1/* 2 * unbound-anchor.c - update the root anchor if necessary. 3 * 4 * Copyright (c) 2010, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file checks to see that the current 5011 keys work to prime the 40 * current root anchor. If not a certificate is used to update the anchor, 41 * with RFC7958 https xml fetch. 42 * 43 * This is a concept solution for distribution of the DNSSEC root 44 * trust anchor. It is a small tool, called "unbound-anchor", that 45 * runs before the main validator starts. I.e. in the init script: 46 * unbound-anchor; unbound. Thus it is meant to run at system boot time. 47 * 48 * Management-Abstract: 49 * * first run: fill root.key file with hardcoded DS record. 50 * * mostly: use RFC5011 tracking, quick . DNSKEY UDP query. 51 * * failover: use RFC7958 builtin certificate, do https and update. 52 * Special considerations: 53 * * 30-days RFC5011 timer saves a lot of https traffic. 54 * * DNSKEY probe must be NOERROR, saves a lot of https traffic. 55 * * fail if clock before sign date of the root, if cert expired. 56 * * if the root goes back to unsigned, deals with it. 57 * 58 * It has hardcoded the root DS anchors and the ICANN CA root certificate. 59 * It allows with options to override those. It also takes root-hints (it 60 * has to do a DNS resolve), and also has hardcoded defaults for those. 61 * 62 * Once it starts, just before the validator starts, it quickly checks if 63 * the root anchor file needs to be updated. First it tries to use 64 * RFC5011-tracking of the root key. If that fails (and for 30-days since 65 * last successful probe), then it attempts to update using the 66 * certificate. So most of the time, the RFC5011 tracking will work fine, 67 * and within a couple milliseconds, the main daemon can start. It will 68 * have only probed the . DNSKEY, not done expensive https transfers on the 69 * root infrastructure. 70 * 71 * If there is no root key in the root.key file, it bootstraps the 72 * RFC5011-tracking with its builtin DS anchors; if that fails it 73 * bootstraps the RFC5011-tracking using the certificate. (again to avoid 74 * https, and it is also faster). 75 * 76 * It uses the XML file by converting it to DS records and writing that to the 77 * key file. Unbound can detect that the 'special comments' are gone, and 78 * the file contains a list of normal DNSKEY/DS records, and uses that to 79 * bootstrap 5011 (the KSK is made VALID). 80 * 81 * The certificate RFC7958 update is done by fetching root-anchors.xml and 82 * root-anchors.p7s via SSL. The HTTPS certificate can be logged but is 83 * not validated (https for channel security; the security comes from the 84 * certificate). The 'data.iana.org' domain name A and AAAA are resolved 85 * without DNSSEC. It tries a random IP until the transfer succeeds. It 86 * then checks the p7s signature. 87 * 88 * On any failure, it leaves the root key file untouched. The main 89 * validator has to cope with it, it cannot fix things (So a failure does 90 * not go 'without DNSSEC', no downgrade). If it used its builtin stuff or 91 * did the https, it exits with an exit code, so that this can trigger the 92 * init script to log the event and potentially alert the operator that can 93 * do a manual check. 94 * 95 * The date is also checked. Before 2010-07-15 is a failure (root not 96 * signed yet; avoids attacks on system clock). The 97 * last-successful-RFC5011-probe (if available) has to be more than 30 days 98 * in the past (otherwise, RFC5011 should have worked). This keeps 99 * unnecessary https traffic down. If the main certificate is expired, it 100 * fails. 101 * 102 * The dates on the keys in the xml are checked (uses the libexpat xml 103 * parser), only the valid ones are used to re-enstate RFC5011 tracking. 104 * If 0 keys are valid, the zone has gone to insecure (a special marker is 105 * written in the keyfile that tells the main validator daemon the zone is 106 * insecure). 107 * 108 * Only the root ICANN CA is shipped, not the intermediate ones. The 109 * intermediate CAs are included in the p7s file that was downloaded. (the 110 * root cert is valid to 2028 and the intermediate to 2014, today). 111 * 112 * Obviously, the tool also has options so the operator can provide a new 113 * keyfile, a new certificate and new URLs, and fresh root hints. By 114 * default it logs nothing on failure and success; it 'just works'. 115 * 116 */ 117 118#include "config.h" 119#include "libunbound/unbound.h" 120#include "sldns/rrdef.h" 121#include "sldns/parseutil.h" 122#include <expat.h> 123#ifndef HAVE_EXPAT_H 124#error "need libexpat to parse root-anchors.xml file." 125#endif 126#ifdef HAVE_GETOPT_H 127#include <getopt.h> 128#endif 129#ifdef HAVE_OPENSSL_SSL_H 130#include <openssl/ssl.h> 131#endif 132#ifdef HAVE_OPENSSL_ERR_H 133#include <openssl/err.h> 134#endif 135#ifdef HAVE_OPENSSL_RAND_H 136#include <openssl/rand.h> 137#endif 138#include <openssl/x509.h> 139#include <openssl/x509v3.h> 140#include <openssl/pem.h> 141 142/** name of server in URL to fetch HTTPS from */ 143#define URLNAME "data.iana.org" 144/** path on HTTPS server to xml file */ 145#define XMLNAME "root-anchors/root-anchors.xml" 146/** path on HTTPS server to p7s file */ 147#define P7SNAME "root-anchors/root-anchors.p7s" 148/** name of the signer of the certificate */ 149#define P7SIGNER "dnssec@iana.org" 150/** port number for https access */ 151#define HTTPS_PORT 443 152 153#ifdef USE_WINSOCK 154/* sneakily reuse the the wsa_strerror function, on windows */ 155char* wsa_strerror(int err); 156#endif 157 158static const char ICANN_UPDATE_CA[] = 159 /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */ 160 "-----BEGIN CERTIFICATE-----\n" 161 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n" 162 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n" 163 "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n" 164 "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n" 165 "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n" 166 "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n" 167 "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n" 168 "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n" 169 "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n" 170 "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n" 171 "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n" 172 "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n" 173 "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n" 174 "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n" 175 "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n" 176 "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n" 177 "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n" 178 "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n" 179 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n" 180 "-----END CERTIFICATE-----\n"; 181 182static const char DS_TRUST_ANCHOR[] = 183 /* The anchors must start on a new line with ". IN DS and end with \n"[;] 184 * because the makedist script greps on the source here */ 185 /* anchor 20326 is from 2017 */ 186". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"; 187 188/** verbosity for this application */ 189static int verb = 0; 190 191/** list of IP addresses */ 192struct ip_list { 193 /** next in list */ 194 struct ip_list* next; 195 /** length of addr */ 196 socklen_t len; 197 /** address ready to connect to */ 198 struct sockaddr_storage addr; 199 /** has the address been used */ 200 int used; 201}; 202 203/** Give unbound-anchor usage, and exit (1). */ 204static void 205usage(void) 206{ 207 printf("Usage: local-unbound-anchor [opts]\n"); 208 printf(" Setup or update root anchor. " 209 "Most options have defaults.\n"); 210 printf(" Run this program before you start the validator.\n"); 211 printf("\n"); 212 printf(" The anchor and cert have default builtin content\n"); 213 printf(" if the file does not exist or is empty.\n"); 214 printf("\n"); 215 printf("-a file root key file, default %s\n", ROOT_ANCHOR_FILE); 216 printf(" The key is input and output for this tool.\n"); 217 printf("-c file cert file, default %s\n", ROOT_CERT_FILE); 218 printf("-l list builtin key and cert on stdout\n"); 219 printf("-u name server in https url, default %s\n", URLNAME); 220 printf("-S do not use SNI for the https connection\n"); 221 printf("-x path pathname to xml in url, default %s\n", XMLNAME); 222 printf("-s path pathname to p7s in url, default %s\n", P7SNAME); 223 printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER); 224 printf("-b address source address to bind to\n"); 225 printf("-4 work using IPv4 only\n"); 226 printf("-6 work using IPv6 only\n"); 227 printf("-f resolv.conf use given resolv.conf\n"); 228 printf("-r root.hints use given root.hints\n" 229 " builtin root hints are used by default\n"); 230 printf("-R fallback from -f to root query on error\n"); 231 printf("-v more verbose\n"); 232 printf("-C conf debug, read config\n"); 233 printf("-P port use port for https connect, default 443\n"); 234 printf("-F debug, force update with cert\n"); 235 printf("-h show this usage help\n"); 236 printf("Version %s\n", PACKAGE_VERSION); 237 printf("BSD licensed, see LICENSE in source package for details.\n"); 238 printf("Report bugs to %s\n", PACKAGE_BUGREPORT); 239 exit(1); 240} 241 242/** return the built in root update certificate */ 243static const char* 244get_builtin_cert(void) 245{ 246 return ICANN_UPDATE_CA; 247} 248 249/** return the built in root DS trust anchor */ 250static const char* 251get_builtin_ds(void) 252{ 253 return DS_TRUST_ANCHOR; 254} 255 256/** print hex data */ 257static void 258print_data(const char* msg, const char* data, size_t len) 259{ 260 size_t i; 261 printf("%s: ", msg); 262 for(i=0; i<len; i++) { 263 printf(" %2.2x", (unsigned char)data[i]); 264 } 265 printf("\n"); 266} 267 268/** print ub context creation error and exit */ 269static void 270ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2) 271{ 272 ub_ctx_delete(ctx); 273 if(str && str2 && verb) printf("%s: %s\n", str, str2); 274 if(verb) printf("error: could not create unbound resolver context\n"); 275 exit(0); 276} 277 278/** 279 * Create a new unbound context with the commandline settings applied 280 */ 281static struct ub_ctx* 282create_unbound_context(const char* res_conf, const char* root_hints, 283 const char* debugconf, const char* srcaddr, int ip4only, int ip6only) 284{ 285 int r; 286 struct ub_ctx* ctx = ub_ctx_create(); 287 if(!ctx) { 288 if(verb) printf("out of memory\n"); 289 exit(0); 290 } 291 /* do not waste time and network traffic to fetch extra nameservers */ 292 r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0"); 293 if(r && verb) printf("ctx targetfetchpolicy: %s\n", ub_strerror(r)); 294 /* read config file first, so its settings can be overridden */ 295 if(debugconf) { 296 r = ub_ctx_config(ctx, debugconf); 297 if(r) ub_ctx_error_exit(ctx, debugconf, ub_strerror(r)); 298 } 299 if(res_conf) { 300 r = ub_ctx_resolvconf(ctx, res_conf); 301 if(r) ub_ctx_error_exit(ctx, res_conf, ub_strerror(r)); 302 } 303 if(root_hints) { 304 r = ub_ctx_set_option(ctx, "root-hints:", root_hints); 305 if(r) ub_ctx_error_exit(ctx, root_hints, ub_strerror(r)); 306 } 307 if(srcaddr) { 308 r = ub_ctx_set_option(ctx, "outgoing-interface:", srcaddr); 309 if(r) ub_ctx_error_exit(ctx, srcaddr, ub_strerror(r)); 310 } 311 if(ip4only) { 312 r = ub_ctx_set_option(ctx, "do-ip6:", "no"); 313 if(r) ub_ctx_error_exit(ctx, "ip4only", ub_strerror(r)); 314 } 315 if(ip6only) { 316 r = ub_ctx_set_option(ctx, "do-ip4:", "no"); 317 if(r) ub_ctx_error_exit(ctx, "ip6only", ub_strerror(r)); 318 } 319 return ctx; 320} 321 322/** printout certificate in detail */ 323static void 324verb_cert(const char* msg, X509* x) 325{ 326 if(verb == 0 || verb == 1) return; 327 if(verb == 2) { 328 if(msg) printf("%s\n", msg); 329 X509_print_ex_fp(stdout, x, 0, (unsigned long)-1 330 ^(X509_FLAG_NO_SUBJECT 331 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY)); 332 return; 333 } 334 if(msg) printf("%s\n", msg); 335 X509_print_fp(stdout, x); 336} 337 338/** printout certificates in detail */ 339static void 340verb_certs(const char* msg, STACK_OF(X509)* sk) 341{ 342 int i, num = sk_X509_num(sk); 343 if(verb == 0 || verb == 1) return; 344 for(i=0; i<num; i++) { 345 printf("%s (%d/%d)\n", msg, i, num); 346 verb_cert(NULL, sk_X509_value(sk, i)); 347 } 348} 349 350/** read certificates from a PEM bio */ 351static STACK_OF(X509)* 352read_cert_bio(BIO* bio) 353{ 354 STACK_OF(X509) *sk = sk_X509_new_null(); 355 if(!sk) { 356 if(verb) printf("out of memory\n"); 357 exit(0); 358 } 359 while(!BIO_eof(bio)) { 360 X509* x = PEM_read_bio_X509(bio, NULL, NULL, NULL); 361 if(x == NULL) { 362 if(verb) { 363 printf("failed to read X509\n"); 364 ERR_print_errors_fp(stdout); 365 } 366 continue; 367 } 368 if(!sk_X509_push(sk, x)) { 369 if(verb) printf("out of memory\n"); 370 exit(0); 371 } 372 } 373 return sk; 374} 375 376/* read the certificate file */ 377static STACK_OF(X509)* 378read_cert_file(const char* file) 379{ 380 STACK_OF(X509)* sk; 381 FILE* in; 382 int content = 0; 383 char buf[128]; 384 if(file == NULL || strcmp(file, "") == 0) { 385 return NULL; 386 } 387 sk = sk_X509_new_null(); 388 if(!sk) { 389 if(verb) printf("out of memory\n"); 390 exit(0); 391 } 392 in = fopen(file, "r"); 393 if(!in) { 394 if(verb) printf("%s: %s\n", file, strerror(errno)); 395#ifndef S_SPLINT_S 396 sk_X509_pop_free(sk, X509_free); 397#endif 398 return NULL; 399 } 400 while(!feof(in)) { 401 X509* x = PEM_read_X509(in, NULL, NULL, NULL); 402 if(x == NULL) { 403 if(verb) { 404 printf("failed to read X509 file\n"); 405 ERR_print_errors_fp(stdout); 406 } 407 continue; 408 } 409 if(!sk_X509_push(sk, x)) { 410 if(verb) printf("out of memory\n"); 411 fclose(in); 412 exit(0); 413 } 414 content = 1; 415 /* read away newline after --END CERT-- */ 416 if(!fgets(buf, (int)sizeof(buf), in)) 417 break; 418 } 419 fclose(in); 420 if(!content) { 421 if(verb) printf("%s is empty\n", file); 422#ifndef S_SPLINT_S 423 sk_X509_pop_free(sk, X509_free); 424#endif 425 return NULL; 426 } 427 return sk; 428} 429 430/** read certificates from the builtin certificate */ 431static STACK_OF(X509)* 432read_builtin_cert(void) 433{ 434 const char* builtin_cert = get_builtin_cert(); 435 STACK_OF(X509)* sk; 436 BIO *bio = BIO_new_mem_buf(builtin_cert, 437 (int)strlen(builtin_cert)); 438 if(!bio) { 439 if(verb) printf("out of memory\n"); 440 exit(0); 441 } 442 sk = read_cert_bio(bio); 443 if(!sk) { 444 if(verb) printf("internal error, out of memory\n"); 445 exit(0); 446 } 447 BIO_free(bio); 448 return sk; 449} 450 451/** read update cert file or use builtin */ 452static STACK_OF(X509)* 453read_cert_or_builtin(const char* file) 454{ 455 STACK_OF(X509) *sk = read_cert_file(file); 456 if(!sk) { 457 if(verb) printf("using builtin certificate\n"); 458 sk = read_builtin_cert(); 459 } 460 if(verb) printf("have %d trusted certificates\n", sk_X509_num(sk)); 461 verb_certs("trusted certificates", sk); 462 return sk; 463} 464 465static void 466do_list_builtin(void) 467{ 468 const char* builtin_cert = get_builtin_cert(); 469 const char* builtin_ds = get_builtin_ds(); 470 printf("%s\n", builtin_ds); 471 printf("%s\n", builtin_cert); 472 exit(0); 473} 474 475/** printout IP address with message */ 476static void 477verb_addr(const char* msg, struct ip_list* ip) 478{ 479 if(verb) { 480 char out[100]; 481 void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr; 482 if(ip->len != (socklen_t)sizeof(struct sockaddr_in)) 483 a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr; 484 485 if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family, 486 a, out, (socklen_t)sizeof(out))==0) 487 printf("%s (inet_ntop error)\n", msg); 488 else printf("%s %s\n", msg, out); 489 } 490} 491 492/** free ip_list */ 493static void 494ip_list_free(struct ip_list* p) 495{ 496 struct ip_list* np; 497 while(p) { 498 np = p->next; 499 free(p); 500 p = np; 501 } 502} 503 504/** create ip_list entry for a RR record */ 505static struct ip_list* 506RR_to_ip(int tp, char* data, int len, int port) 507{ 508 struct ip_list* ip = (struct ip_list*)calloc(1, sizeof(*ip)); 509 uint16_t p = (uint16_t)port; 510 if(tp == LDNS_RR_TYPE_A) { 511 struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr; 512 ip->len = (socklen_t)sizeof(*sa); 513 sa->sin_family = AF_INET; 514 sa->sin_port = (in_port_t)htons(p); 515 if(len != (int)sizeof(sa->sin_addr)) { 516 if(verb) printf("skipped badly formatted A\n"); 517 free(ip); 518 return NULL; 519 } 520 memmove(&sa->sin_addr, data, sizeof(sa->sin_addr)); 521 522 } else if(tp == LDNS_RR_TYPE_AAAA) { 523 struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr; 524 ip->len = (socklen_t)sizeof(*sa); 525 sa->sin6_family = AF_INET6; 526 sa->sin6_port = (in_port_t)htons(p); 527 if(len != (int)sizeof(sa->sin6_addr)) { 528 if(verb) printf("skipped badly formatted AAAA\n"); 529 free(ip); 530 return NULL; 531 } 532 memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr)); 533 } else { 534 if(verb) printf("internal error: bad type in RRtoip\n"); 535 free(ip); 536 return NULL; 537 } 538 verb_addr("resolved server address", ip); 539 return ip; 540} 541 542/** Resolve name, type, class and add addresses to iplist */ 543static void 544resolve_host_ip(struct ub_ctx* ctx, const char* host, int port, int tp, int cl, 545 struct ip_list** head) 546{ 547 struct ub_result* res = NULL; 548 int r; 549 int i; 550 551 r = ub_resolve(ctx, host, tp, cl, &res); 552 if(r) { 553 if(verb) printf("error: resolve %s %s: %s\n", host, 554 (tp==LDNS_RR_TYPE_A)?"A":"AAAA", ub_strerror(r)); 555 return; 556 } 557 if(!res) { 558 if(verb) printf("out of memory\n"); 559 ub_ctx_delete(ctx); 560 exit(0); 561 } 562 if(!res->havedata || res->rcode || !res->data) { 563 if(verb) printf("resolve %s %s: no result\n", host, 564 (tp==LDNS_RR_TYPE_A)?"A":"AAAA"); 565 return; 566 } 567 for(i = 0; res->data[i]; i++) { 568 struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i], 569 port); 570 if(!ip) continue; 571 ip->next = *head; 572 *head = ip; 573 } 574 ub_resolve_free(res); 575} 576 577/** parse a text IP address into a sockaddr */ 578static struct ip_list* 579parse_ip_addr(const char* str, int port) 580{ 581 socklen_t len = 0; 582 union { 583 struct sockaddr_in6 a6; 584 struct sockaddr_in a; 585 } addr; 586 struct ip_list* ip; 587 uint16_t p = (uint16_t)port; 588 memset(&addr, 0, sizeof(addr)); 589 590 if(inet_pton(AF_INET6, str, &addr.a6.sin6_addr) > 0) { 591 /* it is an IPv6 */ 592 addr.a6.sin6_family = AF_INET6; 593 addr.a6.sin6_port = (in_port_t)htons(p); 594 len = (socklen_t)sizeof(addr.a6); 595 } 596 if(inet_pton(AF_INET, str, &addr.a.sin_addr) > 0) { 597 /* it is an IPv4 */ 598 addr.a.sin_family = AF_INET; 599 addr.a.sin_port = (in_port_t)htons(p); 600 len = (socklen_t)sizeof(struct sockaddr_in); 601 } 602 if(!len) return NULL; 603 ip = (struct ip_list*)calloc(1, sizeof(*ip)); 604 if(!ip) { 605 if(verb) printf("out of memory\n"); 606 exit(0); 607 } 608 ip->len = len; 609 memmove(&ip->addr, &addr, len); 610 if(verb) printf("server address is %s\n", str); 611 return ip; 612} 613 614/** 615 * Resolve a domain name (even though the resolver is down and there is 616 * no trust anchor). Without DNSSEC validation. 617 * @param host: the name to resolve. 618 * If this name is an IP4 or IP6 address this address is returned. 619 * @param port: the port number used for the returned IP structs. 620 * @param res_conf: resolv.conf (if any). 621 * @param root_hints: root hints (if any). 622 * @param debugconf: unbound.conf for debugging options. 623 * @param srcaddr: source address option (if any). 624 * @param ip4only: use only ip4 for resolve and only lookup A 625 * @param ip6only: use only ip6 for resolve and only lookup AAAA 626 * default is to lookup A and AAAA using ip4 and ip6. 627 * @return list of IP addresses. 628 */ 629static struct ip_list* 630resolve_name(const char* host, int port, const char* res_conf, 631 const char* root_hints, const char* debugconf, 632 const char* srcaddr, int ip4only, int ip6only) 633{ 634 struct ub_ctx* ctx; 635 struct ip_list* list = NULL; 636 /* first see if name is an IP address itself */ 637 if( (list=parse_ip_addr(host, port)) ) { 638 return list; 639 } 640 641 /* create resolver context */ 642 ctx = create_unbound_context(res_conf, root_hints, debugconf, 643 srcaddr, ip4only, ip6only); 644 645 /* try resolution of A */ 646 if(!ip6only) { 647 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_A, 648 LDNS_RR_CLASS_IN, &list); 649 } 650 651 /* try resolution of AAAA */ 652 if(!ip4only) { 653 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_AAAA, 654 LDNS_RR_CLASS_IN, &list); 655 } 656 657 ub_ctx_delete(ctx); 658 if(!list) { 659 if(verb) printf("%s has no IP addresses I can use\n", host); 660 exit(0); 661 } 662 return list; 663} 664 665/** clear used flags */ 666static void 667wipe_ip_usage(struct ip_list* p) 668{ 669 while(p) { 670 p->used = 0; 671 p = p->next; 672 } 673} 674 675/** count unused IPs */ 676static int 677count_unused(struct ip_list* p) 678{ 679 int num = 0; 680 while(p) { 681 if(!p->used) num++; 682 p = p->next; 683 } 684 return num; 685} 686 687/** pick random unused element from IP list */ 688static struct ip_list* 689pick_random_ip(struct ip_list* list) 690{ 691 struct ip_list* p = list; 692 int num = count_unused(list); 693 int sel; 694 if(num == 0) return NULL; 695 /* not perfect, but random enough */ 696 sel = (int)arc4random_uniform((uint32_t)num); 697 /* skip over unused elements that we did not select */ 698 while(sel > 0 && p) { 699 if(!p->used) sel--; 700 p = p->next; 701 } 702 /* find the next unused element */ 703 while(p && p->used) 704 p = p->next; 705 if(!p) return NULL; /* robustness */ 706 return p; 707} 708 709/** close the fd */ 710static void 711fd_close(int fd) 712{ 713#ifndef USE_WINSOCK 714 close(fd); 715#else 716 closesocket(fd); 717#endif 718} 719 720/** printout socket errno */ 721static void 722print_sock_err(const char* msg) 723{ 724#ifndef USE_WINSOCK 725 if(verb) printf("%s: %s\n", msg, strerror(errno)); 726#else 727 if(verb) printf("%s: %s\n", msg, wsa_strerror(WSAGetLastError())); 728#endif 729} 730 731/** connect to IP address */ 732static int 733connect_to_ip(struct ip_list* ip, struct ip_list* src) 734{ 735 int fd; 736 verb_addr("connect to", ip); 737 fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)? 738 AF_INET:AF_INET6, SOCK_STREAM, 0); 739 if(fd == -1) { 740 print_sock_err("socket"); 741 return -1; 742 } 743 if(src && bind(fd, (struct sockaddr*)&src->addr, src->len) < 0) { 744 print_sock_err("bind"); 745 fd_close(fd); 746 return -1; 747 } 748 if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) { 749 print_sock_err("connect"); 750 fd_close(fd); 751 return -1; 752 } 753 return fd; 754} 755 756/** create SSL context */ 757static SSL_CTX* 758setup_sslctx(void) 759{ 760 SSL_CTX* sslctx = SSL_CTX_new(SSLv23_client_method()); 761 if(!sslctx) { 762 if(verb) printf("SSL_CTX_new error\n"); 763 return NULL; 764 } 765 return sslctx; 766} 767 768/** initiate TLS on a connection */ 769static SSL* 770TLS_initiate(SSL_CTX* sslctx, int fd, const char* urlname, int use_sni) 771{ 772 X509* x; 773 int r; 774 SSL* ssl = SSL_new(sslctx); 775 if(!ssl) { 776 if(verb) printf("SSL_new error\n"); 777 return NULL; 778 } 779 SSL_set_connect_state(ssl); 780 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); 781 if(!SSL_set_fd(ssl, fd)) { 782 if(verb) printf("SSL_set_fd error\n"); 783 SSL_free(ssl); 784 return NULL; 785 } 786 if(use_sni) { 787 (void)SSL_set_tlsext_host_name(ssl, urlname); 788 } 789 while(1) { 790 ERR_clear_error(); 791 if( (r=SSL_do_handshake(ssl)) == 1) 792 break; 793 r = SSL_get_error(ssl, r); 794 if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) { 795 if(verb) printf("SSL handshake failed\n"); 796 SSL_free(ssl); 797 return NULL; 798 } 799 /* wants to be called again */ 800 } 801 x = SSL_get_peer_certificate(ssl); 802 if(!x) { 803 if(verb) printf("Server presented no peer certificate\n"); 804 SSL_free(ssl); 805 return NULL; 806 } 807 verb_cert("server SSL certificate", x); 808 X509_free(x); 809 return ssl; 810} 811 812/** perform neat TLS shutdown */ 813static void 814TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx) 815{ 816 /* shutdown the SSL connection nicely */ 817 if(SSL_shutdown(ssl) == 0) { 818 SSL_shutdown(ssl); 819 } 820 SSL_free(ssl); 821 SSL_CTX_free(sslctx); 822 fd_close(fd); 823} 824 825/** write a line over SSL */ 826static int 827write_ssl_line(SSL* ssl, const char* str, const char* sec) 828{ 829 char buf[1024]; 830 size_t l; 831 if(sec) { 832 snprintf(buf, sizeof(buf), str, sec); 833 } else { 834 snprintf(buf, sizeof(buf), "%s", str); 835 } 836 l = strlen(buf); 837 if(l+2 >= sizeof(buf)) { 838 if(verb) printf("line too long\n"); 839 return 0; 840 } 841 if(verb >= 2) printf("SSL_write: %s\n", buf); 842 buf[l] = '\r'; 843 buf[l+1] = '\n'; 844 buf[l+2] = 0; 845 /* add \r\n */ 846 if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) { 847 if(verb) printf("could not SSL_write %s", str); 848 return 0; 849 } 850 return 1; 851} 852 853/** process header line, check rcode and keeping track of size */ 854static int 855process_one_header(char* buf, size_t* clen, int* chunked) 856{ 857 if(verb>=2) printf("header: '%s'\n", buf); 858 if(strncasecmp(buf, "HTTP/1.1 ", 9) == 0) { 859 /* check returncode */ 860 if(buf[9] != '2') { 861 if(verb) printf("bad status %s\n", buf+9); 862 return 0; 863 } 864 } else if(strncasecmp(buf, "Content-Length: ", 16) == 0) { 865 if(!*chunked) 866 *clen = (size_t)atoi(buf+16); 867 } else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) { 868 *clen = 0; 869 *chunked = 1; 870 } 871 return 1; 872} 873 874/** 875 * Read one line from SSL 876 * zero terminates. 877 * skips "\r\n" (but not copied to buf). 878 * @param ssl: the SSL connection to read from (blocking). 879 * @param buf: buffer to return line in. 880 * @param len: size of the buffer. 881 * @return 0 on error, 1 on success. 882 */ 883static int 884read_ssl_line(SSL* ssl, char* buf, size_t len) 885{ 886 size_t n = 0; 887 int r; 888 int endnl = 0; 889 while(1) { 890 if(n >= len) { 891 if(verb) printf("line too long\n"); 892 return 0; 893 } 894 if((r = SSL_read(ssl, buf+n, 1)) <= 0) { 895 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { 896 /* EOF */ 897 break; 898 } 899 if(verb) printf("could not SSL_read\n"); 900 return 0; 901 } 902 if(endnl && buf[n] == '\n') { 903 break; 904 } else if(endnl) { 905 /* bad data */ 906 if(verb) printf("error: stray linefeeds\n"); 907 return 0; 908 } else if(buf[n] == '\r') { 909 /* skip \r, and also \n on the wire */ 910 endnl = 1; 911 continue; 912 } else if(buf[n] == '\n') { 913 /* skip the \n, we are done */ 914 break; 915 } else n++; 916 } 917 buf[n] = 0; 918 return 1; 919} 920 921/** read http headers and process them */ 922static size_t 923read_http_headers(SSL* ssl, size_t* clen) 924{ 925 char buf[1024]; 926 int chunked = 0; 927 *clen = 0; 928 while(read_ssl_line(ssl, buf, sizeof(buf))) { 929 if(buf[0] == 0) 930 return 1; 931 if(!process_one_header(buf, clen, &chunked)) 932 return 0; 933 } 934 return 0; 935} 936 937/** read a data chunk */ 938static char* 939read_data_chunk(SSL* ssl, size_t len) 940{ 941 size_t got = 0; 942 int r; 943 char* data; 944 if((unsigned)len >= (unsigned)0xfffffff0) 945 return NULL; /* to protect against integer overflow in malloc*/ 946 data = malloc(len+1); 947 if(!data) { 948 if(verb) printf("out of memory\n"); 949 return NULL; 950 } 951 while(got < len) { 952 if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) { 953 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { 954 /* EOF */ 955 if(verb) printf("could not SSL_read: unexpected EOF\n"); 956 free(data); 957 return NULL; 958 } 959 if(verb) printf("could not SSL_read\n"); 960 free(data); 961 return NULL; 962 } 963 if(verb >= 2) printf("at %d/%d\n", (int)got, (int)len); 964 got += r; 965 } 966 if(verb>=2) printf("read %d data\n", (int)len); 967 data[len] = 0; 968 return data; 969} 970 971/** parse chunk header */ 972static int 973parse_chunk_header(char* buf, size_t* result) 974{ 975 char* e = NULL; 976 size_t v = (size_t)strtol(buf, &e, 16); 977 if(e == buf) 978 return 0; 979 *result = v; 980 return 1; 981} 982 983/** read chunked data from connection */ 984static BIO* 985do_chunked_read(SSL* ssl) 986{ 987 char buf[1024]; 988 size_t len; 989 char* body; 990 BIO* mem = BIO_new(BIO_s_mem()); 991 if(verb>=3) printf("do_chunked_read\n"); 992 if(!mem) { 993 if(verb) printf("out of memory\n"); 994 return NULL; 995 } 996 while(read_ssl_line(ssl, buf, sizeof(buf))) { 997 /* read the chunked start line */ 998 if(verb>=2) printf("chunk header: %s\n", buf); 999 if(!parse_chunk_header(buf, &len)) { 1000 BIO_free(mem); 1001 if(verb>=3) printf("could not parse chunk header\n"); 1002 return NULL; 1003 } 1004 if(verb>=2) printf("chunk len: %d\n", (int)len); 1005 /* are we done? */ 1006 if(len == 0) { 1007 char z = 0; 1008 /* skip end-of-chunk-trailer lines, 1009 * until the empty line after that */ 1010 do { 1011 if(!read_ssl_line(ssl, buf, sizeof(buf))) { 1012 BIO_free(mem); 1013 return NULL; 1014 } 1015 } while (strlen(buf) > 0); 1016 /* end of chunks, zero terminate it */ 1017 if(BIO_write(mem, &z, 1) <= 0) { 1018 if(verb) printf("out of memory\n"); 1019 BIO_free(mem); 1020 return NULL; 1021 } 1022 return mem; 1023 } 1024 /* read the chunked body */ 1025 body = read_data_chunk(ssl, len); 1026 if(!body) { 1027 BIO_free(mem); 1028 return NULL; 1029 } 1030 if(BIO_write(mem, body, (int)len) <= 0) { 1031 if(verb) printf("out of memory\n"); 1032 free(body); 1033 BIO_free(mem); 1034 return NULL; 1035 } 1036 free(body); 1037 /* skip empty line after data chunk */ 1038 if(!read_ssl_line(ssl, buf, sizeof(buf))) { 1039 BIO_free(mem); 1040 return NULL; 1041 } 1042 } 1043 BIO_free(mem); 1044 return NULL; 1045} 1046 1047/** start HTTP1.1 transaction on SSL */ 1048static int 1049write_http_get(SSL* ssl, const char* pathname, const char* urlname) 1050{ 1051 if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) && 1052 write_ssl_line(ssl, "Host: %s", urlname) && 1053 write_ssl_line(ssl, "User-Agent: unbound-anchor/%s", 1054 PACKAGE_VERSION) && 1055 /* We do not really do multiple queries per connection, 1056 * but this header setting is also not needed. 1057 * write_ssl_line(ssl, "Connection: close", NULL) &&*/ 1058 write_ssl_line(ssl, "", NULL)) { 1059 return 1; 1060 } 1061 return 0; 1062} 1063 1064/** read chunked data and zero terminate; len is without zero */ 1065static char* 1066read_chunked_zero_terminate(SSL* ssl, size_t* len) 1067{ 1068 /* do the chunked version */ 1069 BIO* tmp = do_chunked_read(ssl); 1070 char* data, *d = NULL; 1071 size_t l; 1072 if(!tmp) { 1073 if(verb) printf("could not read from https\n"); 1074 return NULL; 1075 } 1076 l = (size_t)BIO_get_mem_data(tmp, &d); 1077 if(verb>=2) printf("chunked data is %d\n", (int)l); 1078 if(l == 0 || d == NULL) { 1079 if(verb) printf("out of memory\n"); 1080 return NULL; 1081 } 1082 *len = l-1; 1083 data = (char*)malloc(l); 1084 if(data == NULL) { 1085 if(verb) printf("out of memory\n"); 1086 return NULL; 1087 } 1088 memcpy(data, d, l); 1089 BIO_free(tmp); 1090 return data; 1091} 1092 1093/** read HTTP result from SSL */ 1094static BIO* 1095read_http_result(SSL* ssl) 1096{ 1097 size_t len = 0; 1098 char* data; 1099 BIO* m; 1100 if(!read_http_headers(ssl, &len)) { 1101 return NULL; 1102 } 1103 if(len == 0) { 1104 data = read_chunked_zero_terminate(ssl, &len); 1105 } else { 1106 data = read_data_chunk(ssl, len); 1107 } 1108 if(!data) return NULL; 1109 if(verb >= 4) print_data("read data", data, len); 1110 m = BIO_new(BIO_s_mem()); 1111 if(!m) { 1112 if(verb) printf("out of memory\n"); 1113 free(data); 1114 exit(0); 1115 } 1116 BIO_write(m, data, (int)len); 1117 free(data); 1118 return m; 1119} 1120 1121/** https to an IP addr, return BIO with pathname or NULL */ 1122static BIO* 1123https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname, 1124 struct ip_list* src, int use_sni) 1125{ 1126 int fd; 1127 SSL* ssl; 1128 BIO* bio; 1129 SSL_CTX* sslctx = setup_sslctx(); 1130 if(!sslctx) { 1131 return NULL; 1132 } 1133 fd = connect_to_ip(ip, src); 1134 if(fd == -1) { 1135 SSL_CTX_free(sslctx); 1136 return NULL; 1137 } 1138 ssl = TLS_initiate(sslctx, fd, urlname, use_sni); 1139 if(!ssl) { 1140 SSL_CTX_free(sslctx); 1141 fd_close(fd); 1142 return NULL; 1143 } 1144 if(!write_http_get(ssl, pathname, urlname)) { 1145 if(verb) printf("could not write to server\n"); 1146 SSL_free(ssl); 1147 SSL_CTX_free(sslctx); 1148 fd_close(fd); 1149 return NULL; 1150 } 1151 bio = read_http_result(ssl); 1152 TLS_shutdown(fd, ssl, sslctx); 1153 return bio; 1154} 1155 1156/** 1157 * Do a HTTPS, HTTP1.1 over TLS, to fetch a file 1158 * @param ip_list: list of IP addresses to use to fetch from. 1159 * @param pathname: pathname of file on server to GET. 1160 * @param urlname: name to pass as the virtual host for this request. 1161 * @param src: if nonNULL, source address to bind to. 1162 * @param use_sni: if SNI will be used. 1163 * @return a memory BIO with the file in it. 1164 */ 1165static BIO* 1166https(struct ip_list* ip_list, const char* pathname, const char* urlname, 1167 struct ip_list* src, int use_sni) 1168{ 1169 struct ip_list* ip; 1170 BIO* bio = NULL; 1171 /* try random address first, and work through the list */ 1172 wipe_ip_usage(ip_list); 1173 while( (ip = pick_random_ip(ip_list)) ) { 1174 ip->used = 1; 1175 bio = https_to_ip(ip, pathname, urlname, src, use_sni); 1176 if(bio) break; 1177 } 1178 if(!bio) { 1179 if(verb) printf("could not fetch %s\n", pathname); 1180 exit(0); 1181 } else { 1182 if(verb) printf("fetched %s (%d bytes)\n", 1183 pathname, (int)BIO_ctrl_pending(bio)); 1184 } 1185 return bio; 1186} 1187 1188/** XML parse private data during the parse */ 1189struct xml_data { 1190 /** the parser, reference */ 1191 XML_Parser parser; 1192 /** the current tag; malloced; or NULL outside of tags */ 1193 char* tag; 1194 /** current date to use during the parse */ 1195 time_t date; 1196 /** number of keys usefully read in */ 1197 int num_keys; 1198 /** the compiled anchors as DS records */ 1199 BIO* ds; 1200 1201 /** do we want to use this anchor? */ 1202 int use_key; 1203 /** the current anchor: Zone */ 1204 BIO* czone; 1205 /** the current anchor: KeyTag */ 1206 BIO* ctag; 1207 /** the current anchor: Algorithm */ 1208 BIO* calgo; 1209 /** the current anchor: DigestType */ 1210 BIO* cdigtype; 1211 /** the current anchor: Digest*/ 1212 BIO* cdigest; 1213}; 1214 1215/** The BIO for the tag */ 1216static BIO* 1217xml_selectbio(struct xml_data* data, const char* tag) 1218{ 1219 BIO* b = NULL; 1220 if(strcasecmp(tag, "KeyTag") == 0) 1221 b = data->ctag; 1222 else if(strcasecmp(tag, "Algorithm") == 0) 1223 b = data->calgo; 1224 else if(strcasecmp(tag, "DigestType") == 0) 1225 b = data->cdigtype; 1226 else if(strcasecmp(tag, "Digest") == 0) 1227 b = data->cdigest; 1228 return b; 1229} 1230 1231/** 1232 * XML handle character data, the data inside an element. 1233 * @param userData: xml_data structure 1234 * @param s: the character data. May not all be in one callback. 1235 * NOT zero terminated. 1236 * @param len: length of this part of the data. 1237 */ 1238static void 1239xml_charhandle(void *userData, const XML_Char *s, int len) 1240{ 1241 struct xml_data* data = (struct xml_data*)userData; 1242 BIO* b = NULL; 1243 /* skip characters outside of elements */ 1244 if(!data->tag) 1245 return; 1246 if(verb>=4) { 1247 int i; 1248 printf("%s%s charhandle: '", 1249 data->use_key?"use ":"", 1250 data->tag?data->tag:"none"); 1251 for(i=0; i<len; i++) 1252 printf("%c", s[i]); 1253 printf("'\n"); 1254 } 1255 if(strcasecmp(data->tag, "Zone") == 0) { 1256 if(BIO_write(data->czone, s, len) < 0) { 1257 if(verb) printf("out of memory in BIO_write\n"); 1258 exit(0); 1259 } 1260 return; 1261 } 1262 /* only store if key is used */ 1263 if(!data->use_key) 1264 return; 1265 b = xml_selectbio(data, data->tag); 1266 if(b) { 1267 if(BIO_write(b, s, len) < 0) { 1268 if(verb) printf("out of memory in BIO_write\n"); 1269 exit(0); 1270 } 1271 } 1272} 1273 1274/** 1275 * XML fetch value of particular attribute(by name) or NULL if not present. 1276 * @param atts: attribute array (from xml_startelem). 1277 * @param name: name of attribute to look for. 1278 * @return the value or NULL. (ptr into atts). 1279 */ 1280static const XML_Char* 1281find_att(const XML_Char **atts, const XML_Char* name) 1282{ 1283 int i; 1284 for(i=0; atts[i]; i+=2) { 1285 if(strcasecmp(atts[i], name) == 0) 1286 return atts[i+1]; 1287 } 1288 return NULL; 1289} 1290 1291/** 1292 * XML convert DateTime element to time_t. 1293 * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] 1294 * (with optional .ssssss fractional seconds) 1295 * @param str: the string 1296 * @return a time_t representation or 0 on failure. 1297 */ 1298static time_t 1299xml_convertdate(const char* str) 1300{ 1301 time_t t = 0; 1302 struct tm tm; 1303 const char* s; 1304 /* for this application, ignore minus in front; 1305 * only positive dates are expected */ 1306 s = str; 1307 if(s[0] == '-') s++; 1308 memset(&tm, 0, sizeof(tm)); 1309 /* parse initial content of the string (lots of whitespace allowed) */ 1310 s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm); 1311 if(!s) { 1312 if(verb) printf("xml_convertdate parse failure %s\n", str); 1313 return 0; 1314 } 1315 /* parse remainder of date string */ 1316 if(*s == '.') { 1317 /* optional '.' and fractional seconds */ 1318 int frac = 0, n = 0; 1319 if(sscanf(s+1, "%d%n", &frac, &n) < 1) { 1320 if(verb) printf("xml_convertdate f failure %s\n", str); 1321 return 0; 1322 } 1323 /* fraction is not used, time_t has second accuracy */ 1324 s++; 1325 s+=n; 1326 } 1327 if(*s == 'Z' || *s == 'z') { 1328 /* nothing to do for this */ 1329 s++; 1330 } else if(*s == '+' || *s == '-') { 1331 /* optional timezone spec: Z or +hh:mm or -hh:mm */ 1332 int hr = 0, mn = 0, n = 0; 1333 if(sscanf(s+1, "%d:%d%n", &hr, &mn, &n) < 2) { 1334 if(verb) printf("xml_convertdate tz failure %s\n", str); 1335 return 0; 1336 } 1337 if(*s == '+') { 1338 tm.tm_hour += hr; 1339 tm.tm_min += mn; 1340 } else { 1341 tm.tm_hour -= hr; 1342 tm.tm_min -= mn; 1343 } 1344 s++; 1345 s += n; 1346 } 1347 if(*s != 0) { 1348 /* not ended properly */ 1349 /* but ignore, (lenient) */ 1350 } 1351 1352 t = sldns_mktime_from_utc(&tm); 1353 if(t == (time_t)-1) { 1354 if(verb) printf("xml_convertdate mktime failure\n"); 1355 return 0; 1356 } 1357 return t; 1358} 1359 1360/** 1361 * XML handle the KeyDigest start tag, check validity periods. 1362 */ 1363static void 1364handle_keydigest(struct xml_data* data, const XML_Char **atts) 1365{ 1366 data->use_key = 0; 1367 if(find_att(atts, "validFrom")) { 1368 time_t from = xml_convertdate(find_att(atts, "validFrom")); 1369 if(from == 0) { 1370 if(verb) printf("error: xml cannot be parsed\n"); 1371 exit(0); 1372 } 1373 if(data->date < from) 1374 return; 1375 } 1376 if(find_att(atts, "validUntil")) { 1377 time_t until = xml_convertdate(find_att(atts, "validUntil")); 1378 if(until == 0) { 1379 if(verb) printf("error: xml cannot be parsed\n"); 1380 exit(0); 1381 } 1382 if(data->date > until) 1383 return; 1384 } 1385 /* yes we want to use this key */ 1386 data->use_key = 1; 1387 (void)BIO_reset(data->ctag); 1388 (void)BIO_reset(data->calgo); 1389 (void)BIO_reset(data->cdigtype); 1390 (void)BIO_reset(data->cdigest); 1391} 1392 1393/** See if XML element equals the zone name */ 1394static int 1395xml_is_zone_name(BIO* zone, const char* name) 1396{ 1397 char buf[1024]; 1398 char* z = NULL; 1399 long zlen; 1400 (void)BIO_seek(zone, 0); 1401 zlen = BIO_get_mem_data(zone, &z); 1402 if(!zlen || !z) return 0; 1403 /* zero terminate */ 1404 if(zlen >= (long)sizeof(buf)) return 0; 1405 memmove(buf, z, (size_t)zlen); 1406 buf[zlen] = 0; 1407 /* compare */ 1408 return (strncasecmp(buf, name, strlen(name)) == 0); 1409} 1410 1411/** 1412 * XML start of element. This callback is called whenever an XML tag starts. 1413 * XML_Char is UTF8. 1414 * @param userData: the xml_data structure. 1415 * @param name: the tag that starts. 1416 * @param atts: array of strings, pairs of attr = value, ends with NULL. 1417 * i.e. att[0]="att[1]" att[2]="att[3]" att[4]isNull 1418 */ 1419static void 1420xml_startelem(void *userData, const XML_Char *name, const XML_Char **atts) 1421{ 1422 struct xml_data* data = (struct xml_data*)userData; 1423 BIO* b; 1424 if(verb>=4) printf("xml tag start '%s'\n", name); 1425 free(data->tag); 1426 data->tag = strdup(name); 1427 if(!data->tag) { 1428 if(verb) printf("out of memory\n"); 1429 exit(0); 1430 } 1431 if(verb>=4) { 1432 int i; 1433 for(i=0; atts[i]; i+=2) { 1434 printf(" %s='%s'\n", atts[i], atts[i+1]); 1435 } 1436 } 1437 /* handle attributes to particular types */ 1438 if(strcasecmp(name, "KeyDigest") == 0) { 1439 handle_keydigest(data, atts); 1440 return; 1441 } else if(strcasecmp(name, "Zone") == 0) { 1442 (void)BIO_reset(data->czone); 1443 return; 1444 } 1445 1446 /* for other types we prepare to pick up the data */ 1447 if(!data->use_key) 1448 return; 1449 b = xml_selectbio(data, data->tag); 1450 if(b) { 1451 /* empty it */ 1452 (void)BIO_reset(b); 1453 } 1454} 1455 1456/** Append str to bio */ 1457static void 1458xml_append_str(BIO* b, const char* s) 1459{ 1460 if(BIO_write(b, s, (int)strlen(s)) < 0) { 1461 if(verb) printf("out of memory in BIO_write\n"); 1462 exit(0); 1463 } 1464} 1465 1466/** Append bio to bio */ 1467static void 1468xml_append_bio(BIO* b, BIO* a) 1469{ 1470 char* z = NULL; 1471 long i, len; 1472 (void)BIO_seek(a, 0); 1473 len = BIO_get_mem_data(a, &z); 1474 if(!len || !z) { 1475 if(verb) printf("out of memory in BIO_write\n"); 1476 exit(0); 1477 } 1478 /* remove newlines in the data here */ 1479 for(i=0; i<len; i++) { 1480 if(z[i] == '\r' || z[i] == '\n') 1481 z[i] = ' '; 1482 } 1483 /* write to BIO */ 1484 if(BIO_write(b, z, len) < 0) { 1485 if(verb) printf("out of memory in BIO_write\n"); 1486 exit(0); 1487 } 1488} 1489 1490/** write the parsed xml-DS to the DS list */ 1491static void 1492xml_append_ds(struct xml_data* data) 1493{ 1494 /* write DS to accumulated DS */ 1495 xml_append_str(data->ds, ". IN DS "); 1496 xml_append_bio(data->ds, data->ctag); 1497 xml_append_str(data->ds, " "); 1498 xml_append_bio(data->ds, data->calgo); 1499 xml_append_str(data->ds, " "); 1500 xml_append_bio(data->ds, data->cdigtype); 1501 xml_append_str(data->ds, " "); 1502 xml_append_bio(data->ds, data->cdigest); 1503 xml_append_str(data->ds, "\n"); 1504 data->num_keys++; 1505} 1506 1507/** 1508 * XML end of element. This callback is called whenever an XML tag ends. 1509 * XML_Char is UTF8. 1510 * @param userData: the xml_data structure 1511 * @param name: the tag that ends. 1512 */ 1513static void 1514xml_endelem(void *userData, const XML_Char *name) 1515{ 1516 struct xml_data* data = (struct xml_data*)userData; 1517 if(verb>=4) printf("xml tag end '%s'\n", name); 1518 free(data->tag); 1519 data->tag = NULL; 1520 if(strcasecmp(name, "KeyDigest") == 0) { 1521 if(data->use_key) 1522 xml_append_ds(data); 1523 data->use_key = 0; 1524 } else if(strcasecmp(name, "Zone") == 0) { 1525 if(!xml_is_zone_name(data->czone, ".")) { 1526 if(verb) printf("xml not for the right zone\n"); 1527 exit(0); 1528 } 1529 } 1530} 1531 1532/* Stop the parser when an entity declaration is encountered. For safety. */ 1533static void 1534xml_entitydeclhandler(void *userData, 1535 const XML_Char *ATTR_UNUSED(entityName), 1536 int ATTR_UNUSED(is_parameter_entity), 1537 const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length), 1538 const XML_Char *ATTR_UNUSED(base), 1539 const XML_Char *ATTR_UNUSED(systemId), 1540 const XML_Char *ATTR_UNUSED(publicId), 1541 const XML_Char *ATTR_UNUSED(notationName)) 1542{ 1543#if HAVE_DECL_XML_STOPPARSER 1544 (void)XML_StopParser((XML_Parser)userData, XML_FALSE); 1545#else 1546 (void)userData; 1547#endif 1548} 1549 1550/** 1551 * XML parser setup of the callbacks for the tags 1552 */ 1553static void 1554xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now) 1555{ 1556 char buf[1024]; 1557 memset(data, 0, sizeof(*data)); 1558 XML_SetUserData(parser, data); 1559 data->parser = parser; 1560 data->date = now; 1561 data->ds = BIO_new(BIO_s_mem()); 1562 data->ctag = BIO_new(BIO_s_mem()); 1563 data->czone = BIO_new(BIO_s_mem()); 1564 data->calgo = BIO_new(BIO_s_mem()); 1565 data->cdigtype = BIO_new(BIO_s_mem()); 1566 data->cdigest = BIO_new(BIO_s_mem()); 1567 if(!data->ds || !data->ctag || !data->calgo || !data->czone || 1568 !data->cdigtype || !data->cdigest) { 1569 if(verb) printf("out of memory\n"); 1570 exit(0); 1571 } 1572 snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s", 1573 ctime(&now)); 1574 if(BIO_write(data->ds, buf, (int)strlen(buf)) < 0) { 1575 if(verb) printf("out of memory\n"); 1576 exit(0); 1577 } 1578 XML_SetEntityDeclHandler(parser, xml_entitydeclhandler); 1579 XML_SetElementHandler(parser, xml_startelem, xml_endelem); 1580 XML_SetCharacterDataHandler(parser, xml_charhandle); 1581} 1582 1583/** 1584 * Perform XML parsing of the root-anchors file 1585 * Its format description can be read here 1586 * https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt 1587 * It uses libexpat. 1588 * @param xml: BIO with xml data. 1589 * @param now: the current time for checking DS validity periods. 1590 * @return memoryBIO with the DS data in zone format. 1591 * or NULL if the zone is insecure. 1592 * (It exit()s on error) 1593 */ 1594static BIO* 1595xml_parse(BIO* xml, time_t now) 1596{ 1597 char* pp; 1598 int len; 1599 XML_Parser parser; 1600 struct xml_data data; 1601 1602 parser = XML_ParserCreate(NULL); 1603 if(!parser) { 1604 if(verb) printf("could not XML_ParserCreate\n"); 1605 exit(0); 1606 } 1607 1608 /* setup callbacks */ 1609 xml_parse_setup(parser, &data, now); 1610 1611 /* parse it */ 1612 (void)BIO_seek(xml, 0); 1613 len = (int)BIO_get_mem_data(xml, &pp); 1614 if(!len || !pp) { 1615 if(verb) printf("out of memory\n"); 1616 exit(0); 1617 } 1618 if(!XML_Parse(parser, pp, len, 1 /*isfinal*/ )) { 1619 const char *e = XML_ErrorString(XML_GetErrorCode(parser)); 1620 if(verb) printf("XML_Parse failure %s\n", e?e:""); 1621 exit(0); 1622 } 1623 1624 /* parsed */ 1625 if(verb) printf("XML was parsed successfully, %d keys\n", 1626 data.num_keys); 1627 free(data.tag); 1628 XML_ParserFree(parser); 1629 1630 if(verb >= 4) { 1631 (void)BIO_seek(data.ds, 0); 1632 len = BIO_get_mem_data(data.ds, &pp); 1633 printf("got DS bio %d: '", len); 1634 if(!fwrite(pp, (size_t)len, 1, stdout)) 1635 /* compilers do not allow us to ignore fwrite .. */ 1636 fprintf(stderr, "error writing to stdout\n"); 1637 printf("'\n"); 1638 } 1639 BIO_free(data.czone); 1640 BIO_free(data.ctag); 1641 BIO_free(data.calgo); 1642 BIO_free(data.cdigtype); 1643 BIO_free(data.cdigest); 1644 1645 if(data.num_keys == 0) { 1646 /* the root zone seems to have gone insecure */ 1647 BIO_free(data.ds); 1648 return NULL; 1649 } else { 1650 return data.ds; 1651 } 1652} 1653 1654/* get key usage out of its extension, returns 0 if no key_usage extension */ 1655static unsigned long 1656get_usage_of_ex(X509* cert) 1657{ 1658 unsigned long val = 0; 1659 ASN1_BIT_STRING* s; 1660 if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) { 1661 if(s->length > 0) { 1662 val = s->data[0]; 1663 if(s->length > 1) 1664 val |= s->data[1] << 8; 1665 } 1666 ASN1_BIT_STRING_free(s); 1667 } 1668 return val; 1669} 1670 1671/** get valid signers from the list of signers in the signature */ 1672static STACK_OF(X509)* 1673get_valid_signers(PKCS7* p7, const char* p7signer) 1674{ 1675 int i; 1676 STACK_OF(X509)* validsigners = sk_X509_new_null(); 1677 STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0); 1678 unsigned long usage = 0; 1679 if(!validsigners) { 1680 if(verb) printf("out of memory\n"); 1681 sk_X509_free(signers); 1682 return NULL; 1683 } 1684 if(!signers) { 1685 if(verb) printf("no signers in pkcs7 signature\n"); 1686 sk_X509_free(validsigners); 1687 return NULL; 1688 } 1689 for(i=0; i<sk_X509_num(signers); i++) { 1690 X509_NAME* nm = X509_get_subject_name( 1691 sk_X509_value(signers, i)); 1692 char buf[1024]; 1693 if(!nm) { 1694 if(verb) printf("signer %d: cert has no subject name\n", i); 1695 continue; 1696 } 1697 if(verb && nm) { 1698 char* nmline = X509_NAME_oneline(nm, buf, 1699 (int)sizeof(buf)); 1700 printf("signer %d: Subject: %s\n", i, 1701 nmline?nmline:"no subject"); 1702 if(verb >= 3 && X509_NAME_get_text_by_NID(nm, 1703 NID_commonName, buf, (int)sizeof(buf))) 1704 printf("commonName: %s\n", buf); 1705 if(verb >= 3 && X509_NAME_get_text_by_NID(nm, 1706 NID_pkcs9_emailAddress, buf, (int)sizeof(buf))) 1707 printf("emailAddress: %s\n", buf); 1708 } 1709 if(verb) { 1710 int ku_loc = X509_get_ext_by_NID( 1711 sk_X509_value(signers, i), NID_key_usage, -1); 1712 if(verb >= 3 && ku_loc >= 0) { 1713 X509_EXTENSION *ex = X509_get_ext( 1714 sk_X509_value(signers, i), ku_loc); 1715 if(ex) { 1716 printf("keyUsage: "); 1717 X509V3_EXT_print_fp(stdout, ex, 0, 0); 1718 printf("\n"); 1719 } 1720 } 1721 } 1722 if(!p7signer || strcmp(p7signer, "")==0) { 1723 /* there is no name to check, return all records */ 1724 if(verb) printf("did not check commonName of signer\n"); 1725 } else { 1726 if(!X509_NAME_get_text_by_NID(nm, 1727 NID_pkcs9_emailAddress, 1728 buf, (int)sizeof(buf))) { 1729 if(verb) printf("removed cert with no name\n"); 1730 continue; /* no name, no use */ 1731 } 1732 if(strcmp(buf, p7signer) != 0) { 1733 if(verb) printf("removed cert with wrong name\n"); 1734 continue; /* wrong name, skip it */ 1735 } 1736 } 1737 1738 /* check that the key usage allows digital signatures 1739 * (the p7s) */ 1740 usage = get_usage_of_ex(sk_X509_value(signers, i)); 1741 if(!(usage & KU_DIGITAL_SIGNATURE)) { 1742 if(verb) printf("removed cert with no key usage Digital Signature allowed\n"); 1743 continue; 1744 } 1745 1746 /* we like this cert, add it to our list of valid 1747 * signers certificates */ 1748 sk_X509_push(validsigners, sk_X509_value(signers, i)); 1749 } 1750 sk_X509_free(signers); 1751 return validsigners; 1752} 1753 1754/** verify a PKCS7 signature, false on failure */ 1755static int 1756verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer) 1757{ 1758 PKCS7* p7; 1759 X509_STORE *store = X509_STORE_new(); 1760 STACK_OF(X509)* validsigners; 1761 int secure = 0; 1762 int i; 1763#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1764 X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new(); 1765 if(!param) { 1766 if(verb) printf("out of memory\n"); 1767 X509_STORE_free(store); 1768 return 0; 1769 } 1770 /* do the selfcheck on the root certificate; it checks that the 1771 * input is valid */ 1772 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE); 1773 if(store) X509_STORE_set1_param(store, param); 1774#endif 1775 if(!store) { 1776 if(verb) printf("out of memory\n"); 1777#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1778 X509_VERIFY_PARAM_free(param); 1779#endif 1780 return 0; 1781 } 1782#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1783 X509_VERIFY_PARAM_free(param); 1784#endif 1785 1786 (void)BIO_seek(p7s, 0); 1787 (void)BIO_seek(data, 0); 1788 1789 /* convert p7s to p7 (the signature) */ 1790 p7 = d2i_PKCS7_bio(p7s, NULL); 1791 if(!p7) { 1792 if(verb) printf("could not parse p7s signature file\n"); 1793 X509_STORE_free(store); 1794 return 0; 1795 } 1796 if(verb >= 2) printf("parsed the PKCS7 signature\n"); 1797 1798 /* convert trust to trusted certificate store */ 1799 for(i=0; i<sk_X509_num(trust); i++) { 1800 if(!X509_STORE_add_cert(store, sk_X509_value(trust, i))) { 1801 if(verb) printf("failed X509_STORE_add_cert\n"); 1802 X509_STORE_free(store); 1803 PKCS7_free(p7); 1804 return 0; 1805 } 1806 } 1807 if(verb >= 2) printf("setup the X509_STORE\n"); 1808 1809 /* check what is in the Subject name of the certificates, 1810 * and build a stack that contains only the right certificates */ 1811 validsigners = get_valid_signers(p7, p7signer); 1812 if(!validsigners) { 1813 X509_STORE_free(store); 1814 PKCS7_free(p7); 1815 return 0; 1816 } 1817 if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) { 1818 secure = 1; 1819 if(verb) printf("the PKCS7 signature verified\n"); 1820 } else { 1821 if(verb) { 1822 ERR_print_errors_fp(stdout); 1823 } 1824 } 1825 1826 sk_X509_free(validsigners); 1827 X509_STORE_free(store); 1828 PKCS7_free(p7); 1829 return secure; 1830} 1831 1832/** write unsigned root anchor file, a 5011 revoked tp */ 1833static void 1834write_unsigned_root(const char* root_anchor_file) 1835{ 1836 FILE* out; 1837 time_t now = time(NULL); 1838 out = fopen(root_anchor_file, "w"); 1839 if(!out) { 1840 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno)); 1841 return; 1842 } 1843 if(fprintf(out, "; autotrust trust anchor file\n" 1844 ";;REVOKED\n" 1845 ";;id: . 1\n" 1846 "; This file was written by unbound-anchor on %s" 1847 "; It indicates that the root does not use DNSSEC\n" 1848 "; to restart DNSSEC overwrite this file with a\n" 1849 "; valid trustanchor or (empty-it and run unbound-anchor)\n" 1850 , ctime(&now)) < 0) { 1851 if(verb) printf("failed to write 'unsigned' to %s\n", 1852 root_anchor_file); 1853 if(verb && errno != 0) printf("%s\n", strerror(errno)); 1854 } 1855 fflush(out); 1856#ifdef HAVE_FSYNC 1857 fsync(fileno(out)); 1858#else 1859 FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out))); 1860#endif 1861 fclose(out); 1862} 1863 1864/** write root anchor file */ 1865static void 1866write_root_anchor(const char* root_anchor_file, BIO* ds) 1867{ 1868 char* pp = NULL; 1869 int len; 1870 FILE* out; 1871 (void)BIO_seek(ds, 0); 1872 len = BIO_get_mem_data(ds, &pp); 1873 if(!len || !pp) { 1874 if(verb) printf("out of memory\n"); 1875 return; 1876 } 1877 out = fopen(root_anchor_file, "w"); 1878 if(!out) { 1879 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno)); 1880 return; 1881 } 1882 if(fwrite(pp, (size_t)len, 1, out) != 1) { 1883 if(verb) printf("failed to write all data to %s\n", 1884 root_anchor_file); 1885 if(verb && errno != 0) printf("%s\n", strerror(errno)); 1886 } 1887 fflush(out); 1888#ifdef HAVE_FSYNC 1889 fsync(fileno(out)); 1890#else 1891 FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out))); 1892#endif 1893 fclose(out); 1894} 1895 1896/** Perform the verification and update of the trustanchor file */ 1897static void 1898verify_and_update_anchor(const char* root_anchor_file, BIO* xml, BIO* p7s, 1899 STACK_OF(X509)* cert, const char* p7signer) 1900{ 1901 BIO* ds; 1902 1903 /* verify xml file */ 1904 if(!verify_p7sig(xml, p7s, cert, p7signer)) { 1905 printf("the PKCS7 signature failed\n"); 1906 exit(0); 1907 } 1908 1909 /* parse the xml file into DS records */ 1910 ds = xml_parse(xml, time(NULL)); 1911 if(!ds) { 1912 /* the root zone is unsigned now */ 1913 write_unsigned_root(root_anchor_file); 1914 } else { 1915 /* reinstate 5011 tracking */ 1916 write_root_anchor(root_anchor_file, ds); 1917 } 1918 BIO_free(ds); 1919} 1920 1921#ifdef USE_WINSOCK 1922static void do_wsa_cleanup(void) { WSACleanup(); } 1923#endif 1924 1925/** perform actual certupdate work */ 1926static int 1927do_certupdate(const char* root_anchor_file, const char* root_cert_file, 1928 const char* urlname, const char* xmlname, const char* p7sname, 1929 const char* p7signer, const char* res_conf, const char* root_hints, 1930 const char* debugconf, const char* srcaddr, int ip4only, int ip6only, 1931 int port, int use_sni) 1932 1933{ 1934 STACK_OF(X509)* cert; 1935 BIO *xml, *p7s; 1936 struct ip_list* ip_list = NULL; 1937 struct ip_list* src = NULL; 1938 1939 /* read pem file or provide builtin */ 1940 cert = read_cert_or_builtin(root_cert_file); 1941 1942 /* lookup A, AAAA for the urlname (or parse urlname if IP address) */ 1943 ip_list = resolve_name(urlname, port, res_conf, root_hints, debugconf, 1944 srcaddr, ip4only, ip6only); 1945 1946 if(srcaddr && !(src = parse_ip_addr(srcaddr, 0))) { 1947 if(verb) printf("cannot parse source address: %s\n", srcaddr); 1948 exit(0); 1949 } 1950 1951#ifdef USE_WINSOCK 1952 if(1) { /* libunbound finished, startup WSA for the https connection */ 1953 WSADATA wsa_data; 1954 int r; 1955 if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) { 1956 if(verb) printf("WSAStartup failed: %s\n", 1957 wsa_strerror(r)); 1958 exit(0); 1959 } 1960 atexit(&do_wsa_cleanup); 1961 } 1962#endif 1963 1964 /* fetch the necessary files over HTTPS */ 1965 xml = https(ip_list, xmlname, urlname, src, use_sni); 1966 p7s = https(ip_list, p7sname, urlname, src, use_sni); 1967 1968 /* verify and update the root anchor */ 1969 verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer); 1970 if(verb) printf("success: the anchor has been updated " 1971 "using the cert\n"); 1972 1973 BIO_free(xml); 1974 BIO_free(p7s); 1975#ifndef S_SPLINT_S 1976 sk_X509_pop_free(cert, X509_free); 1977#endif 1978 ip_list_free(ip_list); 1979 return 1; 1980} 1981 1982/** 1983 * Try to read the root RFC5011 autotrust anchor file, 1984 * @param file: filename. 1985 * @return: 1986 * 0 if does not exist or empty 1987 * 1 if trust-point-revoked-5011 1988 * 2 if it is OK. 1989 */ 1990static int 1991try_read_anchor(const char* file) 1992{ 1993 int empty = 1; 1994 char line[10240]; 1995 char* p; 1996 FILE* in = fopen(file, "r"); 1997 if(!in) { 1998 /* only if the file does not exist, can we fix it */ 1999 if(errno != ENOENT) { 2000 if(verb) printf("%s: %s\n", file, strerror(errno)); 2001 if(verb) printf("error: cannot access the file\n"); 2002 exit(0); 2003 } 2004 if(verb) printf("%s does not exist\n", file); 2005 return 0; 2006 } 2007 while(fgets(line, (int)sizeof(line), in)) { 2008 line[sizeof(line)-1] = 0; 2009 if(strncmp(line, ";;REVOKED", 9) == 0) { 2010 fclose(in); 2011 if(verb) printf("%s : the trust point is revoked\n" 2012 "and the zone is considered unsigned.\n" 2013 "if you wish to re-enable, delete the file\n", 2014 file); 2015 return 1; 2016 } 2017 p=line; 2018 while(*p == ' ' || *p == '\t') 2019 p++; 2020 if(p[0]==0 || p[0]=='\n' || p[0]==';') continue; 2021 /* this line is a line of content */ 2022 empty = 0; 2023 } 2024 fclose(in); 2025 if(empty) { 2026 if(verb) printf("%s is empty\n", file); 2027 return 0; 2028 } 2029 if(verb) printf("%s has content\n", file); 2030 return 2; 2031} 2032 2033/** Write the builtin root anchor to a file */ 2034static void 2035write_builtin_anchor(const char* file) 2036{ 2037 const char* builtin_root_anchor = get_builtin_ds(); 2038 FILE* out = fopen(file, "w"); 2039 if(!out) { 2040 if(verb) printf("%s: %s\n", file, strerror(errno)); 2041 if(verb) printf(" could not write builtin anchor\n"); 2042 return; 2043 } 2044 if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) { 2045 if(verb) printf("%s: %s\n", file, strerror(errno)); 2046 if(verb) printf(" could not complete write builtin anchor\n"); 2047 } 2048 fclose(out); 2049} 2050 2051/** 2052 * Check the root anchor file. 2053 * If does not exist, provide builtin and write file. 2054 * If empty, provide builtin and write file. 2055 * If trust-point-revoked-5011 file: make the program exit. 2056 * @param root_anchor_file: filename of the root anchor. 2057 * @param used_builtin: set to 1 if the builtin is written. 2058 * @return 0 if trustpoint is insecure, 1 on success. Exit on failure. 2059 */ 2060static int 2061provide_builtin(const char* root_anchor_file, int* used_builtin) 2062{ 2063 /* try to read it */ 2064 switch(try_read_anchor(root_anchor_file)) 2065 { 2066 case 0: /* no exist or empty */ 2067 write_builtin_anchor(root_anchor_file); 2068 *used_builtin = 1; 2069 break; 2070 case 1: /* revoked tp */ 2071 return 0; 2072 case 2: /* it is fine */ 2073 default: 2074 break; 2075 } 2076 return 1; 2077} 2078 2079/** 2080 * add an autotrust anchor for the root to the context 2081 */ 2082static void 2083add_5011_probe_root(struct ub_ctx* ctx, const char* root_anchor_file) 2084{ 2085 int r; 2086 r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file); 2087 if(r) { 2088 if(verb) printf("add 5011 probe to ctx: %s\n", ub_strerror(r)); 2089 ub_ctx_delete(ctx); 2090 exit(0); 2091 } 2092} 2093 2094/** 2095 * Prime the root key and return the result. Exit on error. 2096 * @param ctx: the unbound context to perform the priming with. 2097 * @return: the result of the prime, on error it exit()s. 2098 */ 2099static struct ub_result* 2100prime_root_key(struct ub_ctx* ctx) 2101{ 2102 struct ub_result* res = NULL; 2103 int r; 2104 r = ub_resolve(ctx, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, &res); 2105 if(r) { 2106 if(verb) printf("resolve DNSKEY: %s\n", ub_strerror(r)); 2107 ub_ctx_delete(ctx); 2108 exit(0); 2109 } 2110 if(!res) { 2111 if(verb) printf("out of memory\n"); 2112 ub_ctx_delete(ctx); 2113 exit(0); 2114 } 2115 return res; 2116} 2117 2118/** see if ADDPEND keys exist in autotrust file (if possible) */ 2119static int 2120read_if_pending_keys(const char* file) 2121{ 2122 FILE* in = fopen(file, "r"); 2123 char line[8192]; 2124 if(!in) { 2125 if(verb>=2) printf("%s: %s\n", file, strerror(errno)); 2126 return 0; 2127 } 2128 while(fgets(line, (int)sizeof(line), in)) { 2129 if(line[0]==';') continue; 2130 if(strstr(line, "[ ADDPEND ]")) { 2131 fclose(in); 2132 if(verb) printf("RFC5011-state has ADDPEND keys\n"); 2133 return 1; 2134 } 2135 } 2136 fclose(in); 2137 return 0; 2138} 2139 2140/** read last successful probe time from autotrust file (if possible) */ 2141static int32_t 2142read_last_success_time(const char* file) 2143{ 2144 FILE* in = fopen(file, "r"); 2145 char line[1024]; 2146 if(!in) { 2147 if(verb) printf("%s: %s\n", file, strerror(errno)); 2148 return 0; 2149 } 2150 while(fgets(line, (int)sizeof(line), in)) { 2151 if(strncmp(line, ";;last_success: ", 16) == 0) { 2152 char* e; 2153 time_t x = (unsigned int)strtol(line+16, &e, 10); 2154 fclose(in); 2155 if(line+16 == e) { 2156 if(verb) printf("failed to parse " 2157 "last_success probe time\n"); 2158 return 0; 2159 } 2160 if(verb) printf("last successful probe: %s", ctime(&x)); 2161 return (int32_t)x; 2162 } 2163 } 2164 fclose(in); 2165 if(verb) printf("no last_success probe time in anchor file\n"); 2166 return 0; 2167} 2168 2169/** 2170 * Read autotrust 5011 probe file and see if the date 2171 * compared to the current date allows a certupdate. 2172 * If the last successful probe was recent then 5011 cannot be behind, 2173 * and the failure cannot be solved with a certupdate. 2174 * The debugconf is to validation-override the date for testing. 2175 * @param root_anchor_file: filename of root key 2176 * @return true if certupdate is ok. 2177 */ 2178static int 2179probe_date_allows_certupdate(const char* root_anchor_file) 2180{ 2181 int has_pending_keys = read_if_pending_keys(root_anchor_file); 2182 int32_t last_success = read_last_success_time(root_anchor_file); 2183 int32_t now = (int32_t)time(NULL); 2184 int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */ 2185 /* if the date is before 2010-07-15:00.00.00 then the root has not 2186 * been signed yet, and thus we refuse to take action. */ 2187 if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) { 2188 if(verb) printf("the date is before the root was first signed," 2189 " please correct the clock\n"); 2190 return 0; 2191 } 2192 if(last_success == 0) 2193 return 1; /* no probe time */ 2194 if(has_pending_keys) 2195 return 1; /* key in ADDPEND state, a previous probe has 2196 inserted that, and it was present in all recent probes, 2197 but it has not become active. The 30 day timer may not have 2198 expired, but we know(for sure) there is a rollover going on. 2199 If we only managed to pickup the new key on its last day 2200 of announcement (for example) this can happen. */ 2201 if(now - last_success < 0) { 2202 if(verb) printf("the last successful probe is in the future," 2203 " clock was modified\n"); 2204 return 0; 2205 } 2206 if(now - last_success >= leeway) { 2207 if(verb) printf("the last successful probe was more than 30 " 2208 "days ago\n"); 2209 return 1; 2210 } 2211 if(verb) printf("the last successful probe is recent\n"); 2212 return 0; 2213} 2214 2215static struct ub_result * 2216fetch_root_key(const char* root_anchor_file, const char* res_conf, 2217 const char* root_hints, const char* debugconf, const char* srcaddr, 2218 int ip4only, int ip6only) 2219{ 2220 struct ub_ctx* ctx; 2221 struct ub_result* dnskey; 2222 2223 ctx = create_unbound_context(res_conf, root_hints, debugconf, 2224 srcaddr, ip4only, ip6only); 2225 add_5011_probe_root(ctx, root_anchor_file); 2226 dnskey = prime_root_key(ctx); 2227 ub_ctx_delete(ctx); 2228 return dnskey; 2229} 2230 2231/** perform the unbound-anchor work */ 2232static int 2233do_root_update_work(const char* root_anchor_file, const char* root_cert_file, 2234 const char* urlname, const char* xmlname, const char* p7sname, 2235 const char* p7signer, const char* res_conf, const char* root_hints, 2236 const char* debugconf, const char* srcaddr, int ip4only, int ip6only, 2237 int force, int res_conf_fallback, int port, int use_sni) 2238{ 2239 struct ub_result* dnskey; 2240 int used_builtin = 0; 2241 int rcode; 2242 2243 /* see if builtin rootanchor needs to be provided, or if 2244 * rootanchor is 'revoked-trust-point' */ 2245 if(!provide_builtin(root_anchor_file, &used_builtin)) 2246 return 0; 2247 2248 /* make unbound context with 5011-probe for root anchor, 2249 * and probe . DNSKEY */ 2250 dnskey = fetch_root_key(root_anchor_file, res_conf, 2251 root_hints, debugconf, srcaddr, ip4only, ip6only); 2252 rcode = dnskey->rcode; 2253 2254 if (res_conf_fallback && res_conf && !dnskey->secure) { 2255 if (verb) printf("%s failed, retrying direct\n", res_conf); 2256 ub_resolve_free(dnskey); 2257 /* try direct query without res_conf */ 2258 dnskey = fetch_root_key(root_anchor_file, NULL, 2259 root_hints, debugconf, srcaddr, ip4only, ip6only); 2260 if (rcode != 0 && dnskey->rcode == 0) { 2261 res_conf = NULL; 2262 rcode = 0; 2263 } 2264 } 2265 2266 /* if secure: exit */ 2267 if(dnskey->secure && !force) { 2268 if(verb) printf("success: the anchor is ok\n"); 2269 ub_resolve_free(dnskey); 2270 return used_builtin; 2271 } 2272 if(force && verb) printf("debug cert update forced\n"); 2273 ub_resolve_free(dnskey); 2274 2275 /* if not (and NOERROR): check date and do certupdate */ 2276 if((rcode == 0 && 2277 probe_date_allows_certupdate(root_anchor_file)) || force) { 2278 if(do_certupdate(root_anchor_file, root_cert_file, urlname, 2279 xmlname, p7sname, p7signer, res_conf, root_hints, 2280 debugconf, srcaddr, ip4only, ip6only, port, use_sni)) 2281 return 1; 2282 return used_builtin; 2283 } 2284 if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n"); 2285 return used_builtin; 2286} 2287 2288/** getopt global, in case header files fail to declare it. */ 2289extern int optind; 2290/** getopt global, in case header files fail to declare it. */ 2291extern char* optarg; 2292 2293/** Main routine for unbound-anchor */ 2294int main(int argc, char* argv[]) 2295{ 2296 int c; 2297 const char* root_anchor_file = ROOT_ANCHOR_FILE; 2298 const char* root_cert_file = ROOT_CERT_FILE; 2299 const char* urlname = URLNAME; 2300 const char* xmlname = XMLNAME; 2301 const char* p7sname = P7SNAME; 2302 const char* p7signer = P7SIGNER; 2303 const char* res_conf = NULL; 2304 const char* root_hints = NULL; 2305 const char* debugconf = NULL; 2306 const char* srcaddr = NULL; 2307 int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT; 2308 int res_conf_fallback = 0; 2309 int use_sni = 1; 2310 /* parse the options */ 2311 while( (c=getopt(argc, argv, "46C:FRSP:a:b:c:f:hln:r:s:u:vx:")) != -1) { 2312 switch(c) { 2313 case 'l': 2314 dolist = 1; 2315 break; 2316 case '4': 2317 ip4only = 1; 2318 break; 2319 case '6': 2320 ip6only = 1; 2321 break; 2322 case 'a': 2323 root_anchor_file = optarg; 2324 break; 2325 case 'b': 2326 srcaddr = optarg; 2327 break; 2328 case 'c': 2329 root_cert_file = optarg; 2330 break; 2331 case 'u': 2332 urlname = optarg; 2333 break; 2334 case 'S': 2335 use_sni = 0; 2336 break; 2337 case 'x': 2338 xmlname = optarg; 2339 break; 2340 case 's': 2341 p7sname = optarg; 2342 break; 2343 case 'n': 2344 p7signer = optarg; 2345 break; 2346 case 'f': 2347 res_conf = optarg; 2348 break; 2349 case 'r': 2350 root_hints = optarg; 2351 break; 2352 case 'R': 2353 res_conf_fallback = 1; 2354 break; 2355 case 'C': 2356 debugconf = optarg; 2357 break; 2358 case 'F': 2359 force = 1; 2360 break; 2361 case 'P': 2362 port = atoi(optarg); 2363 break; 2364 case 'v': 2365 verb++; 2366 break; 2367 case '?': 2368 case 'h': 2369 default: 2370 usage(); 2371 } 2372 } 2373 argc -= optind; 2374 /* argv += optind; not using further arguments */ 2375 if(argc != 0) 2376 usage(); 2377 2378#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS 2379 ERR_load_crypto_strings(); 2380#endif 2381#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) 2382 ERR_load_SSL_strings(); 2383#endif 2384#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) 2385# ifndef S_SPLINT_S 2386 OpenSSL_add_all_algorithms(); 2387# endif 2388#else 2389 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS 2390 | OPENSSL_INIT_ADD_ALL_DIGESTS 2391 | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); 2392#endif 2393#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) 2394 (void)SSL_library_init(); 2395#else 2396 (void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); 2397#endif 2398 2399 if(dolist) do_list_builtin(); 2400 2401 return do_root_update_work(root_anchor_file, root_cert_file, urlname, 2402 xmlname, p7sname, p7signer, res_conf, root_hints, debugconf, 2403 srcaddr, ip4only, ip6only, force, res_conf_fallback, port, use_sni); 2404} 2405