1 /* 2 * unbound-anchor.c - update the root anchor if necessary. 3 * 4 * Copyright (c) 2010, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file checks to see that the current 5011 keys work to prime the 40 * current root anchor. If not a certificate is used to update the anchor, 41 * with RFC7958 https xml fetch. 42 * 43 * This is a concept solution for distribution of the DNSSEC root 44 * trust anchor. It is a small tool, called "unbound-anchor", that 45 * runs before the main validator starts. I.e. in the init script: 46 * unbound-anchor; unbound. Thus it is meant to run at system boot time. 47 * 48 * Management-Abstract: 49 * * first run: fill root.key file with hardcoded DS record. 50 * * mostly: use RFC5011 tracking, quick . DNSKEY UDP query. 51 * * failover: use RFC7958 builtin certificate, do https and update. 52 * Special considerations: 53 * * 30-days RFC5011 timer saves a lot of https traffic. 54 * * DNSKEY probe must be NOERROR, saves a lot of https traffic. 55 * * fail if clock before sign date of the root, if cert expired. 56 * * if the root goes back to unsigned, deals with it. 57 * 58 * It has hardcoded the root DS anchors and the ICANN CA root certificate. 59 * It allows with options to override those. It also takes root-hints (it 60 * has to do a DNS resolve), and also has hardcoded defaults for those. 61 * 62 * Once it starts, just before the validator starts, it quickly checks if 63 * the root anchor file needs to be updated. First it tries to use 64 * RFC5011-tracking of the root key. If that fails (and for 30-days since 65 * last successful probe), then it attempts to update using the 66 * certificate. So most of the time, the RFC5011 tracking will work fine, 67 * and within a couple milliseconds, the main daemon can start. It will 68 * have only probed the . DNSKEY, not done expensive https transfers on the 69 * root infrastructure. 70 * 71 * If there is no root key in the root.key file, it bootstraps the 72 * RFC5011-tracking with its builtin DS anchors; if that fails it 73 * bootstraps the RFC5011-tracking using the certificate. (again to avoid 74 * https, and it is also faster). 75 * 76 * It uses the XML file by converting it to DS records and writing that to the 77 * key file. Unbound can detect that the 'special comments' are gone, and 78 * the file contains a list of normal DNSKEY/DS records, and uses that to 79 * bootstrap 5011 (the KSK is made VALID). 80 * 81 * The certificate RFC7958 update is done by fetching root-anchors.xml and 82 * root-anchors.p7s via SSL. The HTTPS certificate can be logged but is 83 * not validated (https for channel security; the security comes from the 84 * certificate). The 'data.iana.org' domain name A and AAAA are resolved 85 * without DNSSEC. It tries a random IP until the transfer succeeds. It 86 * then checks the p7s signature. 87 * 88 * On any failure, it leaves the root key file untouched. The main 89 * validator has to cope with it, it cannot fix things (So a failure does 90 * not go 'without DNSSEC', no downgrade). If it used its builtin stuff or 91 * did the https, it exits with an exit code, so that this can trigger the 92 * init script to log the event and potentially alert the operator that can 93 * do a manual check. 94 * 95 * The date is also checked. Before 2010-07-15 is a failure (root not 96 * signed yet; avoids attacks on system clock). The 97 * last-successful-RFC5011-probe (if available) has to be more than 30 days 98 * in the past (otherwise, RFC5011 should have worked). This keeps 99 * unnecessary https traffic down. If the main certificate is expired, it 100 * fails. 101 * 102 * The dates on the keys in the xml are checked (uses the libexpat xml 103 * parser), only the valid ones are used to re-enstate RFC5011 tracking. 104 * If 0 keys are valid, the zone has gone to insecure (a special marker is 105 * written in the keyfile that tells the main validator daemon the zone is 106 * insecure). 107 * 108 * Only the root ICANN CA is shipped, not the intermediate ones. The 109 * intermediate CAs are included in the p7s file that was downloaded. (the 110 * root cert is valid to 2028 and the intermediate to 2014, today). 111 * 112 * Obviously, the tool also has options so the operator can provide a new 113 * keyfile, a new certificate and new URLs, and fresh root hints. By 114 * default it logs nothing on failure and success; it 'just works'. 115 * 116 */ 117 118 #include "config.h" 119 #include "libunbound/unbound.h" 120 #include "sldns/rrdef.h" 121 #include "sldns/parseutil.h" 122 #include <expat.h> 123 #ifndef HAVE_EXPAT_H 124 #error "need libexpat to parse root-anchors.xml file." 125 #endif 126 #ifdef HAVE_GETOPT_H 127 #include <getopt.h> 128 #endif 129 #ifdef HAVE_OPENSSL_SSL_H 130 #include <openssl/ssl.h> 131 #endif 132 #ifdef HAVE_OPENSSL_ERR_H 133 #include <openssl/err.h> 134 #endif 135 #ifdef HAVE_OPENSSL_RAND_H 136 #include <openssl/rand.h> 137 #endif 138 #include <openssl/x509.h> 139 #include <openssl/x509v3.h> 140 #include <openssl/pem.h> 141 142 /** name of server in URL to fetch HTTPS from */ 143 #define URLNAME "data.iana.org" 144 /** path on HTTPS server to xml file */ 145 #define XMLNAME "root-anchors/root-anchors.xml" 146 /** path on HTTPS server to p7s file */ 147 #define P7SNAME "root-anchors/root-anchors.p7s" 148 /** name of the signer of the certificate */ 149 #define P7SIGNER "dnssec@iana.org" 150 /** port number for https access */ 151 #define HTTPS_PORT 443 152 153 #ifdef USE_WINSOCK 154 /* sneakily reuse the the wsa_strerror function, on windows */ 155 char* wsa_strerror(int err); 156 #endif 157 158 static const char ICANN_UPDATE_CA[] = 159 /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */ 160 "-----BEGIN CERTIFICATE-----\n" 161 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n" 162 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n" 163 "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n" 164 "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n" 165 "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n" 166 "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n" 167 "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n" 168 "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n" 169 "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n" 170 "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n" 171 "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n" 172 "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n" 173 "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n" 174 "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n" 175 "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n" 176 "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n" 177 "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n" 178 "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n" 179 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n" 180 "-----END CERTIFICATE-----\n"; 181 182 static const char DS_TRUST_ANCHOR[] = 183 /* The anchors must start on a new line with ". IN DS and end with \n"[;] 184 * because the makedist script greps on the source here */ 185 /* anchor 20326 is from 2017 */ 186 ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"; 187 188 /** verbosity for this application */ 189 static int verb = 0; 190 191 /** list of IP addresses */ 192 struct ip_list { 193 /** next in list */ 194 struct ip_list* next; 195 /** length of addr */ 196 socklen_t len; 197 /** address ready to connect to */ 198 struct sockaddr_storage addr; 199 /** has the address been used */ 200 int used; 201 }; 202 203 /** Give unbound-anchor usage, and exit (1). */ 204 static void 205 usage(void) 206 { 207 printf("Usage: local-unbound-anchor [opts]\n"); 208 printf(" Setup or update root anchor. " 209 "Most options have defaults.\n"); 210 printf(" Run this program before you start the validator.\n"); 211 printf("\n"); 212 printf(" The anchor and cert have default builtin content\n"); 213 printf(" if the file does not exist or is empty.\n"); 214 printf("\n"); 215 printf("-a file root key file, default %s\n", ROOT_ANCHOR_FILE); 216 printf(" The key is input and output for this tool.\n"); 217 printf("-c file cert file, default %s\n", ROOT_CERT_FILE); 218 printf("-l list builtin key and cert on stdout\n"); 219 printf("-u name server in https url, default %s\n", URLNAME); 220 printf("-S do not use SNI for the https connection\n"); 221 printf("-x path pathname to xml in url, default %s\n", XMLNAME); 222 printf("-s path pathname to p7s in url, default %s\n", P7SNAME); 223 printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER); 224 printf("-b address source address to bind to\n"); 225 printf("-4 work using IPv4 only\n"); 226 printf("-6 work using IPv6 only\n"); 227 printf("-f resolv.conf use given resolv.conf\n"); 228 printf("-r root.hints use given root.hints\n" 229 " builtin root hints are used by default\n"); 230 printf("-R fallback from -f to root query on error\n"); 231 printf("-v more verbose\n"); 232 printf("-C conf debug, read config\n"); 233 printf("-P port use port for https connect, default 443\n"); 234 printf("-F debug, force update with cert\n"); 235 printf("-h show this usage help\n"); 236 printf("Version %s\n", PACKAGE_VERSION); 237 printf("BSD licensed, see LICENSE in source package for details.\n"); 238 printf("Report bugs to %s\n", PACKAGE_BUGREPORT); 239 exit(1); 240 } 241 242 /** return the built in root update certificate */ 243 static const char* 244 get_builtin_cert(void) 245 { 246 return ICANN_UPDATE_CA; 247 } 248 249 /** return the built in root DS trust anchor */ 250 static const char* 251 get_builtin_ds(void) 252 { 253 return DS_TRUST_ANCHOR; 254 } 255 256 /** print hex data */ 257 static void 258 print_data(const char* msg, const char* data, size_t len) 259 { 260 size_t i; 261 printf("%s: ", msg); 262 for(i=0; i<len; i++) { 263 printf(" %2.2x", (unsigned char)data[i]); 264 } 265 printf("\n"); 266 } 267 268 /** print ub context creation error and exit */ 269 static void 270 ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2) 271 { 272 ub_ctx_delete(ctx); 273 if(str && str2 && verb) printf("%s: %s\n", str, str2); 274 if(verb) printf("error: could not create unbound resolver context\n"); 275 exit(0); 276 } 277 278 /** 279 * Create a new unbound context with the commandline settings applied 280 */ 281 static struct ub_ctx* 282 create_unbound_context(const char* res_conf, const char* root_hints, 283 const char* debugconf, const char* srcaddr, int ip4only, int ip6only) 284 { 285 int r; 286 struct ub_ctx* ctx = ub_ctx_create(); 287 if(!ctx) { 288 if(verb) printf("out of memory\n"); 289 exit(0); 290 } 291 /* do not waste time and network traffic to fetch extra nameservers */ 292 r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0"); 293 if(r && verb) printf("ctx targetfetchpolicy: %s\n", ub_strerror(r)); 294 /* read config file first, so its settings can be overridden */ 295 if(debugconf) { 296 r = ub_ctx_config(ctx, debugconf); 297 if(r) ub_ctx_error_exit(ctx, debugconf, ub_strerror(r)); 298 } 299 if(res_conf) { 300 r = ub_ctx_resolvconf(ctx, res_conf); 301 if(r) ub_ctx_error_exit(ctx, res_conf, ub_strerror(r)); 302 } 303 if(root_hints) { 304 r = ub_ctx_set_option(ctx, "root-hints:", root_hints); 305 if(r) ub_ctx_error_exit(ctx, root_hints, ub_strerror(r)); 306 } 307 if(srcaddr) { 308 r = ub_ctx_set_option(ctx, "outgoing-interface:", srcaddr); 309 if(r) ub_ctx_error_exit(ctx, srcaddr, ub_strerror(r)); 310 } 311 if(ip4only) { 312 r = ub_ctx_set_option(ctx, "do-ip6:", "no"); 313 if(r) ub_ctx_error_exit(ctx, "ip4only", ub_strerror(r)); 314 } 315 if(ip6only) { 316 r = ub_ctx_set_option(ctx, "do-ip4:", "no"); 317 if(r) ub_ctx_error_exit(ctx, "ip6only", ub_strerror(r)); 318 } 319 return ctx; 320 } 321 322 /** printout certificate in detail */ 323 static void 324 verb_cert(const char* msg, X509* x) 325 { 326 if(verb == 0 || verb == 1) return; 327 if(verb == 2) { 328 if(msg) printf("%s\n", msg); 329 X509_print_ex_fp(stdout, x, 0, (unsigned long)-1 330 ^(X509_FLAG_NO_SUBJECT 331 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY)); 332 return; 333 } 334 if(msg) printf("%s\n", msg); 335 X509_print_fp(stdout, x); 336 } 337 338 /** printout certificates in detail */ 339 static void 340 verb_certs(const char* msg, STACK_OF(X509)* sk) 341 { 342 int i, num = sk_X509_num(sk); 343 if(verb == 0 || verb == 1) return; 344 for(i=0; i<num; i++) { 345 printf("%s (%d/%d)\n", msg, i, num); 346 verb_cert(NULL, sk_X509_value(sk, i)); 347 } 348 } 349 350 /** read certificates from a PEM bio */ 351 static STACK_OF(X509)* 352 read_cert_bio(BIO* bio) 353 { 354 STACK_OF(X509) *sk = sk_X509_new_null(); 355 if(!sk) { 356 if(verb) printf("out of memory\n"); 357 exit(0); 358 } 359 while(!BIO_eof(bio)) { 360 X509* x = PEM_read_bio_X509(bio, NULL, NULL, NULL); 361 if(x == NULL) { 362 if(verb) { 363 printf("failed to read X509\n"); 364 ERR_print_errors_fp(stdout); 365 } 366 continue; 367 } 368 if(!sk_X509_push(sk, x)) { 369 if(verb) printf("out of memory\n"); 370 exit(0); 371 } 372 } 373 return sk; 374 } 375 376 /* read the certificate file */ 377 static STACK_OF(X509)* 378 read_cert_file(const char* file) 379 { 380 STACK_OF(X509)* sk; 381 FILE* in; 382 int content = 0; 383 char buf[128]; 384 if(file == NULL || strcmp(file, "") == 0) { 385 return NULL; 386 } 387 sk = sk_X509_new_null(); 388 if(!sk) { 389 if(verb) printf("out of memory\n"); 390 exit(0); 391 } 392 in = fopen(file, "r"); 393 if(!in) { 394 if(verb) printf("%s: %s\n", file, strerror(errno)); 395 #ifndef S_SPLINT_S 396 sk_X509_pop_free(sk, X509_free); 397 #endif 398 return NULL; 399 } 400 while(!feof(in)) { 401 X509* x = PEM_read_X509(in, NULL, NULL, NULL); 402 if(x == NULL) { 403 if(verb) { 404 printf("failed to read X509 file\n"); 405 ERR_print_errors_fp(stdout); 406 } 407 continue; 408 } 409 if(!sk_X509_push(sk, x)) { 410 if(verb) printf("out of memory\n"); 411 fclose(in); 412 exit(0); 413 } 414 content = 1; 415 /* read away newline after --END CERT-- */ 416 if(!fgets(buf, (int)sizeof(buf), in)) 417 break; 418 } 419 fclose(in); 420 if(!content) { 421 if(verb) printf("%s is empty\n", file); 422 #ifndef S_SPLINT_S 423 sk_X509_pop_free(sk, X509_free); 424 #endif 425 return NULL; 426 } 427 return sk; 428 } 429 430 /** read certificates from the builtin certificate */ 431 static STACK_OF(X509)* 432 read_builtin_cert(void) 433 { 434 const char* builtin_cert = get_builtin_cert(); 435 STACK_OF(X509)* sk; 436 BIO *bio = BIO_new_mem_buf(builtin_cert, 437 (int)strlen(builtin_cert)); 438 if(!bio) { 439 if(verb) printf("out of memory\n"); 440 exit(0); 441 } 442 sk = read_cert_bio(bio); 443 if(!sk) { 444 if(verb) printf("internal error, out of memory\n"); 445 exit(0); 446 } 447 BIO_free(bio); 448 return sk; 449 } 450 451 /** read update cert file or use builtin */ 452 static STACK_OF(X509)* 453 read_cert_or_builtin(const char* file) 454 { 455 STACK_OF(X509) *sk = read_cert_file(file); 456 if(!sk) { 457 if(verb) printf("using builtin certificate\n"); 458 sk = read_builtin_cert(); 459 } 460 if(verb) printf("have %d trusted certificates\n", sk_X509_num(sk)); 461 verb_certs("trusted certificates", sk); 462 return sk; 463 } 464 465 static void 466 do_list_builtin(void) 467 { 468 const char* builtin_cert = get_builtin_cert(); 469 const char* builtin_ds = get_builtin_ds(); 470 printf("%s\n", builtin_ds); 471 printf("%s\n", builtin_cert); 472 exit(0); 473 } 474 475 /** printout IP address with message */ 476 static void 477 verb_addr(const char* msg, struct ip_list* ip) 478 { 479 if(verb) { 480 char out[100]; 481 void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr; 482 if(ip->len != (socklen_t)sizeof(struct sockaddr_in)) 483 a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr; 484 485 if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family, 486 a, out, (socklen_t)sizeof(out))==0) 487 printf("%s (inet_ntop error)\n", msg); 488 else printf("%s %s\n", msg, out); 489 } 490 } 491 492 /** free ip_list */ 493 static void 494 ip_list_free(struct ip_list* p) 495 { 496 struct ip_list* np; 497 while(p) { 498 np = p->next; 499 free(p); 500 p = np; 501 } 502 } 503 504 /** create ip_list entry for a RR record */ 505 static struct ip_list* 506 RR_to_ip(int tp, char* data, int len, int port) 507 { 508 struct ip_list* ip = (struct ip_list*)calloc(1, sizeof(*ip)); 509 uint16_t p = (uint16_t)port; 510 if(tp == LDNS_RR_TYPE_A) { 511 struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr; 512 ip->len = (socklen_t)sizeof(*sa); 513 sa->sin_family = AF_INET; 514 sa->sin_port = (in_port_t)htons(p); 515 if(len != (int)sizeof(sa->sin_addr)) { 516 if(verb) printf("skipped badly formatted A\n"); 517 free(ip); 518 return NULL; 519 } 520 memmove(&sa->sin_addr, data, sizeof(sa->sin_addr)); 521 522 } else if(tp == LDNS_RR_TYPE_AAAA) { 523 struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr; 524 ip->len = (socklen_t)sizeof(*sa); 525 sa->sin6_family = AF_INET6; 526 sa->sin6_port = (in_port_t)htons(p); 527 if(len != (int)sizeof(sa->sin6_addr)) { 528 if(verb) printf("skipped badly formatted AAAA\n"); 529 free(ip); 530 return NULL; 531 } 532 memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr)); 533 } else { 534 if(verb) printf("internal error: bad type in RRtoip\n"); 535 free(ip); 536 return NULL; 537 } 538 verb_addr("resolved server address", ip); 539 return ip; 540 } 541 542 /** Resolve name, type, class and add addresses to iplist */ 543 static void 544 resolve_host_ip(struct ub_ctx* ctx, const char* host, int port, int tp, int cl, 545 struct ip_list** head) 546 { 547 struct ub_result* res = NULL; 548 int r; 549 int i; 550 551 r = ub_resolve(ctx, host, tp, cl, &res); 552 if(r) { 553 if(verb) printf("error: resolve %s %s: %s\n", host, 554 (tp==LDNS_RR_TYPE_A)?"A":"AAAA", ub_strerror(r)); 555 return; 556 } 557 if(!res) { 558 if(verb) printf("out of memory\n"); 559 ub_ctx_delete(ctx); 560 exit(0); 561 } 562 if(!res->havedata || res->rcode || !res->data) { 563 if(verb) printf("resolve %s %s: no result\n", host, 564 (tp==LDNS_RR_TYPE_A)?"A":"AAAA"); 565 return; 566 } 567 for(i = 0; res->data[i]; i++) { 568 struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i], 569 port); 570 if(!ip) continue; 571 ip->next = *head; 572 *head = ip; 573 } 574 ub_resolve_free(res); 575 } 576 577 /** parse a text IP address into a sockaddr */ 578 static struct ip_list* 579 parse_ip_addr(const char* str, int port) 580 { 581 socklen_t len = 0; 582 union { 583 struct sockaddr_in6 a6; 584 struct sockaddr_in a; 585 } addr; 586 struct ip_list* ip; 587 uint16_t p = (uint16_t)port; 588 memset(&addr, 0, sizeof(addr)); 589 590 if(inet_pton(AF_INET6, str, &addr.a6.sin6_addr) > 0) { 591 /* it is an IPv6 */ 592 addr.a6.sin6_family = AF_INET6; 593 addr.a6.sin6_port = (in_port_t)htons(p); 594 len = (socklen_t)sizeof(addr.a6); 595 } 596 if(inet_pton(AF_INET, str, &addr.a.sin_addr) > 0) { 597 /* it is an IPv4 */ 598 addr.a.sin_family = AF_INET; 599 addr.a.sin_port = (in_port_t)htons(p); 600 len = (socklen_t)sizeof(struct sockaddr_in); 601 } 602 if(!len) return NULL; 603 ip = (struct ip_list*)calloc(1, sizeof(*ip)); 604 if(!ip) { 605 if(verb) printf("out of memory\n"); 606 exit(0); 607 } 608 ip->len = len; 609 memmove(&ip->addr, &addr, len); 610 if(verb) printf("server address is %s\n", str); 611 return ip; 612 } 613 614 /** 615 * Resolve a domain name (even though the resolver is down and there is 616 * no trust anchor). Without DNSSEC validation. 617 * @param host: the name to resolve. 618 * If this name is an IP4 or IP6 address this address is returned. 619 * @param port: the port number used for the returned IP structs. 620 * @param res_conf: resolv.conf (if any). 621 * @param root_hints: root hints (if any). 622 * @param debugconf: unbound.conf for debugging options. 623 * @param srcaddr: source address option (if any). 624 * @param ip4only: use only ip4 for resolve and only lookup A 625 * @param ip6only: use only ip6 for resolve and only lookup AAAA 626 * default is to lookup A and AAAA using ip4 and ip6. 627 * @return list of IP addresses. 628 */ 629 static struct ip_list* 630 resolve_name(const char* host, int port, const char* res_conf, 631 const char* root_hints, const char* debugconf, 632 const char* srcaddr, int ip4only, int ip6only) 633 { 634 struct ub_ctx* ctx; 635 struct ip_list* list = NULL; 636 /* first see if name is an IP address itself */ 637 if( (list=parse_ip_addr(host, port)) ) { 638 return list; 639 } 640 641 /* create resolver context */ 642 ctx = create_unbound_context(res_conf, root_hints, debugconf, 643 srcaddr, ip4only, ip6only); 644 645 /* try resolution of A */ 646 if(!ip6only) { 647 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_A, 648 LDNS_RR_CLASS_IN, &list); 649 } 650 651 /* try resolution of AAAA */ 652 if(!ip4only) { 653 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_AAAA, 654 LDNS_RR_CLASS_IN, &list); 655 } 656 657 ub_ctx_delete(ctx); 658 if(!list) { 659 if(verb) printf("%s has no IP addresses I can use\n", host); 660 exit(0); 661 } 662 return list; 663 } 664 665 /** clear used flags */ 666 static void 667 wipe_ip_usage(struct ip_list* p) 668 { 669 while(p) { 670 p->used = 0; 671 p = p->next; 672 } 673 } 674 675 /** count unused IPs */ 676 static int 677 count_unused(struct ip_list* p) 678 { 679 int num = 0; 680 while(p) { 681 if(!p->used) num++; 682 p = p->next; 683 } 684 return num; 685 } 686 687 /** pick random unused element from IP list */ 688 static struct ip_list* 689 pick_random_ip(struct ip_list* list) 690 { 691 struct ip_list* p = list; 692 int num = count_unused(list); 693 int sel; 694 if(num == 0) return NULL; 695 /* not perfect, but random enough */ 696 sel = (int)arc4random_uniform((uint32_t)num); 697 /* skip over unused elements that we did not select */ 698 while(sel > 0 && p) { 699 if(!p->used) sel--; 700 p = p->next; 701 } 702 /* find the next unused element */ 703 while(p && p->used) 704 p = p->next; 705 if(!p) return NULL; /* robustness */ 706 return p; 707 } 708 709 /** close the fd */ 710 static void 711 fd_close(int fd) 712 { 713 #ifndef USE_WINSOCK 714 close(fd); 715 #else 716 closesocket(fd); 717 #endif 718 } 719 720 /** printout socket errno */ 721 static void 722 print_sock_err(const char* msg) 723 { 724 #ifndef USE_WINSOCK 725 if(verb) printf("%s: %s\n", msg, strerror(errno)); 726 #else 727 if(verb) printf("%s: %s\n", msg, wsa_strerror(WSAGetLastError())); 728 #endif 729 } 730 731 /** connect to IP address */ 732 static int 733 connect_to_ip(struct ip_list* ip, struct ip_list* src) 734 { 735 int fd; 736 verb_addr("connect to", ip); 737 fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)? 738 AF_INET:AF_INET6, SOCK_STREAM, 0); 739 if(fd == -1) { 740 print_sock_err("socket"); 741 return -1; 742 } 743 if(src && bind(fd, (struct sockaddr*)&src->addr, src->len) < 0) { 744 print_sock_err("bind"); 745 fd_close(fd); 746 return -1; 747 } 748 if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) { 749 print_sock_err("connect"); 750 fd_close(fd); 751 return -1; 752 } 753 return fd; 754 } 755 756 /** create SSL context */ 757 static SSL_CTX* 758 setup_sslctx(void) 759 { 760 SSL_CTX* sslctx = SSL_CTX_new(SSLv23_client_method()); 761 if(!sslctx) { 762 if(verb) printf("SSL_CTX_new error\n"); 763 return NULL; 764 } 765 return sslctx; 766 } 767 768 /** initiate TLS on a connection */ 769 static SSL* 770 TLS_initiate(SSL_CTX* sslctx, int fd, const char* urlname, int use_sni) 771 { 772 X509* x; 773 int r; 774 SSL* ssl = SSL_new(sslctx); 775 if(!ssl) { 776 if(verb) printf("SSL_new error\n"); 777 return NULL; 778 } 779 SSL_set_connect_state(ssl); 780 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); 781 if(!SSL_set_fd(ssl, fd)) { 782 if(verb) printf("SSL_set_fd error\n"); 783 SSL_free(ssl); 784 return NULL; 785 } 786 if(use_sni) { 787 (void)SSL_set_tlsext_host_name(ssl, urlname); 788 } 789 while(1) { 790 ERR_clear_error(); 791 if( (r=SSL_do_handshake(ssl)) == 1) 792 break; 793 r = SSL_get_error(ssl, r); 794 if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) { 795 if(verb) printf("SSL handshake failed\n"); 796 SSL_free(ssl); 797 return NULL; 798 } 799 /* wants to be called again */ 800 } 801 x = SSL_get_peer_certificate(ssl); 802 if(!x) { 803 if(verb) printf("Server presented no peer certificate\n"); 804 SSL_free(ssl); 805 return NULL; 806 } 807 verb_cert("server SSL certificate", x); 808 X509_free(x); 809 return ssl; 810 } 811 812 /** perform neat TLS shutdown */ 813 static void 814 TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx) 815 { 816 /* shutdown the SSL connection nicely */ 817 if(SSL_shutdown(ssl) == 0) { 818 SSL_shutdown(ssl); 819 } 820 SSL_free(ssl); 821 SSL_CTX_free(sslctx); 822 fd_close(fd); 823 } 824 825 /** write a line over SSL */ 826 static int 827 write_ssl_line(SSL* ssl, const char* str, const char* sec) 828 { 829 char buf[1024]; 830 size_t l; 831 if(sec) { 832 snprintf(buf, sizeof(buf), str, sec); 833 } else { 834 snprintf(buf, sizeof(buf), "%s", str); 835 } 836 l = strlen(buf); 837 if(l+2 >= sizeof(buf)) { 838 if(verb) printf("line too long\n"); 839 return 0; 840 } 841 if(verb >= 2) printf("SSL_write: %s\n", buf); 842 buf[l] = '\r'; 843 buf[l+1] = '\n'; 844 buf[l+2] = 0; 845 /* add \r\n */ 846 if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) { 847 if(verb) printf("could not SSL_write %s", str); 848 return 0; 849 } 850 return 1; 851 } 852 853 /** process header line, check rcode and keeping track of size */ 854 static int 855 process_one_header(char* buf, size_t* clen, int* chunked) 856 { 857 if(verb>=2) printf("header: '%s'\n", buf); 858 if(strncasecmp(buf, "HTTP/1.1 ", 9) == 0) { 859 /* check returncode */ 860 if(buf[9] != '2') { 861 if(verb) printf("bad status %s\n", buf+9); 862 return 0; 863 } 864 } else if(strncasecmp(buf, "Content-Length: ", 16) == 0) { 865 if(!*chunked) 866 *clen = (size_t)atoi(buf+16); 867 } else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) { 868 *clen = 0; 869 *chunked = 1; 870 } 871 return 1; 872 } 873 874 /** 875 * Read one line from SSL 876 * zero terminates. 877 * skips "\r\n" (but not copied to buf). 878 * @param ssl: the SSL connection to read from (blocking). 879 * @param buf: buffer to return line in. 880 * @param len: size of the buffer. 881 * @return 0 on error, 1 on success. 882 */ 883 static int 884 read_ssl_line(SSL* ssl, char* buf, size_t len) 885 { 886 size_t n = 0; 887 int r; 888 int endnl = 0; 889 while(1) { 890 if(n >= len) { 891 if(verb) printf("line too long\n"); 892 return 0; 893 } 894 if((r = SSL_read(ssl, buf+n, 1)) <= 0) { 895 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { 896 /* EOF */ 897 break; 898 } 899 if(verb) printf("could not SSL_read\n"); 900 return 0; 901 } 902 if(endnl && buf[n] == '\n') { 903 break; 904 } else if(endnl) { 905 /* bad data */ 906 if(verb) printf("error: stray linefeeds\n"); 907 return 0; 908 } else if(buf[n] == '\r') { 909 /* skip \r, and also \n on the wire */ 910 endnl = 1; 911 continue; 912 } else if(buf[n] == '\n') { 913 /* skip the \n, we are done */ 914 break; 915 } else n++; 916 } 917 buf[n] = 0; 918 return 1; 919 } 920 921 /** read http headers and process them */ 922 static size_t 923 read_http_headers(SSL* ssl, size_t* clen) 924 { 925 char buf[1024]; 926 int chunked = 0; 927 *clen = 0; 928 while(read_ssl_line(ssl, buf, sizeof(buf))) { 929 if(buf[0] == 0) 930 return 1; 931 if(!process_one_header(buf, clen, &chunked)) 932 return 0; 933 } 934 return 0; 935 } 936 937 /** read a data chunk */ 938 static char* 939 read_data_chunk(SSL* ssl, size_t len) 940 { 941 size_t got = 0; 942 int r; 943 char* data; 944 if((unsigned)len >= (unsigned)0xfffffff0) 945 return NULL; /* to protect against integer overflow in malloc*/ 946 data = malloc(len+1); 947 if(!data) { 948 if(verb) printf("out of memory\n"); 949 return NULL; 950 } 951 while(got < len) { 952 if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) { 953 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { 954 /* EOF */ 955 if(verb) printf("could not SSL_read: unexpected EOF\n"); 956 free(data); 957 return NULL; 958 } 959 if(verb) printf("could not SSL_read\n"); 960 free(data); 961 return NULL; 962 } 963 if(verb >= 2) printf("at %d/%d\n", (int)got, (int)len); 964 got += r; 965 } 966 if(verb>=2) printf("read %d data\n", (int)len); 967 data[len] = 0; 968 return data; 969 } 970 971 /** parse chunk header */ 972 static int 973 parse_chunk_header(char* buf, size_t* result) 974 { 975 char* e = NULL; 976 size_t v = (size_t)strtol(buf, &e, 16); 977 if(e == buf) 978 return 0; 979 *result = v; 980 return 1; 981 } 982 983 /** read chunked data from connection */ 984 static BIO* 985 do_chunked_read(SSL* ssl) 986 { 987 char buf[1024]; 988 size_t len; 989 char* body; 990 BIO* mem = BIO_new(BIO_s_mem()); 991 if(verb>=3) printf("do_chunked_read\n"); 992 if(!mem) { 993 if(verb) printf("out of memory\n"); 994 return NULL; 995 } 996 while(read_ssl_line(ssl, buf, sizeof(buf))) { 997 /* read the chunked start line */ 998 if(verb>=2) printf("chunk header: %s\n", buf); 999 if(!parse_chunk_header(buf, &len)) { 1000 BIO_free(mem); 1001 if(verb>=3) printf("could not parse chunk header\n"); 1002 return NULL; 1003 } 1004 if(verb>=2) printf("chunk len: %d\n", (int)len); 1005 /* are we done? */ 1006 if(len == 0) { 1007 char z = 0; 1008 /* skip end-of-chunk-trailer lines, 1009 * until the empty line after that */ 1010 do { 1011 if(!read_ssl_line(ssl, buf, sizeof(buf))) { 1012 BIO_free(mem); 1013 return NULL; 1014 } 1015 } while (strlen(buf) > 0); 1016 /* end of chunks, zero terminate it */ 1017 if(BIO_write(mem, &z, 1) <= 0) { 1018 if(verb) printf("out of memory\n"); 1019 BIO_free(mem); 1020 return NULL; 1021 } 1022 return mem; 1023 } 1024 /* read the chunked body */ 1025 body = read_data_chunk(ssl, len); 1026 if(!body) { 1027 BIO_free(mem); 1028 return NULL; 1029 } 1030 if(BIO_write(mem, body, (int)len) <= 0) { 1031 if(verb) printf("out of memory\n"); 1032 free(body); 1033 BIO_free(mem); 1034 return NULL; 1035 } 1036 free(body); 1037 /* skip empty line after data chunk */ 1038 if(!read_ssl_line(ssl, buf, sizeof(buf))) { 1039 BIO_free(mem); 1040 return NULL; 1041 } 1042 } 1043 BIO_free(mem); 1044 return NULL; 1045 } 1046 1047 /** start HTTP1.1 transaction on SSL */ 1048 static int 1049 write_http_get(SSL* ssl, const char* pathname, const char* urlname) 1050 { 1051 if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) && 1052 write_ssl_line(ssl, "Host: %s", urlname) && 1053 write_ssl_line(ssl, "User-Agent: unbound-anchor/%s", 1054 PACKAGE_VERSION) && 1055 /* We do not really do multiple queries per connection, 1056 * but this header setting is also not needed. 1057 * write_ssl_line(ssl, "Connection: close", NULL) &&*/ 1058 write_ssl_line(ssl, "", NULL)) { 1059 return 1; 1060 } 1061 return 0; 1062 } 1063 1064 /** read chunked data and zero terminate; len is without zero */ 1065 static char* 1066 read_chunked_zero_terminate(SSL* ssl, size_t* len) 1067 { 1068 /* do the chunked version */ 1069 BIO* tmp = do_chunked_read(ssl); 1070 char* data, *d = NULL; 1071 size_t l; 1072 if(!tmp) { 1073 if(verb) printf("could not read from https\n"); 1074 return NULL; 1075 } 1076 l = (size_t)BIO_get_mem_data(tmp, &d); 1077 if(verb>=2) printf("chunked data is %d\n", (int)l); 1078 if(l == 0 || d == NULL) { 1079 if(verb) printf("out of memory\n"); 1080 return NULL; 1081 } 1082 *len = l-1; 1083 data = (char*)malloc(l); 1084 if(data == NULL) { 1085 if(verb) printf("out of memory\n"); 1086 return NULL; 1087 } 1088 memcpy(data, d, l); 1089 BIO_free(tmp); 1090 return data; 1091 } 1092 1093 /** read HTTP result from SSL */ 1094 static BIO* 1095 read_http_result(SSL* ssl) 1096 { 1097 size_t len = 0; 1098 char* data; 1099 BIO* m; 1100 if(!read_http_headers(ssl, &len)) { 1101 return NULL; 1102 } 1103 if(len == 0) { 1104 data = read_chunked_zero_terminate(ssl, &len); 1105 } else { 1106 data = read_data_chunk(ssl, len); 1107 } 1108 if(!data) return NULL; 1109 if(verb >= 4) print_data("read data", data, len); 1110 m = BIO_new(BIO_s_mem()); 1111 if(!m) { 1112 if(verb) printf("out of memory\n"); 1113 free(data); 1114 exit(0); 1115 } 1116 BIO_write(m, data, (int)len); 1117 free(data); 1118 return m; 1119 } 1120 1121 /** https to an IP addr, return BIO with pathname or NULL */ 1122 static BIO* 1123 https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname, 1124 struct ip_list* src, int use_sni) 1125 { 1126 int fd; 1127 SSL* ssl; 1128 BIO* bio; 1129 SSL_CTX* sslctx = setup_sslctx(); 1130 if(!sslctx) { 1131 return NULL; 1132 } 1133 fd = connect_to_ip(ip, src); 1134 if(fd == -1) { 1135 SSL_CTX_free(sslctx); 1136 return NULL; 1137 } 1138 ssl = TLS_initiate(sslctx, fd, urlname, use_sni); 1139 if(!ssl) { 1140 SSL_CTX_free(sslctx); 1141 fd_close(fd); 1142 return NULL; 1143 } 1144 if(!write_http_get(ssl, pathname, urlname)) { 1145 if(verb) printf("could not write to server\n"); 1146 SSL_free(ssl); 1147 SSL_CTX_free(sslctx); 1148 fd_close(fd); 1149 return NULL; 1150 } 1151 bio = read_http_result(ssl); 1152 TLS_shutdown(fd, ssl, sslctx); 1153 return bio; 1154 } 1155 1156 /** 1157 * Do a HTTPS, HTTP1.1 over TLS, to fetch a file 1158 * @param ip_list: list of IP addresses to use to fetch from. 1159 * @param pathname: pathname of file on server to GET. 1160 * @param urlname: name to pass as the virtual host for this request. 1161 * @param src: if nonNULL, source address to bind to. 1162 * @param use_sni: if SNI will be used. 1163 * @return a memory BIO with the file in it. 1164 */ 1165 static BIO* 1166 https(struct ip_list* ip_list, const char* pathname, const char* urlname, 1167 struct ip_list* src, int use_sni) 1168 { 1169 struct ip_list* ip; 1170 BIO* bio = NULL; 1171 /* try random address first, and work through the list */ 1172 wipe_ip_usage(ip_list); 1173 while( (ip = pick_random_ip(ip_list)) ) { 1174 ip->used = 1; 1175 bio = https_to_ip(ip, pathname, urlname, src, use_sni); 1176 if(bio) break; 1177 } 1178 if(!bio) { 1179 if(verb) printf("could not fetch %s\n", pathname); 1180 exit(0); 1181 } else { 1182 if(verb) printf("fetched %s (%d bytes)\n", 1183 pathname, (int)BIO_ctrl_pending(bio)); 1184 } 1185 return bio; 1186 } 1187 1188 /** XML parse private data during the parse */ 1189 struct xml_data { 1190 /** the parser, reference */ 1191 XML_Parser parser; 1192 /** the current tag; malloced; or NULL outside of tags */ 1193 char* tag; 1194 /** current date to use during the parse */ 1195 time_t date; 1196 /** number of keys usefully read in */ 1197 int num_keys; 1198 /** the compiled anchors as DS records */ 1199 BIO* ds; 1200 1201 /** do we want to use this anchor? */ 1202 int use_key; 1203 /** the current anchor: Zone */ 1204 BIO* czone; 1205 /** the current anchor: KeyTag */ 1206 BIO* ctag; 1207 /** the current anchor: Algorithm */ 1208 BIO* calgo; 1209 /** the current anchor: DigestType */ 1210 BIO* cdigtype; 1211 /** the current anchor: Digest*/ 1212 BIO* cdigest; 1213 }; 1214 1215 /** The BIO for the tag */ 1216 static BIO* 1217 xml_selectbio(struct xml_data* data, const char* tag) 1218 { 1219 BIO* b = NULL; 1220 if(strcasecmp(tag, "KeyTag") == 0) 1221 b = data->ctag; 1222 else if(strcasecmp(tag, "Algorithm") == 0) 1223 b = data->calgo; 1224 else if(strcasecmp(tag, "DigestType") == 0) 1225 b = data->cdigtype; 1226 else if(strcasecmp(tag, "Digest") == 0) 1227 b = data->cdigest; 1228 return b; 1229 } 1230 1231 /** 1232 * XML handle character data, the data inside an element. 1233 * @param userData: xml_data structure 1234 * @param s: the character data. May not all be in one callback. 1235 * NOT zero terminated. 1236 * @param len: length of this part of the data. 1237 */ 1238 static void 1239 xml_charhandle(void *userData, const XML_Char *s, int len) 1240 { 1241 struct xml_data* data = (struct xml_data*)userData; 1242 BIO* b = NULL; 1243 /* skip characters outside of elements */ 1244 if(!data->tag) 1245 return; 1246 if(verb>=4) { 1247 int i; 1248 printf("%s%s charhandle: '", 1249 data->use_key?"use ":"", 1250 data->tag?data->tag:"none"); 1251 for(i=0; i<len; i++) 1252 printf("%c", s[i]); 1253 printf("'\n"); 1254 } 1255 if(strcasecmp(data->tag, "Zone") == 0) { 1256 if(BIO_write(data->czone, s, len) < 0) { 1257 if(verb) printf("out of memory in BIO_write\n"); 1258 exit(0); 1259 } 1260 return; 1261 } 1262 /* only store if key is used */ 1263 if(!data->use_key) 1264 return; 1265 b = xml_selectbio(data, data->tag); 1266 if(b) { 1267 if(BIO_write(b, s, len) < 0) { 1268 if(verb) printf("out of memory in BIO_write\n"); 1269 exit(0); 1270 } 1271 } 1272 } 1273 1274 /** 1275 * XML fetch value of particular attribute(by name) or NULL if not present. 1276 * @param atts: attribute array (from xml_startelem). 1277 * @param name: name of attribute to look for. 1278 * @return the value or NULL. (ptr into atts). 1279 */ 1280 static const XML_Char* 1281 find_att(const XML_Char **atts, const XML_Char* name) 1282 { 1283 int i; 1284 for(i=0; atts[i]; i+=2) { 1285 if(strcasecmp(atts[i], name) == 0) 1286 return atts[i+1]; 1287 } 1288 return NULL; 1289 } 1290 1291 /** 1292 * XML convert DateTime element to time_t. 1293 * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] 1294 * (with optional .ssssss fractional seconds) 1295 * @param str: the string 1296 * @return a time_t representation or 0 on failure. 1297 */ 1298 static time_t 1299 xml_convertdate(const char* str) 1300 { 1301 time_t t = 0; 1302 struct tm tm; 1303 const char* s; 1304 /* for this application, ignore minus in front; 1305 * only positive dates are expected */ 1306 s = str; 1307 if(s[0] == '-') s++; 1308 memset(&tm, 0, sizeof(tm)); 1309 /* parse initial content of the string (lots of whitespace allowed) */ 1310 s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm); 1311 if(!s) { 1312 if(verb) printf("xml_convertdate parse failure %s\n", str); 1313 return 0; 1314 } 1315 /* parse remainder of date string */ 1316 if(*s == '.') { 1317 /* optional '.' and fractional seconds */ 1318 int frac = 0, n = 0; 1319 if(sscanf(s+1, "%d%n", &frac, &n) < 1) { 1320 if(verb) printf("xml_convertdate f failure %s\n", str); 1321 return 0; 1322 } 1323 /* fraction is not used, time_t has second accuracy */ 1324 s++; 1325 s+=n; 1326 } 1327 if(*s == 'Z' || *s == 'z') { 1328 /* nothing to do for this */ 1329 s++; 1330 } else if(*s == '+' || *s == '-') { 1331 /* optional timezone spec: Z or +hh:mm or -hh:mm */ 1332 int hr = 0, mn = 0, n = 0; 1333 if(sscanf(s+1, "%d:%d%n", &hr, &mn, &n) < 2) { 1334 if(verb) printf("xml_convertdate tz failure %s\n", str); 1335 return 0; 1336 } 1337 if(*s == '+') { 1338 tm.tm_hour += hr; 1339 tm.tm_min += mn; 1340 } else { 1341 tm.tm_hour -= hr; 1342 tm.tm_min -= mn; 1343 } 1344 s++; 1345 s += n; 1346 } 1347 if(*s != 0) { 1348 /* not ended properly */ 1349 /* but ignore, (lenient) */ 1350 } 1351 1352 t = sldns_mktime_from_utc(&tm); 1353 if(t == (time_t)-1) { 1354 if(verb) printf("xml_convertdate mktime failure\n"); 1355 return 0; 1356 } 1357 return t; 1358 } 1359 1360 /** 1361 * XML handle the KeyDigest start tag, check validity periods. 1362 */ 1363 static void 1364 handle_keydigest(struct xml_data* data, const XML_Char **atts) 1365 { 1366 data->use_key = 0; 1367 if(find_att(atts, "validFrom")) { 1368 time_t from = xml_convertdate(find_att(atts, "validFrom")); 1369 if(from == 0) { 1370 if(verb) printf("error: xml cannot be parsed\n"); 1371 exit(0); 1372 } 1373 if(data->date < from) 1374 return; 1375 } 1376 if(find_att(atts, "validUntil")) { 1377 time_t until = xml_convertdate(find_att(atts, "validUntil")); 1378 if(until == 0) { 1379 if(verb) printf("error: xml cannot be parsed\n"); 1380 exit(0); 1381 } 1382 if(data->date > until) 1383 return; 1384 } 1385 /* yes we want to use this key */ 1386 data->use_key = 1; 1387 (void)BIO_reset(data->ctag); 1388 (void)BIO_reset(data->calgo); 1389 (void)BIO_reset(data->cdigtype); 1390 (void)BIO_reset(data->cdigest); 1391 } 1392 1393 /** See if XML element equals the zone name */ 1394 static int 1395 xml_is_zone_name(BIO* zone, const char* name) 1396 { 1397 char buf[1024]; 1398 char* z = NULL; 1399 long zlen; 1400 (void)BIO_seek(zone, 0); 1401 zlen = BIO_get_mem_data(zone, &z); 1402 if(!zlen || !z) return 0; 1403 /* zero terminate */ 1404 if(zlen >= (long)sizeof(buf)) return 0; 1405 memmove(buf, z, (size_t)zlen); 1406 buf[zlen] = 0; 1407 /* compare */ 1408 return (strncasecmp(buf, name, strlen(name)) == 0); 1409 } 1410 1411 /** 1412 * XML start of element. This callback is called whenever an XML tag starts. 1413 * XML_Char is UTF8. 1414 * @param userData: the xml_data structure. 1415 * @param name: the tag that starts. 1416 * @param atts: array of strings, pairs of attr = value, ends with NULL. 1417 * i.e. att[0]="att[1]" att[2]="att[3]" att[4]isNull 1418 */ 1419 static void 1420 xml_startelem(void *userData, const XML_Char *name, const XML_Char **atts) 1421 { 1422 struct xml_data* data = (struct xml_data*)userData; 1423 BIO* b; 1424 if(verb>=4) printf("xml tag start '%s'\n", name); 1425 free(data->tag); 1426 data->tag = strdup(name); 1427 if(!data->tag) { 1428 if(verb) printf("out of memory\n"); 1429 exit(0); 1430 } 1431 if(verb>=4) { 1432 int i; 1433 for(i=0; atts[i]; i+=2) { 1434 printf(" %s='%s'\n", atts[i], atts[i+1]); 1435 } 1436 } 1437 /* handle attributes to particular types */ 1438 if(strcasecmp(name, "KeyDigest") == 0) { 1439 handle_keydigest(data, atts); 1440 return; 1441 } else if(strcasecmp(name, "Zone") == 0) { 1442 (void)BIO_reset(data->czone); 1443 return; 1444 } 1445 1446 /* for other types we prepare to pick up the data */ 1447 if(!data->use_key) 1448 return; 1449 b = xml_selectbio(data, data->tag); 1450 if(b) { 1451 /* empty it */ 1452 (void)BIO_reset(b); 1453 } 1454 } 1455 1456 /** Append str to bio */ 1457 static void 1458 xml_append_str(BIO* b, const char* s) 1459 { 1460 if(BIO_write(b, s, (int)strlen(s)) < 0) { 1461 if(verb) printf("out of memory in BIO_write\n"); 1462 exit(0); 1463 } 1464 } 1465 1466 /** Append bio to bio */ 1467 static void 1468 xml_append_bio(BIO* b, BIO* a) 1469 { 1470 char* z = NULL; 1471 long i, len; 1472 (void)BIO_seek(a, 0); 1473 len = BIO_get_mem_data(a, &z); 1474 if(!len || !z) { 1475 if(verb) printf("out of memory in BIO_write\n"); 1476 exit(0); 1477 } 1478 /* remove newlines in the data here */ 1479 for(i=0; i<len; i++) { 1480 if(z[i] == '\r' || z[i] == '\n') 1481 z[i] = ' '; 1482 } 1483 /* write to BIO */ 1484 if(BIO_write(b, z, len) < 0) { 1485 if(verb) printf("out of memory in BIO_write\n"); 1486 exit(0); 1487 } 1488 } 1489 1490 /** write the parsed xml-DS to the DS list */ 1491 static void 1492 xml_append_ds(struct xml_data* data) 1493 { 1494 /* write DS to accumulated DS */ 1495 xml_append_str(data->ds, ". IN DS "); 1496 xml_append_bio(data->ds, data->ctag); 1497 xml_append_str(data->ds, " "); 1498 xml_append_bio(data->ds, data->calgo); 1499 xml_append_str(data->ds, " "); 1500 xml_append_bio(data->ds, data->cdigtype); 1501 xml_append_str(data->ds, " "); 1502 xml_append_bio(data->ds, data->cdigest); 1503 xml_append_str(data->ds, "\n"); 1504 data->num_keys++; 1505 } 1506 1507 /** 1508 * XML end of element. This callback is called whenever an XML tag ends. 1509 * XML_Char is UTF8. 1510 * @param userData: the xml_data structure 1511 * @param name: the tag that ends. 1512 */ 1513 static void 1514 xml_endelem(void *userData, const XML_Char *name) 1515 { 1516 struct xml_data* data = (struct xml_data*)userData; 1517 if(verb>=4) printf("xml tag end '%s'\n", name); 1518 free(data->tag); 1519 data->tag = NULL; 1520 if(strcasecmp(name, "KeyDigest") == 0) { 1521 if(data->use_key) 1522 xml_append_ds(data); 1523 data->use_key = 0; 1524 } else if(strcasecmp(name, "Zone") == 0) { 1525 if(!xml_is_zone_name(data->czone, ".")) { 1526 if(verb) printf("xml not for the right zone\n"); 1527 exit(0); 1528 } 1529 } 1530 } 1531 1532 /* Stop the parser when an entity declaration is encountered. For safety. */ 1533 static void 1534 xml_entitydeclhandler(void *userData, 1535 const XML_Char *ATTR_UNUSED(entityName), 1536 int ATTR_UNUSED(is_parameter_entity), 1537 const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length), 1538 const XML_Char *ATTR_UNUSED(base), 1539 const XML_Char *ATTR_UNUSED(systemId), 1540 const XML_Char *ATTR_UNUSED(publicId), 1541 const XML_Char *ATTR_UNUSED(notationName)) 1542 { 1543 #if HAVE_DECL_XML_STOPPARSER 1544 (void)XML_StopParser((XML_Parser)userData, XML_FALSE); 1545 #else 1546 (void)userData; 1547 #endif 1548 } 1549 1550 /** 1551 * XML parser setup of the callbacks for the tags 1552 */ 1553 static void 1554 xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now) 1555 { 1556 char buf[1024]; 1557 memset(data, 0, sizeof(*data)); 1558 XML_SetUserData(parser, data); 1559 data->parser = parser; 1560 data->date = now; 1561 data->ds = BIO_new(BIO_s_mem()); 1562 data->ctag = BIO_new(BIO_s_mem()); 1563 data->czone = BIO_new(BIO_s_mem()); 1564 data->calgo = BIO_new(BIO_s_mem()); 1565 data->cdigtype = BIO_new(BIO_s_mem()); 1566 data->cdigest = BIO_new(BIO_s_mem()); 1567 if(!data->ds || !data->ctag || !data->calgo || !data->czone || 1568 !data->cdigtype || !data->cdigest) { 1569 if(verb) printf("out of memory\n"); 1570 exit(0); 1571 } 1572 snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s", 1573 ctime(&now)); 1574 if(BIO_write(data->ds, buf, (int)strlen(buf)) < 0) { 1575 if(verb) printf("out of memory\n"); 1576 exit(0); 1577 } 1578 XML_SetEntityDeclHandler(parser, xml_entitydeclhandler); 1579 XML_SetElementHandler(parser, xml_startelem, xml_endelem); 1580 XML_SetCharacterDataHandler(parser, xml_charhandle); 1581 } 1582 1583 /** 1584 * Perform XML parsing of the root-anchors file 1585 * Its format description can be found in RFC 7958. 1586 * It uses libexpat. 1587 * @param xml: BIO with xml data. 1588 * @param now: the current time for checking DS validity periods. 1589 * @return memoryBIO with the DS data in zone format. 1590 * or NULL if the zone is insecure. 1591 * (It exit()s on error) 1592 */ 1593 static BIO* 1594 xml_parse(BIO* xml, time_t now) 1595 { 1596 char* pp; 1597 int len; 1598 XML_Parser parser; 1599 struct xml_data data; 1600 1601 parser = XML_ParserCreate(NULL); 1602 if(!parser) { 1603 if(verb) printf("could not XML_ParserCreate\n"); 1604 exit(0); 1605 } 1606 1607 /* setup callbacks */ 1608 xml_parse_setup(parser, &data, now); 1609 1610 /* parse it */ 1611 (void)BIO_seek(xml, 0); 1612 len = (int)BIO_get_mem_data(xml, &pp); 1613 if(!len || !pp) { 1614 if(verb) printf("out of memory\n"); 1615 exit(0); 1616 } 1617 if(!XML_Parse(parser, pp, len, 1 /*isfinal*/ )) { 1618 const char *e = XML_ErrorString(XML_GetErrorCode(parser)); 1619 if(verb) printf("XML_Parse failure %s\n", e?e:""); 1620 exit(0); 1621 } 1622 1623 /* parsed */ 1624 if(verb) printf("XML was parsed successfully, %d keys\n", 1625 data.num_keys); 1626 free(data.tag); 1627 XML_ParserFree(parser); 1628 1629 if(verb >= 4) { 1630 (void)BIO_seek(data.ds, 0); 1631 len = BIO_get_mem_data(data.ds, &pp); 1632 printf("got DS bio %d: '", len); 1633 if(!fwrite(pp, (size_t)len, 1, stdout)) 1634 /* compilers do not allow us to ignore fwrite .. */ 1635 fprintf(stderr, "error writing to stdout\n"); 1636 printf("'\n"); 1637 } 1638 BIO_free(data.czone); 1639 BIO_free(data.ctag); 1640 BIO_free(data.calgo); 1641 BIO_free(data.cdigtype); 1642 BIO_free(data.cdigest); 1643 1644 if(data.num_keys == 0) { 1645 /* the root zone seems to have gone insecure */ 1646 BIO_free(data.ds); 1647 return NULL; 1648 } else { 1649 return data.ds; 1650 } 1651 } 1652 1653 /* get key usage out of its extension, returns 0 if no key_usage extension */ 1654 static unsigned long 1655 get_usage_of_ex(X509* cert) 1656 { 1657 unsigned long val = 0; 1658 ASN1_BIT_STRING* s; 1659 if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) { 1660 if(s->length > 0) { 1661 val = s->data[0]; 1662 if(s->length > 1) 1663 val |= s->data[1] << 8; 1664 } 1665 ASN1_BIT_STRING_free(s); 1666 } 1667 return val; 1668 } 1669 1670 /** get valid signers from the list of signers in the signature */ 1671 static STACK_OF(X509)* 1672 get_valid_signers(PKCS7* p7, const char* p7signer) 1673 { 1674 int i; 1675 STACK_OF(X509)* validsigners = sk_X509_new_null(); 1676 STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0); 1677 unsigned long usage = 0; 1678 if(!validsigners) { 1679 if(verb) printf("out of memory\n"); 1680 sk_X509_free(signers); 1681 return NULL; 1682 } 1683 if(!signers) { 1684 if(verb) printf("no signers in pkcs7 signature\n"); 1685 sk_X509_free(validsigners); 1686 return NULL; 1687 } 1688 for(i=0; i<sk_X509_num(signers); i++) { 1689 X509_NAME* nm = X509_get_subject_name( 1690 sk_X509_value(signers, i)); 1691 char buf[1024]; 1692 if(!nm) { 1693 if(verb) printf("signer %d: cert has no subject name\n", i); 1694 continue; 1695 } 1696 if(verb && nm) { 1697 char* nmline = X509_NAME_oneline(nm, buf, 1698 (int)sizeof(buf)); 1699 printf("signer %d: Subject: %s\n", i, 1700 nmline?nmline:"no subject"); 1701 if(verb >= 3 && X509_NAME_get_text_by_NID(nm, 1702 NID_commonName, buf, (int)sizeof(buf))) 1703 printf("commonName: %s\n", buf); 1704 if(verb >= 3 && X509_NAME_get_text_by_NID(nm, 1705 NID_pkcs9_emailAddress, buf, (int)sizeof(buf))) 1706 printf("emailAddress: %s\n", buf); 1707 } 1708 if(verb) { 1709 int ku_loc = X509_get_ext_by_NID( 1710 sk_X509_value(signers, i), NID_key_usage, -1); 1711 if(verb >= 3 && ku_loc >= 0) { 1712 X509_EXTENSION *ex = X509_get_ext( 1713 sk_X509_value(signers, i), ku_loc); 1714 if(ex) { 1715 printf("keyUsage: "); 1716 X509V3_EXT_print_fp(stdout, ex, 0, 0); 1717 printf("\n"); 1718 } 1719 } 1720 } 1721 if(!p7signer || strcmp(p7signer, "")==0) { 1722 /* there is no name to check, return all records */ 1723 if(verb) printf("did not check commonName of signer\n"); 1724 } else { 1725 if(!X509_NAME_get_text_by_NID(nm, 1726 NID_pkcs9_emailAddress, 1727 buf, (int)sizeof(buf))) { 1728 if(verb) printf("removed cert with no name\n"); 1729 continue; /* no name, no use */ 1730 } 1731 if(strcmp(buf, p7signer) != 0) { 1732 if(verb) printf("removed cert with wrong name\n"); 1733 continue; /* wrong name, skip it */ 1734 } 1735 } 1736 1737 /* check that the key usage allows digital signatures 1738 * (the p7s) */ 1739 usage = get_usage_of_ex(sk_X509_value(signers, i)); 1740 if(!(usage & KU_DIGITAL_SIGNATURE)) { 1741 if(verb) printf("removed cert with no key usage Digital Signature allowed\n"); 1742 continue; 1743 } 1744 1745 /* we like this cert, add it to our list of valid 1746 * signers certificates */ 1747 sk_X509_push(validsigners, sk_X509_value(signers, i)); 1748 } 1749 sk_X509_free(signers); 1750 return validsigners; 1751 } 1752 1753 /** verify a PKCS7 signature, false on failure */ 1754 static int 1755 verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer) 1756 { 1757 PKCS7* p7; 1758 X509_STORE *store = X509_STORE_new(); 1759 STACK_OF(X509)* validsigners; 1760 int secure = 0; 1761 int i; 1762 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1763 X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new(); 1764 if(!param) { 1765 if(verb) printf("out of memory\n"); 1766 X509_STORE_free(store); 1767 return 0; 1768 } 1769 /* do the selfcheck on the root certificate; it checks that the 1770 * input is valid */ 1771 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE); 1772 if(store) X509_STORE_set1_param(store, param); 1773 #endif 1774 if(!store) { 1775 if(verb) printf("out of memory\n"); 1776 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1777 X509_VERIFY_PARAM_free(param); 1778 #endif 1779 return 0; 1780 } 1781 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1782 X509_VERIFY_PARAM_free(param); 1783 #endif 1784 1785 (void)BIO_seek(p7s, 0); 1786 (void)BIO_seek(data, 0); 1787 1788 /* convert p7s to p7 (the signature) */ 1789 p7 = d2i_PKCS7_bio(p7s, NULL); 1790 if(!p7) { 1791 if(verb) printf("could not parse p7s signature file\n"); 1792 X509_STORE_free(store); 1793 return 0; 1794 } 1795 if(verb >= 2) printf("parsed the PKCS7 signature\n"); 1796 1797 /* convert trust to trusted certificate store */ 1798 for(i=0; i<sk_X509_num(trust); i++) { 1799 if(!X509_STORE_add_cert(store, sk_X509_value(trust, i))) { 1800 if(verb) printf("failed X509_STORE_add_cert\n"); 1801 X509_STORE_free(store); 1802 PKCS7_free(p7); 1803 return 0; 1804 } 1805 } 1806 if(verb >= 2) printf("setup the X509_STORE\n"); 1807 1808 /* check what is in the Subject name of the certificates, 1809 * and build a stack that contains only the right certificates */ 1810 validsigners = get_valid_signers(p7, p7signer); 1811 if(!validsigners) { 1812 X509_STORE_free(store); 1813 PKCS7_free(p7); 1814 return 0; 1815 } 1816 if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) { 1817 secure = 1; 1818 if(verb) printf("the PKCS7 signature verified\n"); 1819 } else { 1820 if(verb) { 1821 ERR_print_errors_fp(stdout); 1822 } 1823 } 1824 1825 sk_X509_free(validsigners); 1826 X509_STORE_free(store); 1827 PKCS7_free(p7); 1828 return secure; 1829 } 1830 1831 /** write unsigned root anchor file, a 5011 revoked tp */ 1832 static void 1833 write_unsigned_root(const char* root_anchor_file) 1834 { 1835 FILE* out; 1836 time_t now = time(NULL); 1837 out = fopen(root_anchor_file, "w"); 1838 if(!out) { 1839 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno)); 1840 return; 1841 } 1842 if(fprintf(out, "; autotrust trust anchor file\n" 1843 ";;REVOKED\n" 1844 ";;id: . 1\n" 1845 "; This file was written by unbound-anchor on %s" 1846 "; It indicates that the root does not use DNSSEC\n" 1847 "; to restart DNSSEC overwrite this file with a\n" 1848 "; valid trustanchor or (empty-it and run unbound-anchor)\n" 1849 , ctime(&now)) < 0) { 1850 if(verb) printf("failed to write 'unsigned' to %s\n", 1851 root_anchor_file); 1852 if(verb && errno != 0) printf("%s\n", strerror(errno)); 1853 } 1854 fflush(out); 1855 #ifdef HAVE_FSYNC 1856 fsync(fileno(out)); 1857 #else 1858 FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out))); 1859 #endif 1860 fclose(out); 1861 } 1862 1863 /** write root anchor file */ 1864 static void 1865 write_root_anchor(const char* root_anchor_file, BIO* ds) 1866 { 1867 char* pp = NULL; 1868 int len; 1869 FILE* out; 1870 (void)BIO_seek(ds, 0); 1871 len = BIO_get_mem_data(ds, &pp); 1872 if(!len || !pp) { 1873 if(verb) printf("out of memory\n"); 1874 return; 1875 } 1876 out = fopen(root_anchor_file, "w"); 1877 if(!out) { 1878 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno)); 1879 return; 1880 } 1881 if(fwrite(pp, (size_t)len, 1, out) != 1) { 1882 if(verb) printf("failed to write all data to %s\n", 1883 root_anchor_file); 1884 if(verb && errno != 0) printf("%s\n", strerror(errno)); 1885 } 1886 fflush(out); 1887 #ifdef HAVE_FSYNC 1888 fsync(fileno(out)); 1889 #else 1890 FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out))); 1891 #endif 1892 fclose(out); 1893 } 1894 1895 /** Perform the verification and update of the trustanchor file */ 1896 static void 1897 verify_and_update_anchor(const char* root_anchor_file, BIO* xml, BIO* p7s, 1898 STACK_OF(X509)* cert, const char* p7signer) 1899 { 1900 BIO* ds; 1901 1902 /* verify xml file */ 1903 if(!verify_p7sig(xml, p7s, cert, p7signer)) { 1904 printf("the PKCS7 signature failed\n"); 1905 exit(0); 1906 } 1907 1908 /* parse the xml file into DS records */ 1909 ds = xml_parse(xml, time(NULL)); 1910 if(!ds) { 1911 /* the root zone is unsigned now */ 1912 write_unsigned_root(root_anchor_file); 1913 } else { 1914 /* reinstate 5011 tracking */ 1915 write_root_anchor(root_anchor_file, ds); 1916 } 1917 BIO_free(ds); 1918 } 1919 1920 #ifdef USE_WINSOCK 1921 static void do_wsa_cleanup(void) { WSACleanup(); } 1922 #endif 1923 1924 /** perform actual certupdate work */ 1925 static int 1926 do_certupdate(const char* root_anchor_file, const char* root_cert_file, 1927 const char* urlname, const char* xmlname, const char* p7sname, 1928 const char* p7signer, const char* res_conf, const char* root_hints, 1929 const char* debugconf, const char* srcaddr, int ip4only, int ip6only, 1930 int port, int use_sni) 1931 1932 { 1933 STACK_OF(X509)* cert; 1934 BIO *xml, *p7s; 1935 struct ip_list* ip_list = NULL; 1936 struct ip_list* src = NULL; 1937 1938 /* read pem file or provide builtin */ 1939 cert = read_cert_or_builtin(root_cert_file); 1940 1941 /* lookup A, AAAA for the urlname (or parse urlname if IP address) */ 1942 ip_list = resolve_name(urlname, port, res_conf, root_hints, debugconf, 1943 srcaddr, ip4only, ip6only); 1944 1945 if(srcaddr && !(src = parse_ip_addr(srcaddr, 0))) { 1946 if(verb) printf("cannot parse source address: %s\n", srcaddr); 1947 exit(0); 1948 } 1949 1950 #ifdef USE_WINSOCK 1951 if(1) { /* libunbound finished, startup WSA for the https connection */ 1952 WSADATA wsa_data; 1953 int r; 1954 if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) { 1955 if(verb) printf("WSAStartup failed: %s\n", 1956 wsa_strerror(r)); 1957 exit(0); 1958 } 1959 atexit(&do_wsa_cleanup); 1960 } 1961 #endif 1962 1963 /* fetch the necessary files over HTTPS */ 1964 xml = https(ip_list, xmlname, urlname, src, use_sni); 1965 p7s = https(ip_list, p7sname, urlname, src, use_sni); 1966 1967 /* verify and update the root anchor */ 1968 verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer); 1969 if(verb) printf("success: the anchor has been updated " 1970 "using the cert\n"); 1971 1972 BIO_free(xml); 1973 BIO_free(p7s); 1974 #ifndef S_SPLINT_S 1975 sk_X509_pop_free(cert, X509_free); 1976 #endif 1977 ip_list_free(ip_list); 1978 return 1; 1979 } 1980 1981 /** 1982 * Try to read the root RFC5011 autotrust anchor file, 1983 * @param file: filename. 1984 * @return: 1985 * 0 if does not exist or empty 1986 * 1 if trust-point-revoked-5011 1987 * 2 if it is OK. 1988 */ 1989 static int 1990 try_read_anchor(const char* file) 1991 { 1992 int empty = 1; 1993 char line[10240]; 1994 char* p; 1995 FILE* in = fopen(file, "r"); 1996 if(!in) { 1997 /* only if the file does not exist, can we fix it */ 1998 if(errno != ENOENT) { 1999 if(verb) printf("%s: %s\n", file, strerror(errno)); 2000 if(verb) printf("error: cannot access the file\n"); 2001 exit(0); 2002 } 2003 if(verb) printf("%s does not exist\n", file); 2004 return 0; 2005 } 2006 while(fgets(line, (int)sizeof(line), in)) { 2007 line[sizeof(line)-1] = 0; 2008 if(strncmp(line, ";;REVOKED", 9) == 0) { 2009 fclose(in); 2010 if(verb) printf("%s : the trust point is revoked\n" 2011 "and the zone is considered unsigned.\n" 2012 "if you wish to re-enable, delete the file\n", 2013 file); 2014 return 1; 2015 } 2016 p=line; 2017 while(*p == ' ' || *p == '\t') 2018 p++; 2019 if(p[0]==0 || p[0]=='\n' || p[0]==';') continue; 2020 /* this line is a line of content */ 2021 empty = 0; 2022 } 2023 fclose(in); 2024 if(empty) { 2025 if(verb) printf("%s is empty\n", file); 2026 return 0; 2027 } 2028 if(verb) printf("%s has content\n", file); 2029 return 2; 2030 } 2031 2032 /** Write the builtin root anchor to a file */ 2033 static void 2034 write_builtin_anchor(const char* file) 2035 { 2036 const char* builtin_root_anchor = get_builtin_ds(); 2037 FILE* out = fopen(file, "w"); 2038 if(!out) { 2039 printf("could not write builtin anchor, to file %s: %s\n", 2040 file, strerror(errno)); 2041 return; 2042 } 2043 if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) { 2044 printf("could not complete write builtin anchor, to file %s: %s\n", 2045 file, strerror(errno)); 2046 } 2047 fclose(out); 2048 } 2049 2050 /** 2051 * Check the root anchor file. 2052 * If does not exist, provide builtin and write file. 2053 * If empty, provide builtin and write file. 2054 * If trust-point-revoked-5011 file: make the program exit. 2055 * @param root_anchor_file: filename of the root anchor. 2056 * @param used_builtin: set to 1 if the builtin is written. 2057 * @return 0 if trustpoint is insecure, 1 on success. Exit on failure. 2058 */ 2059 static int 2060 provide_builtin(const char* root_anchor_file, int* used_builtin) 2061 { 2062 /* try to read it */ 2063 switch(try_read_anchor(root_anchor_file)) 2064 { 2065 case 0: /* no exist or empty */ 2066 write_builtin_anchor(root_anchor_file); 2067 *used_builtin = 1; 2068 break; 2069 case 1: /* revoked tp */ 2070 return 0; 2071 case 2: /* it is fine */ 2072 default: 2073 break; 2074 } 2075 return 1; 2076 } 2077 2078 /** 2079 * add an autotrust anchor for the root to the context 2080 */ 2081 static void 2082 add_5011_probe_root(struct ub_ctx* ctx, const char* root_anchor_file) 2083 { 2084 int r; 2085 r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file); 2086 if(r) { 2087 if(verb) printf("add 5011 probe to ctx: %s\n", ub_strerror(r)); 2088 ub_ctx_delete(ctx); 2089 exit(0); 2090 } 2091 } 2092 2093 /** 2094 * Prime the root key and return the result. Exit on error. 2095 * @param ctx: the unbound context to perform the priming with. 2096 * @return: the result of the prime, on error it exit()s. 2097 */ 2098 static struct ub_result* 2099 prime_root_key(struct ub_ctx* ctx) 2100 { 2101 struct ub_result* res = NULL; 2102 int r; 2103 r = ub_resolve(ctx, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, &res); 2104 if(r) { 2105 if(verb) printf("resolve DNSKEY: %s\n", ub_strerror(r)); 2106 ub_ctx_delete(ctx); 2107 exit(0); 2108 } 2109 if(!res) { 2110 if(verb) printf("out of memory\n"); 2111 ub_ctx_delete(ctx); 2112 exit(0); 2113 } 2114 return res; 2115 } 2116 2117 /** see if ADDPEND keys exist in autotrust file (if possible) */ 2118 static int 2119 read_if_pending_keys(const char* file) 2120 { 2121 FILE* in = fopen(file, "r"); 2122 char line[8192]; 2123 if(!in) { 2124 if(verb>=2) printf("%s: %s\n", file, strerror(errno)); 2125 return 0; 2126 } 2127 while(fgets(line, (int)sizeof(line), in)) { 2128 if(line[0]==';') continue; 2129 if(strstr(line, "[ ADDPEND ]")) { 2130 fclose(in); 2131 if(verb) printf("RFC5011-state has ADDPEND keys\n"); 2132 return 1; 2133 } 2134 } 2135 fclose(in); 2136 return 0; 2137 } 2138 2139 /** read last successful probe time from autotrust file (if possible) */ 2140 static int32_t 2141 read_last_success_time(const char* file) 2142 { 2143 FILE* in = fopen(file, "r"); 2144 char line[1024]; 2145 if(!in) { 2146 if(verb) printf("%s: %s\n", file, strerror(errno)); 2147 return 0; 2148 } 2149 while(fgets(line, (int)sizeof(line), in)) { 2150 if(strncmp(line, ";;last_success: ", 16) == 0) { 2151 char* e; 2152 time_t x = (unsigned int)strtol(line+16, &e, 10); 2153 fclose(in); 2154 if(line+16 == e) { 2155 if(verb) printf("failed to parse " 2156 "last_success probe time\n"); 2157 return 0; 2158 } 2159 if(verb) printf("last successful probe: %s", ctime(&x)); 2160 return (int32_t)x; 2161 } 2162 } 2163 fclose(in); 2164 if(verb) printf("no last_success probe time in anchor file\n"); 2165 return 0; 2166 } 2167 2168 /** 2169 * Read autotrust 5011 probe file and see if the date 2170 * compared to the current date allows a certupdate. 2171 * If the last successful probe was recent then 5011 cannot be behind, 2172 * and the failure cannot be solved with a certupdate. 2173 * The debugconf is to validation-override the date for testing. 2174 * @param root_anchor_file: filename of root key 2175 * @return true if certupdate is ok. 2176 */ 2177 static int 2178 probe_date_allows_certupdate(const char* root_anchor_file) 2179 { 2180 int has_pending_keys = read_if_pending_keys(root_anchor_file); 2181 int32_t last_success = read_last_success_time(root_anchor_file); 2182 int32_t now = (int32_t)time(NULL); 2183 int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */ 2184 /* if the date is before 2010-07-15:00.00.00 then the root has not 2185 * been signed yet, and thus we refuse to take action. */ 2186 if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) { 2187 if(verb) printf("the date is before the root was first signed," 2188 " please correct the clock\n"); 2189 return 0; 2190 } 2191 if(last_success == 0) 2192 return 1; /* no probe time */ 2193 if(has_pending_keys) 2194 return 1; /* key in ADDPEND state, a previous probe has 2195 inserted that, and it was present in all recent probes, 2196 but it has not become active. The 30 day timer may not have 2197 expired, but we know(for sure) there is a rollover going on. 2198 If we only managed to pickup the new key on its last day 2199 of announcement (for example) this can happen. */ 2200 if(now - last_success < 0) { 2201 if(verb) printf("the last successful probe is in the future," 2202 " clock was modified\n"); 2203 return 0; 2204 } 2205 if(now - last_success >= leeway) { 2206 if(verb) printf("the last successful probe was more than 30 " 2207 "days ago\n"); 2208 return 1; 2209 } 2210 if(verb) printf("the last successful probe is recent\n"); 2211 return 0; 2212 } 2213 2214 static struct ub_result * 2215 fetch_root_key(const char* root_anchor_file, const char* res_conf, 2216 const char* root_hints, const char* debugconf, const char* srcaddr, 2217 int ip4only, int ip6only) 2218 { 2219 struct ub_ctx* ctx; 2220 struct ub_result* dnskey; 2221 2222 ctx = create_unbound_context(res_conf, root_hints, debugconf, 2223 srcaddr, ip4only, ip6only); 2224 add_5011_probe_root(ctx, root_anchor_file); 2225 dnskey = prime_root_key(ctx); 2226 ub_ctx_delete(ctx); 2227 return dnskey; 2228 } 2229 2230 /** perform the unbound-anchor work */ 2231 static int 2232 do_root_update_work(const char* root_anchor_file, const char* root_cert_file, 2233 const char* urlname, const char* xmlname, const char* p7sname, 2234 const char* p7signer, const char* res_conf, const char* root_hints, 2235 const char* debugconf, const char* srcaddr, int ip4only, int ip6only, 2236 int force, int res_conf_fallback, int port, int use_sni) 2237 { 2238 struct ub_result* dnskey; 2239 int used_builtin = 0; 2240 int rcode; 2241 2242 /* see if builtin rootanchor needs to be provided, or if 2243 * rootanchor is 'revoked-trust-point' */ 2244 if(!provide_builtin(root_anchor_file, &used_builtin)) 2245 return 0; 2246 2247 /* make unbound context with 5011-probe for root anchor, 2248 * and probe . DNSKEY */ 2249 dnskey = fetch_root_key(root_anchor_file, res_conf, 2250 root_hints, debugconf, srcaddr, ip4only, ip6only); 2251 rcode = dnskey->rcode; 2252 2253 if (res_conf_fallback && res_conf && !dnskey->secure) { 2254 if (verb) printf("%s failed, retrying direct\n", res_conf); 2255 ub_resolve_free(dnskey); 2256 /* try direct query without res_conf */ 2257 dnskey = fetch_root_key(root_anchor_file, NULL, 2258 root_hints, debugconf, srcaddr, ip4only, ip6only); 2259 if (rcode != 0 && dnskey->rcode == 0) { 2260 res_conf = NULL; 2261 rcode = 0; 2262 } 2263 } 2264 2265 /* if secure: exit */ 2266 if(dnskey->secure && !force) { 2267 if(verb) printf("success: the anchor is ok\n"); 2268 ub_resolve_free(dnskey); 2269 return used_builtin; 2270 } 2271 if(force && verb) printf("debug cert update forced\n"); 2272 ub_resolve_free(dnskey); 2273 2274 /* if not (and NOERROR): check date and do certupdate */ 2275 if((rcode == 0 && 2276 probe_date_allows_certupdate(root_anchor_file)) || force) { 2277 if(do_certupdate(root_anchor_file, root_cert_file, urlname, 2278 xmlname, p7sname, p7signer, res_conf, root_hints, 2279 debugconf, srcaddr, ip4only, ip6only, port, use_sni)) 2280 return 1; 2281 return used_builtin; 2282 } 2283 if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n"); 2284 return used_builtin; 2285 } 2286 2287 /** getopt global, in case header files fail to declare it. */ 2288 extern int optind; 2289 /** getopt global, in case header files fail to declare it. */ 2290 extern char* optarg; 2291 2292 /** Main routine for unbound-anchor */ 2293 int main(int argc, char* argv[]) 2294 { 2295 int c; 2296 const char* root_anchor_file = ROOT_ANCHOR_FILE; 2297 const char* root_cert_file = ROOT_CERT_FILE; 2298 const char* urlname = URLNAME; 2299 const char* xmlname = XMLNAME; 2300 const char* p7sname = P7SNAME; 2301 const char* p7signer = P7SIGNER; 2302 const char* res_conf = NULL; 2303 const char* root_hints = NULL; 2304 const char* debugconf = NULL; 2305 const char* srcaddr = NULL; 2306 int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT; 2307 int res_conf_fallback = 0; 2308 int use_sni = 1; 2309 /* parse the options */ 2310 while( (c=getopt(argc, argv, "46C:FRSP:a:b:c:f:hln:r:s:u:vx:")) != -1) { 2311 switch(c) { 2312 case 'l': 2313 dolist = 1; 2314 break; 2315 case '4': 2316 ip4only = 1; 2317 break; 2318 case '6': 2319 ip6only = 1; 2320 break; 2321 case 'a': 2322 root_anchor_file = optarg; 2323 break; 2324 case 'b': 2325 srcaddr = optarg; 2326 break; 2327 case 'c': 2328 root_cert_file = optarg; 2329 break; 2330 case 'u': 2331 urlname = optarg; 2332 break; 2333 case 'S': 2334 use_sni = 0; 2335 break; 2336 case 'x': 2337 xmlname = optarg; 2338 break; 2339 case 's': 2340 p7sname = optarg; 2341 break; 2342 case 'n': 2343 p7signer = optarg; 2344 break; 2345 case 'f': 2346 res_conf = optarg; 2347 break; 2348 case 'r': 2349 root_hints = optarg; 2350 break; 2351 case 'R': 2352 res_conf_fallback = 1; 2353 break; 2354 case 'C': 2355 debugconf = optarg; 2356 break; 2357 case 'F': 2358 force = 1; 2359 break; 2360 case 'P': 2361 port = atoi(optarg); 2362 break; 2363 case 'v': 2364 verb++; 2365 break; 2366 case '?': 2367 case 'h': 2368 default: 2369 usage(); 2370 } 2371 } 2372 argc -= optind; 2373 /* argv += optind; not using further arguments */ 2374 if(argc != 0) 2375 usage(); 2376 2377 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS 2378 ERR_load_crypto_strings(); 2379 #endif 2380 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) 2381 ERR_load_SSL_strings(); 2382 #endif 2383 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) 2384 # ifndef S_SPLINT_S 2385 OpenSSL_add_all_algorithms(); 2386 # endif 2387 #else 2388 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS 2389 | OPENSSL_INIT_ADD_ALL_DIGESTS 2390 | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); 2391 #endif 2392 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) 2393 (void)SSL_library_init(); 2394 #else 2395 (void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); 2396 #endif 2397 2398 if(dolist) do_list_builtin(); 2399 2400 return do_root_update_work(root_anchor_file, root_cert_file, urlname, 2401 xmlname, p7sname, p7signer, res_conf, root_hints, debugconf, 2402 srcaddr, ip4only, ip6only, force, res_conf_fallback, port, use_sni); 2403 } 2404