1/* 2 * unbound-anchor.c - update the root anchor if necessary. 3 * 4 * Copyright (c) 2010, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file checks to see that the current 5011 keys work to prime the 40 * current root anchor. If not a certificate is used to update the anchor, 41 * with RFC7958 https xml fetch. 42 * 43 * This is a concept solution for distribution of the DNSSEC root 44 * trust anchor. It is a small tool, called "unbound-anchor", that 45 * runs before the main validator starts. I.e. in the init script: 46 * unbound-anchor; unbound. Thus it is meant to run at system boot time. 47 * 48 * Management-Abstract: 49 * * first run: fill root.key file with hardcoded DS record. 50 * * mostly: use RFC5011 tracking, quick . DNSKEY UDP query. 51 * * failover: use RFC7958 builtin certificate, do https and update. 52 * Special considerations: 53 * * 30-days RFC5011 timer saves a lot of https traffic. 54 * * DNSKEY probe must be NOERROR, saves a lot of https traffic. 55 * * fail if clock before sign date of the root, if cert expired. 56 * * if the root goes back to unsigned, deals with it. 57 * 58 * It has hardcoded the root DS anchors and the ICANN CA root certificate. 59 * It allows with options to override those. It also takes root-hints (it 60 * has to do a DNS resolve), and also has hardcoded defaults for those. 61 * 62 * Once it starts, just before the validator starts, it quickly checks if 63 * the root anchor file needs to be updated. First it tries to use 64 * RFC5011-tracking of the root key. If that fails (and for 30-days since 65 * last successful probe), then it attempts to update using the 66 * certificate. So most of the time, the RFC5011 tracking will work fine, 67 * and within a couple milliseconds, the main daemon can start. It will 68 * have only probed the . DNSKEY, not done expensive https transfers on the 69 * root infrastructure. 70 * 71 * If there is no root key in the root.key file, it bootstraps the 72 * RFC5011-tracking with its builtin DS anchors; if that fails it 73 * bootstraps the RFC5011-tracking using the certificate. (again to avoid 74 * https, and it is also faster). 75 * 76 * It uses the XML file by converting it to DS records and writing that to the 77 * key file. Unbound can detect that the 'special comments' are gone, and 78 * the file contains a list of normal DNSKEY/DS records, and uses that to 79 * bootstrap 5011 (the KSK is made VALID). 80 * 81 * The certificate RFC7958 update is done by fetching root-anchors.xml and 82 * root-anchors.p7s via SSL. The HTTPS certificate can be logged but is 83 * not validated (https for channel security; the security comes from the 84 * certificate). The 'data.iana.org' domain name A and AAAA are resolved 85 * without DNSSEC. It tries a random IP until the transfer succeeds. It 86 * then checks the p7s signature. 87 * 88 * On any failure, it leaves the root key file untouched. The main 89 * validator has to cope with it, it cannot fix things (So a failure does 90 * not go 'without DNSSEC', no downgrade). If it used its builtin stuff or 91 * did the https, it exits with an exit code, so that this can trigger the 92 * init script to log the event and potentially alert the operator that can 93 * do a manual check. 94 * 95 * The date is also checked. Before 2010-07-15 is a failure (root not 96 * signed yet; avoids attacks on system clock). The 97 * last-successful-RFC5011-probe (if available) has to be more than 30 days 98 * in the past (otherwise, RFC5011 should have worked). This keeps 99 * unnecessary https traffic down. If the main certificate is expired, it 100 * fails. 101 * 102 * The dates on the keys in the xml are checked (uses the libexpat xml 103 * parser), only the valid ones are used to re-enstate RFC5011 tracking. 104 * If 0 keys are valid, the zone has gone to insecure (a special marker is 105 * written in the keyfile that tells the main validator daemon the zone is 106 * insecure). 107 * 108 * Only the root ICANN CA is shipped, not the intermediate ones. The 109 * intermediate CAs are included in the p7s file that was downloaded. (the 110 * root cert is valid to 2028 and the intermediate to 2014, today). 111 * 112 * Obviously, the tool also has options so the operator can provide a new 113 * keyfile, a new certificate and new URLs, and fresh root hints. By 114 * default it logs nothing on failure and success; it 'just works'. 115 * 116 */ 117 118#include "config.h" 119#include "libunbound/unbound.h" 120#include "sldns/rrdef.h" 121#include "sldns/parseutil.h" 122#include <expat.h> 123#ifndef HAVE_EXPAT_H 124#error "need libexpat to parse root-anchors.xml file." 125#endif 126#ifdef HAVE_GETOPT_H 127#include <getopt.h> 128#endif 129#ifdef HAVE_OPENSSL_SSL_H 130#include <openssl/ssl.h> 131#endif 132#ifdef HAVE_OPENSSL_ERR_H 133#include <openssl/err.h> 134#endif 135#ifdef HAVE_OPENSSL_RAND_H 136#include <openssl/rand.h> 137#endif 138#include <openssl/x509.h> 139#include <openssl/x509v3.h> 140#include <openssl/pem.h> 141 142/** name of server in URL to fetch HTTPS from */ 143#define URLNAME "data.iana.org" 144/** path on HTTPS server to xml file */ 145#define XMLNAME "root-anchors/root-anchors.xml" 146/** path on HTTPS server to p7s file */ 147#define P7SNAME "root-anchors/root-anchors.p7s" 148/** name of the signer of the certificate */ 149#define P7SIGNER "dnssec@iana.org" 150/** port number for https access */ 151#define HTTPS_PORT 443 152 153#ifdef USE_WINSOCK 154/* sneakily reuse the the wsa_strerror function, on windows */ 155char* wsa_strerror(int err); 156#endif 157 158static const char ICANN_UPDATE_CA[] = 159 /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */ 160 "-----BEGIN CERTIFICATE-----\n" 161 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n" 162 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n" 163 "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n" 164 "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n" 165 "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n" 166 "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n" 167 "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n" 168 "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n" 169 "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n" 170 "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n" 171 "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n" 172 "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n" 173 "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n" 174 "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n" 175 "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n" 176 "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n" 177 "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n" 178 "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n" 179 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n" 180 "-----END CERTIFICATE-----\n"; 181 182static const char DS_TRUST_ANCHOR[] = 183 /* The anchors must start on a new line with ". IN DS and end with \n"[;] 184 * because the makedist script greps on the source here */ 185 /* anchor 20326 is from 2017 */ 186". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"; 187 188/** verbosity for this application */ 189static int verb = 0; 190 191/** list of IP addresses */ 192struct ip_list { 193 /** next in list */ 194 struct ip_list* next; 195 /** length of addr */ 196 socklen_t len; 197 /** address ready to connect to */ 198 struct sockaddr_storage addr; 199 /** has the address been used */ 200 int used; 201}; 202 203/** Give unbound-anchor usage, and exit (1). */ 204static void 205usage(void) 206{ 207 printf("Usage: local-unbound-anchor [opts]\n"); 208 printf(" Setup or update root anchor. " 209 "Most options have defaults.\n"); 210 printf(" Run this program before you start the validator.\n"); 211 printf("\n"); 212 printf(" The anchor and cert have default builtin content\n"); 213 printf(" if the file does not exist or is empty.\n"); 214 printf("\n"); 215 printf("-a file root key file, default %s\n", ROOT_ANCHOR_FILE); 216 printf(" The key is input and output for this tool.\n"); 217 printf("-c file cert file, default %s\n", ROOT_CERT_FILE); 218 printf("-l list builtin key and cert on stdout\n"); 219 printf("-u name server in https url, default %s\n", URLNAME); 220 printf("-S do not use SNI for the https connection\n"); 221 printf("-x path pathname to xml in url, default %s\n", XMLNAME); 222 printf("-s path pathname to p7s in url, default %s\n", P7SNAME); 223 printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER); 224 printf("-b address source address to bind to\n"); 225 printf("-4 work using IPv4 only\n"); 226 printf("-6 work using IPv6 only\n"); 227 printf("-f resolv.conf use given resolv.conf\n"); 228 printf("-r root.hints use given root.hints\n" 229 " builtin root hints are used by default\n"); 230 printf("-R fallback from -f to root query on error\n"); 231 printf("-v more verbose\n"); 232 printf("-C conf debug, read config\n"); 233 printf("-P port use port for https connect, default 443\n"); 234 printf("-F debug, force update with cert\n"); 235 printf("-h show this usage help\n"); 236 printf("Version %s\n", PACKAGE_VERSION); 237 printf("BSD licensed, see LICENSE in source package for details.\n"); 238 printf("Report bugs to %s\n", PACKAGE_BUGREPORT); 239 exit(1); 240} 241 242/** return the built in root update certificate */ 243static const char* 244get_builtin_cert(void) 245{ 246 return ICANN_UPDATE_CA; 247} 248 249/** return the built in root DS trust anchor */ 250static const char* 251get_builtin_ds(void) 252{ 253 return DS_TRUST_ANCHOR; 254} 255 256/** print hex data */ 257static void 258print_data(const char* msg, const char* data, size_t len) 259{ 260 size_t i; 261 printf("%s: ", msg); 262 for(i=0; i<len; i++) { 263 printf(" %2.2x", (unsigned char)data[i]); 264 } 265 printf("\n"); 266} 267 268/** print ub context creation error and exit */ 269static void 270ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2) 271{ 272 ub_ctx_delete(ctx); 273 if(str && str2 && verb) printf("%s: %s\n", str, str2); 274 if(verb) printf("error: could not create unbound resolver context\n"); 275 exit(0); 276} 277 278/** 279 * Create a new unbound context with the commandline settings applied 280 */ 281static struct ub_ctx* 282create_unbound_context(const char* res_conf, const char* root_hints, 283 const char* debugconf, const char* srcaddr, int ip4only, int ip6only) 284{ 285 int r; 286 struct ub_ctx* ctx = ub_ctx_create(); 287 if(!ctx) { 288 if(verb) printf("out of memory\n"); 289 exit(0); 290 } 291 /* do not waste time and network traffic to fetch extra nameservers */ 292 r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0"); 293 if(r && verb) printf("ctx targetfetchpolicy: %s\n", ub_strerror(r)); 294 /* read config file first, so its settings can be overridden */ 295 if(debugconf) { 296 r = ub_ctx_config(ctx, debugconf); 297 if(r) ub_ctx_error_exit(ctx, debugconf, ub_strerror(r)); 298 } 299 if(res_conf) { 300 r = ub_ctx_resolvconf(ctx, res_conf); 301 if(r) ub_ctx_error_exit(ctx, res_conf, ub_strerror(r)); 302 } 303 if(root_hints) { 304 r = ub_ctx_set_option(ctx, "root-hints:", root_hints); 305 if(r) ub_ctx_error_exit(ctx, root_hints, ub_strerror(r)); 306 } 307 if(srcaddr) { 308 r = ub_ctx_set_option(ctx, "outgoing-interface:", srcaddr); 309 if(r) ub_ctx_error_exit(ctx, srcaddr, ub_strerror(r)); 310 } 311 if(ip4only) { 312 r = ub_ctx_set_option(ctx, "do-ip6:", "no"); 313 if(r) ub_ctx_error_exit(ctx, "ip4only", ub_strerror(r)); 314 } 315 if(ip6only) { 316 r = ub_ctx_set_option(ctx, "do-ip4:", "no"); 317 if(r) ub_ctx_error_exit(ctx, "ip6only", ub_strerror(r)); 318 } 319 return ctx; 320} 321 322/** printout certificate in detail */ 323static void 324verb_cert(const char* msg, X509* x) 325{ 326 if(verb == 0 || verb == 1) return; 327 if(verb == 2) { 328 if(msg) printf("%s\n", msg); 329 X509_print_ex_fp(stdout, x, 0, (unsigned long)-1 330 ^(X509_FLAG_NO_SUBJECT 331 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY)); 332 return; 333 } 334 if(msg) printf("%s\n", msg); 335 X509_print_fp(stdout, x); 336} 337 338/** printout certificates in detail */ 339static void 340verb_certs(const char* msg, STACK_OF(X509)* sk) 341{ 342 int i, num = sk_X509_num(sk); 343 if(verb == 0 || verb == 1) return; 344 for(i=0; i<num; i++) { 345 printf("%s (%d/%d)\n", msg, i, num); 346 verb_cert(NULL, sk_X509_value(sk, i)); 347 } 348} 349 350/** read certificates from a PEM bio */ 351static STACK_OF(X509)* 352read_cert_bio(BIO* bio) 353{ 354 STACK_OF(X509) *sk = sk_X509_new_null(); 355 if(!sk) { 356 if(verb) printf("out of memory\n"); 357 exit(0); 358 } 359 while(!BIO_eof(bio)) { 360 X509* x = PEM_read_bio_X509(bio, NULL, NULL, NULL); 361 if(x == NULL) { 362 if(verb) { 363 printf("failed to read X509\n"); 364 ERR_print_errors_fp(stdout); 365 } 366 continue; 367 } 368 if(!sk_X509_push(sk, x)) { 369 if(verb) printf("out of memory\n"); 370 exit(0); 371 } 372 } 373 return sk; 374} 375 376/* read the certificate file */ 377static STACK_OF(X509)* 378read_cert_file(const char* file) 379{ 380 STACK_OF(X509)* sk; 381 FILE* in; 382 int content = 0; 383 char buf[128]; 384 if(file == NULL || strcmp(file, "") == 0) { 385 return NULL; 386 } 387 sk = sk_X509_new_null(); 388 if(!sk) { 389 if(verb) printf("out of memory\n"); 390 exit(0); 391 } 392 in = fopen(file, "r"); 393 if(!in) { 394 if(verb) printf("%s: %s\n", file, strerror(errno)); 395#ifndef S_SPLINT_S 396 sk_X509_pop_free(sk, X509_free); 397#endif 398 return NULL; 399 } 400 while(!feof(in)) { 401 X509* x = PEM_read_X509(in, NULL, NULL, NULL); 402 if(x == NULL) { 403 if(verb) { 404 printf("failed to read X509 file\n"); 405 ERR_print_errors_fp(stdout); 406 } 407 continue; 408 } 409 if(!sk_X509_push(sk, x)) { 410 if(verb) printf("out of memory\n"); 411 fclose(in); 412 exit(0); 413 } 414 content = 1; 415 /* read away newline after --END CERT-- */ 416 if(!fgets(buf, (int)sizeof(buf), in)) 417 break; 418 } 419 fclose(in); 420 if(!content) { 421 if(verb) printf("%s is empty\n", file); 422#ifndef S_SPLINT_S 423 sk_X509_pop_free(sk, X509_free); 424#endif 425 return NULL; 426 } 427 return sk; 428} 429 430/** read certificates from the builtin certificate */ 431static STACK_OF(X509)* 432read_builtin_cert(void) 433{ 434 const char* builtin_cert = get_builtin_cert(); 435 STACK_OF(X509)* sk; 436 BIO *bio = BIO_new_mem_buf(builtin_cert, 437 (int)strlen(builtin_cert)); 438 if(!bio) { 439 if(verb) printf("out of memory\n"); 440 exit(0); 441 } 442 sk = read_cert_bio(bio); 443 if(!sk) { 444 if(verb) printf("internal error, out of memory\n"); 445 exit(0); 446 } 447 BIO_free(bio); 448 return sk; 449} 450 451/** read update cert file or use builtin */ 452static STACK_OF(X509)* 453read_cert_or_builtin(const char* file) 454{ 455 STACK_OF(X509) *sk = read_cert_file(file); 456 if(!sk) { 457 if(verb) printf("using builtin certificate\n"); 458 sk = read_builtin_cert(); 459 } 460 if(verb) printf("have %d trusted certificates\n", sk_X509_num(sk)); 461 verb_certs("trusted certificates", sk); 462 return sk; 463} 464 465static void 466do_list_builtin(void) 467{ 468 const char* builtin_cert = get_builtin_cert(); 469 const char* builtin_ds = get_builtin_ds(); 470 printf("%s\n", builtin_ds); 471 printf("%s\n", builtin_cert); 472 exit(0); 473} 474 475/** printout IP address with message */ 476static void 477verb_addr(const char* msg, struct ip_list* ip) 478{ 479 if(verb) { 480 char out[100]; 481 void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr; 482 if(ip->len != (socklen_t)sizeof(struct sockaddr_in)) 483 a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr; 484 485 if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family, 486 a, out, (socklen_t)sizeof(out))==0) 487 printf("%s (inet_ntop error)\n", msg); 488 else printf("%s %s\n", msg, out); 489 } 490} 491 492/** free ip_list */ 493static void 494ip_list_free(struct ip_list* p) 495{ 496 struct ip_list* np; 497 while(p) { 498 np = p->next; 499 free(p); 500 p = np; 501 } 502} 503 504/** create ip_list entry for a RR record */ 505static struct ip_list* 506RR_to_ip(int tp, char* data, int len, int port) 507{ 508 struct ip_list* ip = (struct ip_list*)calloc(1, sizeof(*ip)); 509 uint16_t p = (uint16_t)port; 510 if(tp == LDNS_RR_TYPE_A) { 511 struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr; 512 ip->len = (socklen_t)sizeof(*sa); 513 sa->sin_family = AF_INET; 514 sa->sin_port = (in_port_t)htons(p); 515 if(len != (int)sizeof(sa->sin_addr)) { 516 if(verb) printf("skipped badly formatted A\n"); 517 free(ip); 518 return NULL; 519 } 520 memmove(&sa->sin_addr, data, sizeof(sa->sin_addr)); 521 522 } else if(tp == LDNS_RR_TYPE_AAAA) { 523 struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr; 524 ip->len = (socklen_t)sizeof(*sa); 525 sa->sin6_family = AF_INET6; 526 sa->sin6_port = (in_port_t)htons(p); 527 if(len != (int)sizeof(sa->sin6_addr)) { 528 if(verb) printf("skipped badly formatted AAAA\n"); 529 free(ip); 530 return NULL; 531 } 532 memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr)); 533 } else { 534 if(verb) printf("internal error: bad type in RRtoip\n"); 535 free(ip); 536 return NULL; 537 } 538 verb_addr("resolved server address", ip); 539 return ip; 540} 541 542/** Resolve name, type, class and add addresses to iplist */ 543static void 544resolve_host_ip(struct ub_ctx* ctx, const char* host, int port, int tp, int cl, 545 struct ip_list** head) 546{ 547 struct ub_result* res = NULL; 548 int r; 549 int i; 550 551 r = ub_resolve(ctx, host, tp, cl, &res); 552 if(r) { 553 if(verb) printf("error: resolve %s %s: %s\n", host, 554 (tp==LDNS_RR_TYPE_A)?"A":"AAAA", ub_strerror(r)); 555 return; 556 } 557 if(!res) { 558 if(verb) printf("out of memory\n"); 559 ub_ctx_delete(ctx); 560 exit(0); 561 } 562 if(!res->havedata || res->rcode || !res->data) { 563 if(verb) printf("resolve %s %s: no result\n", host, 564 (tp==LDNS_RR_TYPE_A)?"A":"AAAA"); 565 return; 566 } 567 for(i = 0; res->data[i]; i++) { 568 struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i], 569 port); 570 if(!ip) continue; 571 ip->next = *head; 572 *head = ip; 573 } 574 ub_resolve_free(res); 575} 576 577/** parse a text IP address into a sockaddr */ 578static struct ip_list* 579parse_ip_addr(const char* str, int port) 580{ 581 socklen_t len = 0; 582 union { 583 struct sockaddr_in6 a6; 584 struct sockaddr_in a; 585 } addr; 586 struct ip_list* ip; 587 uint16_t p = (uint16_t)port; 588 memset(&addr, 0, sizeof(addr)); 589 590 if(inet_pton(AF_INET6, str, &addr.a6.sin6_addr) > 0) { 591 /* it is an IPv6 */ 592 addr.a6.sin6_family = AF_INET6; 593 addr.a6.sin6_port = (in_port_t)htons(p); 594 len = (socklen_t)sizeof(addr.a6); 595 } 596 if(inet_pton(AF_INET, str, &addr.a.sin_addr) > 0) { 597 /* it is an IPv4 */ 598 addr.a.sin_family = AF_INET; 599 addr.a.sin_port = (in_port_t)htons(p); 600 len = (socklen_t)sizeof(struct sockaddr_in); 601 } 602 if(!len) return NULL; 603 ip = (struct ip_list*)calloc(1, sizeof(*ip)); 604 if(!ip) { 605 if(verb) printf("out of memory\n"); 606 exit(0); 607 } 608 ip->len = len; 609 memmove(&ip->addr, &addr, len); 610 if(verb) printf("server address is %s\n", str); 611 return ip; 612} 613 614/** 615 * Resolve a domain name (even though the resolver is down and there is 616 * no trust anchor). Without DNSSEC validation. 617 * @param host: the name to resolve. 618 * If this name is an IP4 or IP6 address this address is returned. 619 * @param port: the port number used for the returned IP structs. 620 * @param res_conf: resolv.conf (if any). 621 * @param root_hints: root hints (if any). 622 * @param debugconf: unbound.conf for debugging options. 623 * @param srcaddr: source address option (if any). 624 * @param ip4only: use only ip4 for resolve and only lookup A 625 * @param ip6only: use only ip6 for resolve and only lookup AAAA 626 * default is to lookup A and AAAA using ip4 and ip6. 627 * @return list of IP addresses. 628 */ 629static struct ip_list* 630resolve_name(const char* host, int port, const char* res_conf, 631 const char* root_hints, const char* debugconf, 632 const char* srcaddr, int ip4only, int ip6only) 633{ 634 struct ub_ctx* ctx; 635 struct ip_list* list = NULL; 636 /* first see if name is an IP address itself */ 637 if( (list=parse_ip_addr(host, port)) ) { 638 return list; 639 } 640 641 /* create resolver context */ 642 ctx = create_unbound_context(res_conf, root_hints, debugconf, 643 srcaddr, ip4only, ip6only); 644 645 /* try resolution of A */ 646 if(!ip6only) { 647 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_A, 648 LDNS_RR_CLASS_IN, &list); 649 } 650 651 /* try resolution of AAAA */ 652 if(!ip4only) { 653 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_AAAA, 654 LDNS_RR_CLASS_IN, &list); 655 } 656 657 ub_ctx_delete(ctx); 658 if(!list) { 659 if(verb) printf("%s has no IP addresses I can use\n", host); 660 exit(0); 661 } 662 return list; 663} 664 665/** clear used flags */ 666static void 667wipe_ip_usage(struct ip_list* p) 668{ 669 while(p) { 670 p->used = 0; 671 p = p->next; 672 } 673} 674 675/** count unused IPs */ 676static int 677count_unused(struct ip_list* p) 678{ 679 int num = 0; 680 while(p) { 681 if(!p->used) num++; 682 p = p->next; 683 } 684 return num; 685} 686 687/** pick random unused element from IP list */ 688static struct ip_list* 689pick_random_ip(struct ip_list* list) 690{ 691 struct ip_list* p = list; 692 int num = count_unused(list); 693 int sel; 694 if(num == 0) return NULL; 695 /* not perfect, but random enough */ 696 sel = (int)arc4random_uniform((uint32_t)num); 697 /* skip over unused elements that we did not select */ 698 while(sel > 0 && p) { 699 if(!p->used) sel--; 700 p = p->next; 701 } 702 /* find the next unused element */ 703 while(p && p->used) 704 p = p->next; 705 if(!p) return NULL; /* robustness */ 706 return p; 707} 708 709/** close the fd */ 710static void 711fd_close(int fd) 712{ 713#ifndef USE_WINSOCK 714 close(fd); 715#else 716 closesocket(fd); 717#endif 718} 719 720/** printout socket errno */ 721static void 722print_sock_err(const char* msg) 723{ 724#ifndef USE_WINSOCK 725 if(verb) printf("%s: %s\n", msg, strerror(errno)); 726#else 727 if(verb) printf("%s: %s\n", msg, wsa_strerror(WSAGetLastError())); 728#endif 729} 730 731/** connect to IP address */ 732static int 733connect_to_ip(struct ip_list* ip, struct ip_list* src) 734{ 735 int fd; 736 verb_addr("connect to", ip); 737 fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)? 738 AF_INET:AF_INET6, SOCK_STREAM, 0); 739 if(fd == -1) { 740 print_sock_err("socket"); 741 return -1; 742 } 743 if(src && bind(fd, (struct sockaddr*)&src->addr, src->len) < 0) { 744 print_sock_err("bind"); 745 fd_close(fd); 746 return -1; 747 } 748 if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) { 749 print_sock_err("connect"); 750 fd_close(fd); 751 return -1; 752 } 753 return fd; 754} 755 756/** create SSL context */ 757static SSL_CTX* 758setup_sslctx(void) 759{ 760 SSL_CTX* sslctx = SSL_CTX_new(SSLv23_client_method()); 761 if(!sslctx) { 762 if(verb) printf("SSL_CTX_new error\n"); 763 return NULL; 764 } 765 return sslctx; 766} 767 768/** initiate TLS on a connection */ 769static SSL* 770TLS_initiate(SSL_CTX* sslctx, int fd, const char* urlname, int use_sni) 771{ 772 X509* x; 773 int r; 774 SSL* ssl = SSL_new(sslctx); 775 if(!ssl) { 776 if(verb) printf("SSL_new error\n"); 777 return NULL; 778 } 779 SSL_set_connect_state(ssl); 780 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); 781 if(!SSL_set_fd(ssl, fd)) { 782 if(verb) printf("SSL_set_fd error\n"); 783 SSL_free(ssl); 784 return NULL; 785 } 786 if(use_sni) { 787 (void)SSL_set_tlsext_host_name(ssl, urlname); 788 } 789 while(1) { 790 ERR_clear_error(); 791 if( (r=SSL_do_handshake(ssl)) == 1) 792 break; 793 r = SSL_get_error(ssl, r); 794 if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) { 795 if(verb) printf("SSL handshake failed\n"); 796 SSL_free(ssl); 797 return NULL; 798 } 799 /* wants to be called again */ 800 } 801 x = SSL_get_peer_certificate(ssl); 802 if(!x) { 803 if(verb) printf("Server presented no peer certificate\n"); 804 SSL_free(ssl); 805 return NULL; 806 } 807 verb_cert("server SSL certificate", x); 808 X509_free(x); 809 return ssl; 810} 811 812/** perform neat TLS shutdown */ 813static void 814TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx) 815{ 816 /* shutdown the SSL connection nicely */ 817 if(SSL_shutdown(ssl) == 0) { 818 SSL_shutdown(ssl); 819 } 820 SSL_free(ssl); 821 SSL_CTX_free(sslctx); 822 fd_close(fd); 823} 824 825/** write a line over SSL */ 826static int 827write_ssl_line(SSL* ssl, const char* str, const char* sec) 828{ 829 char buf[1024]; 830 size_t l; 831 if(sec) { 832 snprintf(buf, sizeof(buf), str, sec); 833 } else { 834 snprintf(buf, sizeof(buf), "%s", str); 835 } 836 l = strlen(buf); 837 if(l+2 >= sizeof(buf)) { 838 if(verb) printf("line too long\n"); 839 return 0; 840 } 841 if(verb >= 2) printf("SSL_write: %s\n", buf); 842 buf[l] = '\r'; 843 buf[l+1] = '\n'; 844 buf[l+2] = 0; 845 /* add \r\n */ 846 if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) { 847 if(verb) printf("could not SSL_write %s", str); 848 return 0; 849 } 850 return 1; 851} 852 853/** process header line, check rcode and keeping track of size */ 854static int 855process_one_header(char* buf, size_t* clen, int* chunked) 856{ 857 if(verb>=2) printf("header: '%s'\n", buf); 858 if(strncasecmp(buf, "HTTP/1.1 ", 9) == 0) { 859 /* check returncode */ 860 if(buf[9] != '2') { 861 if(verb) printf("bad status %s\n", buf+9); 862 return 0; 863 } 864 } else if(strncasecmp(buf, "Content-Length: ", 16) == 0) { 865 if(!*chunked) 866 *clen = (size_t)atoi(buf+16); 867 } else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) { 868 *clen = 0; 869 *chunked = 1; 870 } 871 return 1; 872} 873 874/** 875 * Read one line from SSL 876 * zero terminates. 877 * skips "\r\n" (but not copied to buf). 878 * @param ssl: the SSL connection to read from (blocking). 879 * @param buf: buffer to return line in. 880 * @param len: size of the buffer. 881 * @return 0 on error, 1 on success. 882 */ 883static int 884read_ssl_line(SSL* ssl, char* buf, size_t len) 885{ 886 size_t n = 0; 887 int r; 888 int endnl = 0; 889 while(1) { 890 if(n >= len) { 891 if(verb) printf("line too long\n"); 892 return 0; 893 } 894 if((r = SSL_read(ssl, buf+n, 1)) <= 0) { 895 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { 896 /* EOF */ 897 break; 898 } 899 if(verb) printf("could not SSL_read\n"); 900 return 0; 901 } 902 if(endnl && buf[n] == '\n') { 903 break; 904 } else if(endnl) { 905 /* bad data */ 906 if(verb) printf("error: stray linefeeds\n"); 907 return 0; 908 } else if(buf[n] == '\r') { 909 /* skip \r, and also \n on the wire */ 910 endnl = 1; 911 continue; 912 } else if(buf[n] == '\n') { 913 /* skip the \n, we are done */ 914 break; 915 } else n++; 916 } 917 buf[n] = 0; 918 return 1; 919} 920 921/** read http headers and process them */ 922static size_t 923read_http_headers(SSL* ssl, size_t* clen) 924{ 925 char buf[1024]; 926 int chunked = 0; 927 *clen = 0; 928 while(read_ssl_line(ssl, buf, sizeof(buf))) { 929 if(buf[0] == 0) 930 return 1; 931 if(!process_one_header(buf, clen, &chunked)) 932 return 0; 933 } 934 return 0; 935} 936 937/** read a data chunk */ 938static char* 939read_data_chunk(SSL* ssl, size_t len) 940{ 941 size_t got = 0; 942 int r; 943 char* data; 944 if((unsigned)len >= (unsigned)0xfffffff0) 945 return NULL; /* to protect against integer overflow in malloc*/ 946 data = malloc(len+1); 947 if(!data) { 948 if(verb) printf("out of memory\n"); 949 return NULL; 950 } 951 while(got < len) { 952 if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) { 953 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { 954 /* EOF */ 955 if(verb) printf("could not SSL_read: unexpected EOF\n"); 956 free(data); 957 return NULL; 958 } 959 if(verb) printf("could not SSL_read\n"); 960 free(data); 961 return NULL; 962 } 963 if(verb >= 2) printf("at %d/%d\n", (int)got, (int)len); 964 got += r; 965 } 966 if(verb>=2) printf("read %d data\n", (int)len); 967 data[len] = 0; 968 return data; 969} 970 971/** parse chunk header */ 972static int 973parse_chunk_header(char* buf, size_t* result) 974{ 975 char* e = NULL; 976 size_t v = (size_t)strtol(buf, &e, 16); 977 if(e == buf) 978 return 0; 979 *result = v; 980 return 1; 981} 982 983/** read chunked data from connection */ 984static BIO* 985do_chunked_read(SSL* ssl) 986{ 987 char buf[1024]; 988 size_t len; 989 char* body; 990 BIO* mem = BIO_new(BIO_s_mem()); 991 if(verb>=3) printf("do_chunked_read\n"); 992 if(!mem) { 993 if(verb) printf("out of memory\n"); 994 return NULL; 995 } 996 while(read_ssl_line(ssl, buf, sizeof(buf))) { 997 /* read the chunked start line */ 998 if(verb>=2) printf("chunk header: %s\n", buf); 999 if(!parse_chunk_header(buf, &len)) { 1000 BIO_free(mem); 1001 if(verb>=3) printf("could not parse chunk header\n"); 1002 return NULL; 1003 } 1004 if(verb>=2) printf("chunk len: %d\n", (int)len); 1005 /* are we done? */ 1006 if(len == 0) { 1007 char z = 0; 1008 /* skip end-of-chunk-trailer lines, 1009 * until the empty line after that */ 1010 do { 1011 if(!read_ssl_line(ssl, buf, sizeof(buf))) { 1012 BIO_free(mem); 1013 return NULL; 1014 } 1015 } while (strlen(buf) > 0); 1016 /* end of chunks, zero terminate it */ 1017 if(BIO_write(mem, &z, 1) <= 0) { 1018 if(verb) printf("out of memory\n"); 1019 BIO_free(mem); 1020 return NULL; 1021 } 1022 return mem; 1023 } 1024 /* read the chunked body */ 1025 body = read_data_chunk(ssl, len); 1026 if(!body) { 1027 BIO_free(mem); 1028 return NULL; 1029 } 1030 if(BIO_write(mem, body, (int)len) <= 0) { 1031 if(verb) printf("out of memory\n"); 1032 free(body); 1033 BIO_free(mem); 1034 return NULL; 1035 } 1036 free(body); 1037 /* skip empty line after data chunk */ 1038 if(!read_ssl_line(ssl, buf, sizeof(buf))) { 1039 BIO_free(mem); 1040 return NULL; 1041 } 1042 } 1043 BIO_free(mem); 1044 return NULL; 1045} 1046 1047/** start HTTP1.1 transaction on SSL */ 1048static int 1049write_http_get(SSL* ssl, const char* pathname, const char* urlname) 1050{ 1051 if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) && 1052 write_ssl_line(ssl, "Host: %s", urlname) && 1053 write_ssl_line(ssl, "User-Agent: unbound-anchor/%s", 1054 PACKAGE_VERSION) && 1055 /* We do not really do multiple queries per connection, 1056 * but this header setting is also not needed. 1057 * write_ssl_line(ssl, "Connection: close", NULL) &&*/ 1058 write_ssl_line(ssl, "", NULL)) { 1059 return 1; 1060 } 1061 return 0; 1062} 1063 1064/** read chunked data and zero terminate; len is without zero */ 1065static char* 1066read_chunked_zero_terminate(SSL* ssl, size_t* len) 1067{ 1068 /* do the chunked version */ 1069 BIO* tmp = do_chunked_read(ssl); 1070 char* data, *d = NULL; 1071 size_t l; 1072 if(!tmp) { 1073 if(verb) printf("could not read from https\n"); 1074 return NULL; 1075 } 1076 l = (size_t)BIO_get_mem_data(tmp, &d); 1077 if(verb>=2) printf("chunked data is %d\n", (int)l); 1078 if(l == 0 || d == NULL) { 1079 if(verb) printf("out of memory\n"); 1080 return NULL; 1081 } 1082 *len = l-1; 1083 data = (char*)malloc(l); 1084 if(data == NULL) { 1085 if(verb) printf("out of memory\n"); 1086 return NULL; 1087 } 1088 memcpy(data, d, l); 1089 BIO_free(tmp); 1090 return data; 1091} 1092 1093/** read HTTP result from SSL */ 1094static BIO* 1095read_http_result(SSL* ssl) 1096{ 1097 size_t len = 0; 1098 char* data; 1099 BIO* m; 1100 if(!read_http_headers(ssl, &len)) { 1101 return NULL; 1102 } 1103 if(len == 0) { 1104 data = read_chunked_zero_terminate(ssl, &len); 1105 } else { 1106 data = read_data_chunk(ssl, len); 1107 } 1108 if(!data) return NULL; 1109 if(verb >= 4) print_data("read data", data, len); 1110 m = BIO_new(BIO_s_mem()); 1111 if(!m) { 1112 if(verb) printf("out of memory\n"); 1113 free(data); 1114 exit(0); 1115 } 1116 BIO_write(m, data, (int)len); 1117 free(data); 1118 return m; 1119} 1120 1121/** https to an IP addr, return BIO with pathname or NULL */ 1122static BIO* 1123https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname, 1124 struct ip_list* src, int use_sni) 1125{ 1126 int fd; 1127 SSL* ssl; 1128 BIO* bio; 1129 SSL_CTX* sslctx = setup_sslctx(); 1130 if(!sslctx) { 1131 return NULL; 1132 } 1133 fd = connect_to_ip(ip, src); 1134 if(fd == -1) { 1135 SSL_CTX_free(sslctx); 1136 return NULL; 1137 } 1138 ssl = TLS_initiate(sslctx, fd, urlname, use_sni); 1139 if(!ssl) { 1140 SSL_CTX_free(sslctx); 1141 fd_close(fd); 1142 return NULL; 1143 } 1144 if(!write_http_get(ssl, pathname, urlname)) { 1145 if(verb) printf("could not write to server\n"); 1146 SSL_free(ssl); 1147 SSL_CTX_free(sslctx); 1148 fd_close(fd); 1149 return NULL; 1150 } 1151 bio = read_http_result(ssl); 1152 TLS_shutdown(fd, ssl, sslctx); 1153 return bio; 1154} 1155 1156/** 1157 * Do a HTTPS, HTTP1.1 over TLS, to fetch a file 1158 * @param ip_list: list of IP addresses to use to fetch from. 1159 * @param pathname: pathname of file on server to GET. 1160 * @param urlname: name to pass as the virtual host for this request. 1161 * @param src: if nonNULL, source address to bind to. 1162 * @param use_sni: if SNI will be used. 1163 * @return a memory BIO with the file in it. 1164 */ 1165static BIO* 1166https(struct ip_list* ip_list, const char* pathname, const char* urlname, 1167 struct ip_list* src, int use_sni) 1168{ 1169 struct ip_list* ip; 1170 BIO* bio = NULL; 1171 /* try random address first, and work through the list */ 1172 wipe_ip_usage(ip_list); 1173 while( (ip = pick_random_ip(ip_list)) ) { 1174 ip->used = 1; 1175 bio = https_to_ip(ip, pathname, urlname, src, use_sni); 1176 if(bio) break; 1177 } 1178 if(!bio) { 1179 if(verb) printf("could not fetch %s\n", pathname); 1180 exit(0); 1181 } else { 1182 if(verb) printf("fetched %s (%d bytes)\n", 1183 pathname, (int)BIO_ctrl_pending(bio)); 1184 } 1185 return bio; 1186} 1187 1188/** XML parse private data during the parse */ 1189struct xml_data { 1190 /** the parser, reference */ 1191 XML_Parser parser; 1192 /** the current tag; malloced; or NULL outside of tags */ 1193 char* tag; 1194 /** current date to use during the parse */ 1195 time_t date; 1196 /** number of keys usefully read in */ 1197 int num_keys; 1198 /** the compiled anchors as DS records */ 1199 BIO* ds; 1200 1201 /** do we want to use this anchor? */ 1202 int use_key; 1203 /** the current anchor: Zone */ 1204 BIO* czone; 1205 /** the current anchor: KeyTag */ 1206 BIO* ctag; 1207 /** the current anchor: Algorithm */ 1208 BIO* calgo; 1209 /** the current anchor: DigestType */ 1210 BIO* cdigtype; 1211 /** the current anchor: Digest*/ 1212 BIO* cdigest; 1213}; 1214 1215/** The BIO for the tag */ 1216static BIO* 1217xml_selectbio(struct xml_data* data, const char* tag) 1218{ 1219 BIO* b = NULL; 1220 if(strcasecmp(tag, "KeyTag") == 0) 1221 b = data->ctag; 1222 else if(strcasecmp(tag, "Algorithm") == 0) 1223 b = data->calgo; 1224 else if(strcasecmp(tag, "DigestType") == 0) 1225 b = data->cdigtype; 1226 else if(strcasecmp(tag, "Digest") == 0) 1227 b = data->cdigest; 1228 return b; 1229} 1230 1231/** 1232 * XML handle character data, the data inside an element. 1233 * @param userData: xml_data structure 1234 * @param s: the character data. May not all be in one callback. 1235 * NOT zero terminated. 1236 * @param len: length of this part of the data. 1237 */ 1238static void 1239xml_charhandle(void *userData, const XML_Char *s, int len) 1240{ 1241 struct xml_data* data = (struct xml_data*)userData; 1242 BIO* b = NULL; 1243 /* skip characters outside of elements */ 1244 if(!data->tag) 1245 return; 1246 if(verb>=4) { 1247 int i; 1248 printf("%s%s charhandle: '", 1249 data->use_key?"use ":"", 1250 data->tag?data->tag:"none"); 1251 for(i=0; i<len; i++) 1252 printf("%c", s[i]); 1253 printf("'\n"); 1254 } 1255 if(strcasecmp(data->tag, "Zone") == 0) { 1256 if(BIO_write(data->czone, s, len) < 0) { 1257 if(verb) printf("out of memory in BIO_write\n"); 1258 exit(0); 1259 } 1260 return; 1261 } 1262 /* only store if key is used */ 1263 if(!data->use_key) 1264 return; 1265 b = xml_selectbio(data, data->tag); 1266 if(b) { 1267 if(BIO_write(b, s, len) < 0) { 1268 if(verb) printf("out of memory in BIO_write\n"); 1269 exit(0); 1270 } 1271 } 1272} 1273 1274/** 1275 * XML fetch value of particular attribute(by name) or NULL if not present. 1276 * @param atts: attribute array (from xml_startelem). 1277 * @param name: name of attribute to look for. 1278 * @return the value or NULL. (ptr into atts). 1279 */ 1280static const XML_Char* 1281find_att(const XML_Char **atts, const XML_Char* name) 1282{ 1283 int i; 1284 for(i=0; atts[i]; i+=2) { 1285 if(strcasecmp(atts[i], name) == 0) 1286 return atts[i+1]; 1287 } 1288 return NULL; 1289} 1290 1291/** 1292 * XML convert DateTime element to time_t. 1293 * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] 1294 * (with optional .ssssss fractional seconds) 1295 * @param str: the string 1296 * @return a time_t representation or 0 on failure. 1297 */ 1298static time_t 1299xml_convertdate(const char* str) 1300{ 1301 time_t t = 0; 1302 struct tm tm; 1303 const char* s; 1304 /* for this application, ignore minus in front; 1305 * only positive dates are expected */ 1306 s = str; 1307 if(s[0] == '-') s++; 1308 memset(&tm, 0, sizeof(tm)); 1309 /* parse initial content of the string (lots of whitespace allowed) */ 1310 s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm); 1311 if(!s) { 1312 if(verb) printf("xml_convertdate parse failure %s\n", str); 1313 return 0; 1314 } 1315 /* parse remainder of date string */ 1316 if(*s == '.') { 1317 /* optional '.' and fractional seconds */ 1318 int frac = 0, n = 0; 1319 if(sscanf(s+1, "%d%n", &frac, &n) < 1) { 1320 if(verb) printf("xml_convertdate f failure %s\n", str); 1321 return 0; 1322 } 1323 /* fraction is not used, time_t has second accuracy */ 1324 s++; 1325 s+=n; 1326 } 1327 if(*s == 'Z' || *s == 'z') { 1328 /* nothing to do for this */ 1329 s++; 1330 } else if(*s == '+' || *s == '-') { 1331 /* optional timezone spec: Z or +hh:mm or -hh:mm */ 1332 int hr = 0, mn = 0, n = 0; 1333 if(sscanf(s+1, "%d:%d%n", &hr, &mn, &n) < 2) { 1334 if(verb) printf("xml_convertdate tz failure %s\n", str); 1335 return 0; 1336 } 1337 if(*s == '+') { 1338 tm.tm_hour += hr; 1339 tm.tm_min += mn; 1340 } else { 1341 tm.tm_hour -= hr; 1342 tm.tm_min -= mn; 1343 } 1344 s++; 1345 s += n; 1346 } 1347 if(*s != 0) { 1348 /* not ended properly */ 1349 /* but ignore, (lenient) */ 1350 } 1351 1352 t = sldns_mktime_from_utc(&tm); 1353 if(t == (time_t)-1) { 1354 if(verb) printf("xml_convertdate mktime failure\n"); 1355 return 0; 1356 } 1357 return t; 1358} 1359 1360/** 1361 * XML handle the KeyDigest start tag, check validity periods. 1362 */ 1363static void 1364handle_keydigest(struct xml_data* data, const XML_Char **atts) 1365{ 1366 data->use_key = 0; 1367 if(find_att(atts, "validFrom")) { 1368 time_t from = xml_convertdate(find_att(atts, "validFrom")); 1369 if(from == 0) { 1370 if(verb) printf("error: xml cannot be parsed\n"); 1371 exit(0); 1372 } 1373 if(data->date < from) 1374 return; 1375 } 1376 if(find_att(atts, "validUntil")) { 1377 time_t until = xml_convertdate(find_att(atts, "validUntil")); 1378 if(until == 0) { 1379 if(verb) printf("error: xml cannot be parsed\n"); 1380 exit(0); 1381 } 1382 if(data->date > until) 1383 return; 1384 } 1385 /* yes we want to use this key */ 1386 data->use_key = 1; 1387 (void)BIO_reset(data->ctag); 1388 (void)BIO_reset(data->calgo); 1389 (void)BIO_reset(data->cdigtype); 1390 (void)BIO_reset(data->cdigest); 1391} 1392 1393/** See if XML element equals the zone name */ 1394static int 1395xml_is_zone_name(BIO* zone, const char* name) 1396{ 1397 char buf[1024]; 1398 char* z = NULL; 1399 long zlen; 1400 (void)BIO_seek(zone, 0); 1401 zlen = BIO_get_mem_data(zone, &z); 1402 if(!zlen || !z) return 0; 1403 /* zero terminate */ 1404 if(zlen >= (long)sizeof(buf)) return 0; 1405 memmove(buf, z, (size_t)zlen); 1406 buf[zlen] = 0; 1407 /* compare */ 1408 return (strncasecmp(buf, name, strlen(name)) == 0); 1409} 1410 1411/** 1412 * XML start of element. This callback is called whenever an XML tag starts. 1413 * XML_Char is UTF8. 1414 * @param userData: the xml_data structure. 1415 * @param name: the tag that starts. 1416 * @param atts: array of strings, pairs of attr = value, ends with NULL. 1417 * i.e. att[0]="att[1]" att[2]="att[3]" att[4]isNull 1418 */ 1419static void 1420xml_startelem(void *userData, const XML_Char *name, const XML_Char **atts) 1421{ 1422 struct xml_data* data = (struct xml_data*)userData; 1423 BIO* b; 1424 if(verb>=4) printf("xml tag start '%s'\n", name); 1425 free(data->tag); 1426 data->tag = strdup(name); 1427 if(!data->tag) { 1428 if(verb) printf("out of memory\n"); 1429 exit(0); 1430 } 1431 if(verb>=4) { 1432 int i; 1433 for(i=0; atts[i]; i+=2) { 1434 printf(" %s='%s'\n", atts[i], atts[i+1]); 1435 } 1436 } 1437 /* handle attributes to particular types */ 1438 if(strcasecmp(name, "KeyDigest") == 0) { 1439 handle_keydigest(data, atts); 1440 return; 1441 } else if(strcasecmp(name, "Zone") == 0) { 1442 (void)BIO_reset(data->czone); 1443 return; 1444 } 1445 1446 /* for other types we prepare to pick up the data */ 1447 if(!data->use_key) 1448 return; 1449 b = xml_selectbio(data, data->tag); 1450 if(b) { 1451 /* empty it */ 1452 (void)BIO_reset(b); 1453 } 1454} 1455 1456/** Append str to bio */ 1457static void 1458xml_append_str(BIO* b, const char* s) 1459{ 1460 if(BIO_write(b, s, (int)strlen(s)) < 0) { 1461 if(verb) printf("out of memory in BIO_write\n"); 1462 exit(0); 1463 } 1464} 1465 1466/** Append bio to bio */ 1467static void 1468xml_append_bio(BIO* b, BIO* a) 1469{ 1470 char* z = NULL; 1471 long i, len; 1472 (void)BIO_seek(a, 0); 1473 len = BIO_get_mem_data(a, &z); 1474 if(!len || !z) { 1475 if(verb) printf("out of memory in BIO_write\n"); 1476 exit(0); 1477 } 1478 /* remove newlines in the data here */ 1479 for(i=0; i<len; i++) { 1480 if(z[i] == '\r' || z[i] == '\n') 1481 z[i] = ' '; 1482 } 1483 /* write to BIO */ 1484 if(BIO_write(b, z, len) < 0) { 1485 if(verb) printf("out of memory in BIO_write\n"); 1486 exit(0); 1487 } 1488} 1489 1490/** write the parsed xml-DS to the DS list */ 1491static void 1492xml_append_ds(struct xml_data* data) 1493{ 1494 /* write DS to accumulated DS */ 1495 xml_append_str(data->ds, ". IN DS "); 1496 xml_append_bio(data->ds, data->ctag); 1497 xml_append_str(data->ds, " "); 1498 xml_append_bio(data->ds, data->calgo); 1499 xml_append_str(data->ds, " "); 1500 xml_append_bio(data->ds, data->cdigtype); 1501 xml_append_str(data->ds, " "); 1502 xml_append_bio(data->ds, data->cdigest); 1503 xml_append_str(data->ds, "\n"); 1504 data->num_keys++; 1505} 1506 1507/** 1508 * XML end of element. This callback is called whenever an XML tag ends. 1509 * XML_Char is UTF8. 1510 * @param userData: the xml_data structure 1511 * @param name: the tag that ends. 1512 */ 1513static void 1514xml_endelem(void *userData, const XML_Char *name) 1515{ 1516 struct xml_data* data = (struct xml_data*)userData; 1517 if(verb>=4) printf("xml tag end '%s'\n", name); 1518 free(data->tag); 1519 data->tag = NULL; 1520 if(strcasecmp(name, "KeyDigest") == 0) { 1521 if(data->use_key) 1522 xml_append_ds(data); 1523 data->use_key = 0; 1524 } else if(strcasecmp(name, "Zone") == 0) { 1525 if(!xml_is_zone_name(data->czone, ".")) { 1526 if(verb) printf("xml not for the right zone\n"); 1527 exit(0); 1528 } 1529 } 1530} 1531 1532/* Stop the parser when an entity declaration is encountered. For safety. */ 1533static void 1534xml_entitydeclhandler(void *userData, 1535 const XML_Char *ATTR_UNUSED(entityName), 1536 int ATTR_UNUSED(is_parameter_entity), 1537 const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length), 1538 const XML_Char *ATTR_UNUSED(base), 1539 const XML_Char *ATTR_UNUSED(systemId), 1540 const XML_Char *ATTR_UNUSED(publicId), 1541 const XML_Char *ATTR_UNUSED(notationName)) 1542{ 1543#if HAVE_DECL_XML_STOPPARSER 1544 (void)XML_StopParser((XML_Parser)userData, XML_FALSE); 1545#else 1546 (void)userData; 1547#endif 1548} 1549 1550/** 1551 * XML parser setup of the callbacks for the tags 1552 */ 1553static void 1554xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now) 1555{ 1556 char buf[1024]; 1557 memset(data, 0, sizeof(*data)); 1558 XML_SetUserData(parser, data); 1559 data->parser = parser; 1560 data->date = now; 1561 data->ds = BIO_new(BIO_s_mem()); 1562 data->ctag = BIO_new(BIO_s_mem()); 1563 data->czone = BIO_new(BIO_s_mem()); 1564 data->calgo = BIO_new(BIO_s_mem()); 1565 data->cdigtype = BIO_new(BIO_s_mem()); 1566 data->cdigest = BIO_new(BIO_s_mem()); 1567 if(!data->ds || !data->ctag || !data->calgo || !data->czone || 1568 !data->cdigtype || !data->cdigest) { 1569 if(verb) printf("out of memory\n"); 1570 exit(0); 1571 } 1572 snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s", 1573 ctime(&now)); 1574 if(BIO_write(data->ds, buf, (int)strlen(buf)) < 0) { 1575 if(verb) printf("out of memory\n"); 1576 exit(0); 1577 } 1578 XML_SetEntityDeclHandler(parser, xml_entitydeclhandler); 1579 XML_SetElementHandler(parser, xml_startelem, xml_endelem); 1580 XML_SetCharacterDataHandler(parser, xml_charhandle); 1581} 1582 1583/** 1584 * Perform XML parsing of the root-anchors file 1585 * Its format description can be found in RFC 7958. 1586 * It uses libexpat. 1587 * @param xml: BIO with xml data. 1588 * @param now: the current time for checking DS validity periods. 1589 * @return memoryBIO with the DS data in zone format. 1590 * or NULL if the zone is insecure. 1591 * (It exit()s on error) 1592 */ 1593static BIO* 1594xml_parse(BIO* xml, time_t now) 1595{ 1596 char* pp; 1597 int len; 1598 XML_Parser parser; 1599 struct xml_data data; 1600 1601 parser = XML_ParserCreate(NULL); 1602 if(!parser) { 1603 if(verb) printf("could not XML_ParserCreate\n"); 1604 exit(0); 1605 } 1606 1607 /* setup callbacks */ 1608 xml_parse_setup(parser, &data, now); 1609 1610 /* parse it */ 1611 (void)BIO_seek(xml, 0); 1612 len = (int)BIO_get_mem_data(xml, &pp); 1613 if(!len || !pp) { 1614 if(verb) printf("out of memory\n"); 1615 exit(0); 1616 } 1617 if(!XML_Parse(parser, pp, len, 1 /*isfinal*/ )) { 1618 const char *e = XML_ErrorString(XML_GetErrorCode(parser)); 1619 if(verb) printf("XML_Parse failure %s\n", e?e:""); 1620 exit(0); 1621 } 1622 1623 /* parsed */ 1624 if(verb) printf("XML was parsed successfully, %d keys\n", 1625 data.num_keys); 1626 free(data.tag); 1627 XML_ParserFree(parser); 1628 1629 if(verb >= 4) { 1630 (void)BIO_seek(data.ds, 0); 1631 len = BIO_get_mem_data(data.ds, &pp); 1632 printf("got DS bio %d: '", len); 1633 if(!fwrite(pp, (size_t)len, 1, stdout)) 1634 /* compilers do not allow us to ignore fwrite .. */ 1635 fprintf(stderr, "error writing to stdout\n"); 1636 printf("'\n"); 1637 } 1638 BIO_free(data.czone); 1639 BIO_free(data.ctag); 1640 BIO_free(data.calgo); 1641 BIO_free(data.cdigtype); 1642 BIO_free(data.cdigest); 1643 1644 if(data.num_keys == 0) { 1645 /* the root zone seems to have gone insecure */ 1646 BIO_free(data.ds); 1647 return NULL; 1648 } else { 1649 return data.ds; 1650 } 1651} 1652 1653/* get key usage out of its extension, returns 0 if no key_usage extension */ 1654static unsigned long 1655get_usage_of_ex(X509* cert) 1656{ 1657 unsigned long val = 0; 1658 ASN1_BIT_STRING* s; 1659 if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) { 1660 if(s->length > 0) { 1661 val = s->data[0]; 1662 if(s->length > 1) 1663 val |= s->data[1] << 8; 1664 } 1665 ASN1_BIT_STRING_free(s); 1666 } 1667 return val; 1668} 1669 1670/** get valid signers from the list of signers in the signature */ 1671static STACK_OF(X509)* 1672get_valid_signers(PKCS7* p7, const char* p7signer) 1673{ 1674 int i; 1675 STACK_OF(X509)* validsigners = sk_X509_new_null(); 1676 STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0); 1677 unsigned long usage = 0; 1678 if(!validsigners) { 1679 if(verb) printf("out of memory\n"); 1680 sk_X509_free(signers); 1681 return NULL; 1682 } 1683 if(!signers) { 1684 if(verb) printf("no signers in pkcs7 signature\n"); 1685 sk_X509_free(validsigners); 1686 return NULL; 1687 } 1688 for(i=0; i<sk_X509_num(signers); i++) { 1689 X509_NAME* nm = X509_get_subject_name( 1690 sk_X509_value(signers, i)); 1691 char buf[1024]; 1692 if(!nm) { 1693 if(verb) printf("signer %d: cert has no subject name\n", i); 1694 continue; 1695 } 1696 if(verb && nm) { 1697 char* nmline = X509_NAME_oneline(nm, buf, 1698 (int)sizeof(buf)); 1699 printf("signer %d: Subject: %s\n", i, 1700 nmline?nmline:"no subject"); 1701 if(verb >= 3 && X509_NAME_get_text_by_NID(nm, 1702 NID_commonName, buf, (int)sizeof(buf))) 1703 printf("commonName: %s\n", buf); 1704 if(verb >= 3 && X509_NAME_get_text_by_NID(nm, 1705 NID_pkcs9_emailAddress, buf, (int)sizeof(buf))) 1706 printf("emailAddress: %s\n", buf); 1707 } 1708 if(verb) { 1709 int ku_loc = X509_get_ext_by_NID( 1710 sk_X509_value(signers, i), NID_key_usage, -1); 1711 if(verb >= 3 && ku_loc >= 0) { 1712 X509_EXTENSION *ex = X509_get_ext( 1713 sk_X509_value(signers, i), ku_loc); 1714 if(ex) { 1715 printf("keyUsage: "); 1716 X509V3_EXT_print_fp(stdout, ex, 0, 0); 1717 printf("\n"); 1718 } 1719 } 1720 } 1721 if(!p7signer || strcmp(p7signer, "")==0) { 1722 /* there is no name to check, return all records */ 1723 if(verb) printf("did not check commonName of signer\n"); 1724 } else { 1725 if(!X509_NAME_get_text_by_NID(nm, 1726 NID_pkcs9_emailAddress, 1727 buf, (int)sizeof(buf))) { 1728 if(verb) printf("removed cert with no name\n"); 1729 continue; /* no name, no use */ 1730 } 1731 if(strcmp(buf, p7signer) != 0) { 1732 if(verb) printf("removed cert with wrong name\n"); 1733 continue; /* wrong name, skip it */ 1734 } 1735 } 1736 1737 /* check that the key usage allows digital signatures 1738 * (the p7s) */ 1739 usage = get_usage_of_ex(sk_X509_value(signers, i)); 1740 if(!(usage & KU_DIGITAL_SIGNATURE)) { 1741 if(verb) printf("removed cert with no key usage Digital Signature allowed\n"); 1742 continue; 1743 } 1744 1745 /* we like this cert, add it to our list of valid 1746 * signers certificates */ 1747 sk_X509_push(validsigners, sk_X509_value(signers, i)); 1748 } 1749 sk_X509_free(signers); 1750 return validsigners; 1751} 1752 1753/** verify a PKCS7 signature, false on failure */ 1754static int 1755verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer) 1756{ 1757 PKCS7* p7; 1758 X509_STORE *store = X509_STORE_new(); 1759 STACK_OF(X509)* validsigners; 1760 int secure = 0; 1761 int i; 1762#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1763 X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new(); 1764 if(!param) { 1765 if(verb) printf("out of memory\n"); 1766 X509_STORE_free(store); 1767 return 0; 1768 } 1769 /* do the selfcheck on the root certificate; it checks that the 1770 * input is valid */ 1771 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE); 1772 if(store) X509_STORE_set1_param(store, param); 1773#endif 1774 if(!store) { 1775 if(verb) printf("out of memory\n"); 1776#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1777 X509_VERIFY_PARAM_free(param); 1778#endif 1779 return 0; 1780 } 1781#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1782 X509_VERIFY_PARAM_free(param); 1783#endif 1784 1785 (void)BIO_seek(p7s, 0); 1786 (void)BIO_seek(data, 0); 1787 1788 /* convert p7s to p7 (the signature) */ 1789 p7 = d2i_PKCS7_bio(p7s, NULL); 1790 if(!p7) { 1791 if(verb) printf("could not parse p7s signature file\n"); 1792 X509_STORE_free(store); 1793 return 0; 1794 } 1795 if(verb >= 2) printf("parsed the PKCS7 signature\n"); 1796 1797 /* convert trust to trusted certificate store */ 1798 for(i=0; i<sk_X509_num(trust); i++) { 1799 if(!X509_STORE_add_cert(store, sk_X509_value(trust, i))) { 1800 if(verb) printf("failed X509_STORE_add_cert\n"); 1801 X509_STORE_free(store); 1802 PKCS7_free(p7); 1803 return 0; 1804 } 1805 } 1806 if(verb >= 2) printf("setup the X509_STORE\n"); 1807 1808 /* check what is in the Subject name of the certificates, 1809 * and build a stack that contains only the right certificates */ 1810 validsigners = get_valid_signers(p7, p7signer); 1811 if(!validsigners) { 1812 X509_STORE_free(store); 1813 PKCS7_free(p7); 1814 return 0; 1815 } 1816 if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) { 1817 secure = 1; 1818 if(verb) printf("the PKCS7 signature verified\n"); 1819 } else { 1820 if(verb) { 1821 ERR_print_errors_fp(stdout); 1822 } 1823 } 1824 1825 sk_X509_free(validsigners); 1826 X509_STORE_free(store); 1827 PKCS7_free(p7); 1828 return secure; 1829} 1830 1831/** open a temp file */ 1832static FILE* 1833tempfile_open(char* tempf, size_t tempflen, const char* fname, const char* mode) 1834{ 1835 snprintf(tempf, tempflen, "%s~", fname); 1836 return fopen(tempf, mode); 1837} 1838 1839/** close an open temp file and replace the original with it */ 1840static void 1841tempfile_close(FILE* fd, const char* tempf, const char* fname) 1842{ 1843 fflush(fd); 1844#ifdef HAVE_FSYNC 1845 fsync(fileno(fd)); 1846#else 1847 FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(fd))); 1848#endif 1849 if(fclose(fd) != 0) { 1850 printf("could not complete write: %s: %s\n", 1851 tempf, strerror(errno)); 1852 unlink(tempf); 1853 return; 1854 } 1855 /* success; overwrite actual file */ 1856#ifdef USE_WINSOCK 1857 (void)unlink(fname); /* windows does not replace file with rename() */ 1858#endif 1859 if(rename(tempf, fname) < 0) { 1860 printf("rename(%s to %s): %s", tempf, fname, strerror(errno)); 1861 } 1862} 1863 1864/** write unsigned root anchor file, a 5011 revoked tp */ 1865static void 1866write_unsigned_root(const char* root_anchor_file) 1867{ 1868 FILE* out; 1869 time_t now = time(NULL); 1870 char tempf[2048]; 1871 out = tempfile_open(tempf, sizeof(tempf), root_anchor_file, "w"); 1872 if(!out) { 1873 if(verb) printf("%s: %s\n", tempf, strerror(errno)); 1874 return; 1875 } 1876 if(fprintf(out, "; autotrust trust anchor file\n" 1877 ";;REVOKED\n" 1878 ";;id: . 1\n" 1879 "; This file was written by unbound-anchor on %s" 1880 "; It indicates that the root does not use DNSSEC\n" 1881 "; to restart DNSSEC overwrite this file with a\n" 1882 "; valid trustanchor or (empty-it and run unbound-anchor)\n" 1883 , ctime(&now)) < 0) { 1884 if(verb) printf("failed to write 'unsigned' to %s\n", 1885 root_anchor_file); 1886 if(verb && errno != 0) printf("%s\n", strerror(errno)); 1887 } 1888 tempfile_close(out, tempf, root_anchor_file); 1889} 1890 1891/** write root anchor file */ 1892static void 1893write_root_anchor(const char* root_anchor_file, BIO* ds) 1894{ 1895 char* pp = NULL; 1896 int len; 1897 FILE* out; 1898 char tempf[2048]; 1899 (void)BIO_seek(ds, 0); 1900 len = BIO_get_mem_data(ds, &pp); 1901 if(!len || !pp) { 1902 if(verb) printf("out of memory\n"); 1903 return; 1904 } 1905 out = tempfile_open(tempf, sizeof(tempf), root_anchor_file, "w"); 1906 if(!out) { 1907 if(verb) printf("%s: %s\n", tempf, strerror(errno)); 1908 return; 1909 } 1910 if(fwrite(pp, (size_t)len, 1, out) != 1) { 1911 if(verb) printf("failed to write all data to %s\n", 1912 tempf); 1913 if(verb && errno != 0) printf("%s\n", strerror(errno)); 1914 } 1915 tempfile_close(out, tempf, root_anchor_file); 1916} 1917 1918/** Perform the verification and update of the trustanchor file */ 1919static void 1920verify_and_update_anchor(const char* root_anchor_file, BIO* xml, BIO* p7s, 1921 STACK_OF(X509)* cert, const char* p7signer) 1922{ 1923 BIO* ds; 1924 1925 /* verify xml file */ 1926 if(!verify_p7sig(xml, p7s, cert, p7signer)) { 1927 printf("the PKCS7 signature failed\n"); 1928 exit(0); 1929 } 1930 1931 /* parse the xml file into DS records */ 1932 ds = xml_parse(xml, time(NULL)); 1933 if(!ds) { 1934 /* the root zone is unsigned now */ 1935 write_unsigned_root(root_anchor_file); 1936 } else { 1937 /* reinstate 5011 tracking */ 1938 write_root_anchor(root_anchor_file, ds); 1939 } 1940 BIO_free(ds); 1941} 1942 1943#ifdef USE_WINSOCK 1944static void do_wsa_cleanup(void) { WSACleanup(); } 1945#endif 1946 1947/** perform actual certupdate work */ 1948static int 1949do_certupdate(const char* root_anchor_file, const char* root_cert_file, 1950 const char* urlname, const char* xmlname, const char* p7sname, 1951 const char* p7signer, const char* res_conf, const char* root_hints, 1952 const char* debugconf, const char* srcaddr, int ip4only, int ip6only, 1953 int port, int use_sni) 1954 1955{ 1956 STACK_OF(X509)* cert; 1957 BIO *xml, *p7s; 1958 struct ip_list* ip_list = NULL; 1959 struct ip_list* src = NULL; 1960 1961 /* read pem file or provide builtin */ 1962 cert = read_cert_or_builtin(root_cert_file); 1963 1964 /* lookup A, AAAA for the urlname (or parse urlname if IP address) */ 1965 ip_list = resolve_name(urlname, port, res_conf, root_hints, debugconf, 1966 srcaddr, ip4only, ip6only); 1967 1968 if(srcaddr && !(src = parse_ip_addr(srcaddr, 0))) { 1969 if(verb) printf("cannot parse source address: %s\n", srcaddr); 1970 exit(0); 1971 } 1972 1973#ifdef USE_WINSOCK 1974 if(1) { /* libunbound finished, startup WSA for the https connection */ 1975 WSADATA wsa_data; 1976 int r; 1977 if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) { 1978 if(verb) printf("WSAStartup failed: %s\n", 1979 wsa_strerror(r)); 1980 exit(0); 1981 } 1982 atexit(&do_wsa_cleanup); 1983 } 1984#endif 1985 1986 /* fetch the necessary files over HTTPS */ 1987 xml = https(ip_list, xmlname, urlname, src, use_sni); 1988 p7s = https(ip_list, p7sname, urlname, src, use_sni); 1989 1990 /* verify and update the root anchor */ 1991 verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer); 1992 if(verb) printf("success: the anchor has been updated " 1993 "using the cert\n"); 1994 1995 BIO_free(xml); 1996 BIO_free(p7s); 1997#ifndef S_SPLINT_S 1998 sk_X509_pop_free(cert, X509_free); 1999#endif 2000 ip_list_free(ip_list); 2001 return 1; 2002} 2003 2004/** 2005 * Try to read the root RFC5011 autotrust anchor file, 2006 * @param file: filename. 2007 * @return: 2008 * 0 if does not exist or empty 2009 * 1 if trust-point-revoked-5011 2010 * 2 if it is OK. 2011 */ 2012static int 2013try_read_anchor(const char* file) 2014{ 2015 int empty = 1; 2016 char line[10240]; 2017 char* p; 2018 FILE* in = fopen(file, "r"); 2019 if(!in) { 2020 /* only if the file does not exist, can we fix it */ 2021 if(errno != ENOENT) { 2022 if(verb) printf("%s: %s\n", file, strerror(errno)); 2023 if(verb) printf("error: cannot access the file\n"); 2024 exit(0); 2025 } 2026 if(verb) printf("%s does not exist\n", file); 2027 return 0; 2028 } 2029 while(fgets(line, (int)sizeof(line), in)) { 2030 line[sizeof(line)-1] = 0; 2031 if(strncmp(line, ";;REVOKED", 9) == 0) { 2032 fclose(in); 2033 if(verb) printf("%s : the trust point is revoked\n" 2034 "and the zone is considered unsigned.\n" 2035 "if you wish to re-enable, delete the file\n", 2036 file); 2037 return 1; 2038 } 2039 p=line; 2040 while(*p == ' ' || *p == '\t') 2041 p++; 2042 if(p[0]==0 || p[0]=='\n' || p[0]==';') continue; 2043 /* this line is a line of content */ 2044 empty = 0; 2045 } 2046 fclose(in); 2047 if(empty) { 2048 if(verb) printf("%s is empty\n", file); 2049 return 0; 2050 } 2051 if(verb) printf("%s has content\n", file); 2052 return 2; 2053} 2054 2055/** Write the builtin root anchor to a file */ 2056static void 2057write_builtin_anchor(const char* file) 2058{ 2059 char tempf[2048]; 2060 const char* builtin_root_anchor = get_builtin_ds(); 2061 FILE* out = tempfile_open(tempf, sizeof(tempf), file, "w"); 2062 if(!out) { 2063 printf("could not write builtin anchor, to file %s: %s\n", 2064 tempf, strerror(errno)); 2065 return; 2066 } 2067 if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) { 2068 printf("could not complete write builtin anchor, to file %s: %s\n", 2069 tempf, strerror(errno)); 2070 } 2071 tempfile_close(out, tempf, file); 2072} 2073 2074/** 2075 * Check the root anchor file. 2076 * If does not exist, provide builtin and write file. 2077 * If empty, provide builtin and write file. 2078 * If trust-point-revoked-5011 file: make the program exit. 2079 * @param root_anchor_file: filename of the root anchor. 2080 * @param used_builtin: set to 1 if the builtin is written. 2081 * @return 0 if trustpoint is insecure, 1 on success. Exit on failure. 2082 */ 2083static int 2084provide_builtin(const char* root_anchor_file, int* used_builtin) 2085{ 2086 /* try to read it */ 2087 switch(try_read_anchor(root_anchor_file)) 2088 { 2089 case 0: /* no exist or empty */ 2090 write_builtin_anchor(root_anchor_file); 2091 *used_builtin = 1; 2092 break; 2093 case 1: /* revoked tp */ 2094 return 0; 2095 case 2: /* it is fine */ 2096 default: 2097 break; 2098 } 2099 return 1; 2100} 2101 2102/** 2103 * add an autotrust anchor for the root to the context 2104 */ 2105static void 2106add_5011_probe_root(struct ub_ctx* ctx, const char* root_anchor_file) 2107{ 2108 int r; 2109 r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file); 2110 if(r) { 2111 if(verb) printf("add 5011 probe to ctx: %s\n", ub_strerror(r)); 2112 ub_ctx_delete(ctx); 2113 exit(0); 2114 } 2115} 2116 2117/** 2118 * Prime the root key and return the result. Exit on error. 2119 * @param ctx: the unbound context to perform the priming with. 2120 * @return: the result of the prime, on error it exit()s. 2121 */ 2122static struct ub_result* 2123prime_root_key(struct ub_ctx* ctx) 2124{ 2125 struct ub_result* res = NULL; 2126 int r; 2127 r = ub_resolve(ctx, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, &res); 2128 if(r) { 2129 if(verb) printf("resolve DNSKEY: %s\n", ub_strerror(r)); 2130 ub_ctx_delete(ctx); 2131 exit(0); 2132 } 2133 if(!res) { 2134 if(verb) printf("out of memory\n"); 2135 ub_ctx_delete(ctx); 2136 exit(0); 2137 } 2138 return res; 2139} 2140 2141/** see if ADDPEND keys exist in autotrust file (if possible) */ 2142static int 2143read_if_pending_keys(const char* file) 2144{ 2145 FILE* in = fopen(file, "r"); 2146 char line[8192]; 2147 if(!in) { 2148 if(verb>=2) printf("%s: %s\n", file, strerror(errno)); 2149 return 0; 2150 } 2151 while(fgets(line, (int)sizeof(line), in)) { 2152 if(line[0]==';') continue; 2153 if(strstr(line, "[ ADDPEND ]")) { 2154 fclose(in); 2155 if(verb) printf("RFC5011-state has ADDPEND keys\n"); 2156 return 1; 2157 } 2158 } 2159 fclose(in); 2160 return 0; 2161} 2162 2163/** read last successful probe time from autotrust file (if possible) */ 2164static int32_t 2165read_last_success_time(const char* file) 2166{ 2167 FILE* in = fopen(file, "r"); 2168 char line[1024]; 2169 if(!in) { 2170 if(verb) printf("%s: %s\n", file, strerror(errno)); 2171 return 0; 2172 } 2173 while(fgets(line, (int)sizeof(line), in)) { 2174 if(strncmp(line, ";;last_success: ", 16) == 0) { 2175 char* e; 2176 time_t x = (unsigned int)strtol(line+16, &e, 10); 2177 fclose(in); 2178 if(line+16 == e) { 2179 if(verb) printf("failed to parse " 2180 "last_success probe time\n"); 2181 return 0; 2182 } 2183 if(verb) printf("last successful probe: %s", ctime(&x)); 2184 return (int32_t)x; 2185 } 2186 } 2187 fclose(in); 2188 if(verb) printf("no last_success probe time in anchor file\n"); 2189 return 0; 2190} 2191 2192/** 2193 * Read autotrust 5011 probe file and see if the date 2194 * compared to the current date allows a certupdate. 2195 * If the last successful probe was recent then 5011 cannot be behind, 2196 * and the failure cannot be solved with a certupdate. 2197 * The debugconf is to validation-override the date for testing. 2198 * @param root_anchor_file: filename of root key 2199 * @return true if certupdate is ok. 2200 */ 2201static int 2202probe_date_allows_certupdate(const char* root_anchor_file) 2203{ 2204 int has_pending_keys = read_if_pending_keys(root_anchor_file); 2205 int32_t last_success = read_last_success_time(root_anchor_file); 2206 int32_t now = (int32_t)time(NULL); 2207 int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */ 2208 /* if the date is before 2010-07-15:00.00.00 then the root has not 2209 * been signed yet, and thus we refuse to take action. */ 2210 if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) { 2211 if(verb) printf("the date is before the root was first signed," 2212 " please correct the clock\n"); 2213 return 0; 2214 } 2215 if(last_success == 0) 2216 return 1; /* no probe time */ 2217 if(has_pending_keys) 2218 return 1; /* key in ADDPEND state, a previous probe has 2219 inserted that, and it was present in all recent probes, 2220 but it has not become active. The 30 day timer may not have 2221 expired, but we know(for sure) there is a rollover going on. 2222 If we only managed to pickup the new key on its last day 2223 of announcement (for example) this can happen. */ 2224 if(now - last_success < 0) { 2225 if(verb) printf("the last successful probe is in the future," 2226 " clock was modified\n"); 2227 return 0; 2228 } 2229 if(now - last_success >= leeway) { 2230 if(verb) printf("the last successful probe was more than 30 " 2231 "days ago\n"); 2232 return 1; 2233 } 2234 if(verb) printf("the last successful probe is recent\n"); 2235 return 0; 2236} 2237 2238static struct ub_result * 2239fetch_root_key(const char* root_anchor_file, const char* res_conf, 2240 const char* root_hints, const char* debugconf, const char* srcaddr, 2241 int ip4only, int ip6only) 2242{ 2243 struct ub_ctx* ctx; 2244 struct ub_result* dnskey; 2245 2246 ctx = create_unbound_context(res_conf, root_hints, debugconf, 2247 srcaddr, ip4only, ip6only); 2248 add_5011_probe_root(ctx, root_anchor_file); 2249 dnskey = prime_root_key(ctx); 2250 ub_ctx_delete(ctx); 2251 return dnskey; 2252} 2253 2254/** perform the unbound-anchor work */ 2255static int 2256do_root_update_work(const char* root_anchor_file, const char* root_cert_file, 2257 const char* urlname, const char* xmlname, const char* p7sname, 2258 const char* p7signer, const char* res_conf, const char* root_hints, 2259 const char* debugconf, const char* srcaddr, int ip4only, int ip6only, 2260 int force, int res_conf_fallback, int port, int use_sni) 2261{ 2262 struct ub_result* dnskey; 2263 int used_builtin = 0; 2264 int rcode; 2265 2266 /* see if builtin rootanchor needs to be provided, or if 2267 * rootanchor is 'revoked-trust-point' */ 2268 if(!provide_builtin(root_anchor_file, &used_builtin)) 2269 return 0; 2270 2271 /* make unbound context with 5011-probe for root anchor, 2272 * and probe . DNSKEY */ 2273 dnskey = fetch_root_key(root_anchor_file, res_conf, 2274 root_hints, debugconf, srcaddr, ip4only, ip6only); 2275 rcode = dnskey->rcode; 2276 2277 if (res_conf_fallback && res_conf && !dnskey->secure) { 2278 if (verb) printf("%s failed, retrying direct\n", res_conf); 2279 ub_resolve_free(dnskey); 2280 /* try direct query without res_conf */ 2281 dnskey = fetch_root_key(root_anchor_file, NULL, 2282 root_hints, debugconf, srcaddr, ip4only, ip6only); 2283 if (rcode != 0 && dnskey->rcode == 0) { 2284 res_conf = NULL; 2285 rcode = 0; 2286 } 2287 } 2288 2289 /* if secure: exit */ 2290 if(dnskey->secure && !force) { 2291 if(verb) printf("success: the anchor is ok\n"); 2292 ub_resolve_free(dnskey); 2293 return used_builtin; 2294 } 2295 if(force && verb) printf("debug cert update forced\n"); 2296 ub_resolve_free(dnskey); 2297 2298 /* if not (and NOERROR): check date and do certupdate */ 2299 if((rcode == 0 && 2300 probe_date_allows_certupdate(root_anchor_file)) || force) { 2301 if(do_certupdate(root_anchor_file, root_cert_file, urlname, 2302 xmlname, p7sname, p7signer, res_conf, root_hints, 2303 debugconf, srcaddr, ip4only, ip6only, port, use_sni)) 2304 return 1; 2305 return used_builtin; 2306 } 2307 if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n"); 2308 return used_builtin; 2309} 2310 2311/** getopt global, in case header files fail to declare it. */ 2312extern int optind; 2313/** getopt global, in case header files fail to declare it. */ 2314extern char* optarg; 2315 2316/** Main routine for unbound-anchor */ 2317int main(int argc, char* argv[]) 2318{ 2319 int c; 2320 const char* root_anchor_file = ROOT_ANCHOR_FILE; 2321 const char* root_cert_file = ROOT_CERT_FILE; 2322 const char* urlname = URLNAME; 2323 const char* xmlname = XMLNAME; 2324 const char* p7sname = P7SNAME; 2325 const char* p7signer = P7SIGNER; 2326 const char* res_conf = NULL; 2327 const char* root_hints = NULL; 2328 const char* debugconf = NULL; 2329 const char* srcaddr = NULL; 2330 int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT; 2331 int res_conf_fallback = 0; 2332 int use_sni = 1; 2333 /* parse the options */ 2334 while( (c=getopt(argc, argv, "46C:FRSP:a:b:c:f:hln:r:s:u:vx:")) != -1) { 2335 switch(c) { 2336 case 'l': 2337 dolist = 1; 2338 break; 2339 case '4': 2340 ip4only = 1; 2341 break; 2342 case '6': 2343 ip6only = 1; 2344 break; 2345 case 'a': 2346 root_anchor_file = optarg; 2347 break; 2348 case 'b': 2349 srcaddr = optarg; 2350 break; 2351 case 'c': 2352 root_cert_file = optarg; 2353 break; 2354 case 'u': 2355 urlname = optarg; 2356 break; 2357 case 'S': 2358 use_sni = 0; 2359 break; 2360 case 'x': 2361 xmlname = optarg; 2362 break; 2363 case 's': 2364 p7sname = optarg; 2365 break; 2366 case 'n': 2367 p7signer = optarg; 2368 break; 2369 case 'f': 2370 res_conf = optarg; 2371 break; 2372 case 'r': 2373 root_hints = optarg; 2374 break; 2375 case 'R': 2376 res_conf_fallback = 1; 2377 break; 2378 case 'C': 2379 debugconf = optarg; 2380 break; 2381 case 'F': 2382 force = 1; 2383 break; 2384 case 'P': 2385 port = atoi(optarg); 2386 break; 2387 case 'v': 2388 verb++; 2389 break; 2390 case '?': 2391 case 'h': 2392 default: 2393 usage(); 2394 } 2395 } 2396 argc -= optind; 2397 /* argv += optind; not using further arguments */ 2398 if(argc != 0) 2399 usage(); 2400 2401#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS 2402 ERR_load_crypto_strings(); 2403#endif 2404#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) 2405 ERR_load_SSL_strings(); 2406#endif 2407#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) 2408# ifndef S_SPLINT_S 2409 OpenSSL_add_all_algorithms(); 2410# endif 2411#else 2412 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS 2413 | OPENSSL_INIT_ADD_ALL_DIGESTS 2414 | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); 2415#endif 2416#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) 2417 (void)SSL_library_init(); 2418#else 2419 (void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); 2420#endif 2421 2422 if(dolist) do_list_builtin(); 2423 2424 return do_root_update_work(root_anchor_file, root_cert_file, urlname, 2425 xmlname, p7sname, p7signer, res_conf, root_hints, debugconf, 2426 srcaddr, ip4only, ip6only, force, res_conf_fallback, port, use_sni); 2427} 2428