2 * unbound-anchor.c - update the root anchor if necessary.
4 * Copyright (c) 2010, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
39 * This file checks to see that the current 5011 keys work to prime the
40 * current root anchor. If not a certificate is used to update the anchor.
42 * This is a concept solution for distribution of the DNSSEC root
43 * trust anchor. It is a small tool, called "unbound-anchor", that
44 * runs before the main validator starts. I.e. in the init script:
45 * unbound-anchor; unbound. Thus it is meant to run at system boot time.
47 * Management-Abstract:
48 * * first run: fill root.key file with hardcoded DS record.
49 * * mostly: use RFC5011 tracking, quick . DNSKEY UDP query.
50 * * failover: use builtin certificate, do https and update.
51 * Special considerations:
52 * * 30-days RFC5011 timer saves a lot of https traffic.
53 * * DNSKEY probe must be NOERROR, saves a lot of https traffic.
54 * * fail if clock before sign date of the root, if cert expired.
55 * * if the root goes back to unsigned, deals with it.
57 * It has hardcoded the root DS anchors and the ICANN CA root certificate.
58 * It allows with options to override those. It also takes root-hints (it
59 * has to do a DNS resolve), and also has hardcoded defaults for those.
61 * Once it starts, just before the validator starts, it quickly checks if
62 * the root anchor file needs to be updated. First it tries to use
63 * RFC5011-tracking of the root key. If that fails (and for 30-days since
64 * last successful probe), then it attempts to update using the
65 * certificate. So most of the time, the RFC5011 tracking will work fine,
66 * and within a couple milliseconds, the main daemon can start. It will
67 * have only probed the . DNSKEY, not done expensive https transfers on the
68 * root infrastructure.
70 * If there is no root key in the root.key file, it bootstraps the
71 * RFC5011-tracking with its builtin DS anchors; if that fails it
72 * bootstraps the RFC5011-tracking using the certificate. (again to avoid
73 * https, and it is also faster).
75 * It uses the XML file by converting it to DS records and writing that to the
76 * key file. Unbound can detect that the 'special comments' are gone, and
77 * the file contains a list of normal DNSKEY/DS records, and uses that to
78 * bootstrap 5011 (the KSK is made VALID).
80 * The certificate update is done by fetching root-anchors.xml and
81 * root-anchors.p7s via SSL. The HTTPS certificate can be logged but is
82 * not validated (https for channel security; the security comes from the
83 * certificate). The 'data.iana.org' domain name A and AAAA are resolved
84 * without DNSSEC. It tries a random IP until the transfer succeeds. It
85 * then checks the p7s signature.
87 * On any failure, it leaves the root key file untouched. The main
88 * validator has to cope with it, it cannot fix things (So a failure does
89 * not go 'without DNSSEC', no downgrade). If it used its builtin stuff or
90 * did the https, it exits with an exit code, so that this can trigger the
91 * init script to log the event and potentially alert the operator that can
94 * The date is also checked. Before 2010-07-15 is a failure (root not
95 * signed yet; avoids attacks on system clock). The
96 * last-successful-RFC5011-probe (if available) has to be more than 30 days
97 * in the past (otherwise, RFC5011 should have worked). This keeps
98 * unneccesary https traffic down. If the main certificate is expired, it
101 * The dates on the keys in the xml are checked (uses the libexpat xml
102 * parser), only the valid ones are used to re-enstate RFC5011 tracking.
103 * If 0 keys are valid, the zone has gone to insecure (a special marker is
104 * written in the keyfile that tells the main validator daemon the zone is
107 * Only the root ICANN CA is shipped, not the intermediate ones. The
108 * intermediate CAs are included in the p7s file that was downloaded. (the
109 * root cert is valid to 2028 and the intermediate to 2014, today).
111 * Obviously, the tool also has options so the operator can provide a new
112 * keyfile, a new certificate and new URLs, and fresh root hints. By
113 * default it logs nothing on failure and success; it 'just works'.
118 #include "libunbound/unbound.h"
122 #error "need libexpat to parse root-anchors.xml file."
127 #ifdef HAVE_OPENSSL_SSL_H
128 #include <openssl/ssl.h>
130 #ifdef HAVE_OPENSSL_ERR_H
131 #include <openssl/err.h>
133 #ifdef HAVE_OPENSSL_RAND_H
134 #include <openssl/rand.h>
136 #include <openssl/x509.h>
137 #include <openssl/pem.h>
139 /** name of server in URL to fetch HTTPS from */
140 #define URLNAME "data.iana.org"
141 /** path on HTTPS server to xml file */
142 #define XMLNAME "root-anchors/root-anchors.xml"
143 /** path on HTTPS server to p7s file */
144 #define P7SNAME "root-anchors/root-anchors.p7s"
145 /** port number for https access */
146 #define HTTPS_PORT 443
149 /* sneakily reuse the the wsa_strerror function, on windows */
150 char* wsa_strerror(int err);
153 /** verbosity for this application */
156 /** list of IP addresses */
159 struct ip_list* next;
160 /** length of addr */
162 /** address ready to connect to */
163 struct sockaddr_storage addr;
164 /** has the address been used */
168 /** Give unbound-anchor usage, and exit (1). */
172 printf("Usage: unbound-anchor [opts]\n");
173 printf(" Setup or update root anchor. "
174 "Most options have defaults.\n");
175 printf(" Run this program before you start the validator.\n");
177 printf(" The anchor and cert have default builtin content\n");
178 printf(" if the file does not exist or is empty.\n");
180 printf("-a file root key file, default %s\n", ROOT_ANCHOR_FILE);
181 printf(" The key is input and output for this tool.\n");
182 printf("-c file cert file, default %s\n", ROOT_CERT_FILE);
183 printf("-l list builtin key and cert on stdout\n");
184 printf("-u name server in https url, default %s\n", URLNAME);
185 printf("-x path pathname to xml in url, default %s\n", XMLNAME);
186 printf("-s path pathname to p7s in url, default %s\n", P7SNAME);
187 printf("-4 work using IPv4 only\n");
188 printf("-6 work using IPv6 only\n");
189 printf("-f resolv.conf use given resolv.conf to resolve -u name\n");
190 printf("-r root.hints use given root.hints to resolve -u name\n"
191 " builtin root hints are used by default\n");
192 printf("-v more verbose\n");
193 printf("-C conf debug, read config\n");
194 printf("-P port use port for https connect, default 443\n");
195 printf("-F debug, force update with cert\n");
196 printf("-h show this usage help\n");
197 printf("Version %s\n", PACKAGE_VERSION);
198 printf("BSD licensed, see LICENSE in source package for details.\n");
199 printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
203 /** return the built in root update certificate */
205 get_builtin_cert(void)
208 /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */
209 "-----BEGIN CERTIFICATE-----\n"
210 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
211 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
212 "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
213 "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
214 "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
215 "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
216 "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
217 "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
218 "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
219 "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
220 "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
221 "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
222 "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
223 "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
224 "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
225 "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
226 "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
227 "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
228 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
229 "-----END CERTIFICATE-----\n"
233 /** return the built in root DS trust anchor */
238 ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
241 /** print hex data */
243 print_data(char* msg, char* data, int len)
247 for(i=0; i<len; i++) {
248 printf(" %2.2x", (unsigned char)data[i]);
253 /** print ub context creation error and exit */
255 ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2)
258 if(str && str2 && verb) printf("%s: %s\n", str, str2);
259 if(verb) printf("error: could not create unbound resolver context\n");
264 * Create a new unbound context with the commandline settings applied
266 static struct ub_ctx*
267 create_unbound_context(char* res_conf, char* root_hints, char* debugconf,
268 int ip4only, int ip6only)
271 struct ub_ctx* ctx = ub_ctx_create();
273 if(verb) printf("out of memory\n");
276 /* do not waste time and network traffic to fetch extra nameservers */
277 r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0");
278 if(r && verb) printf("ctx targetfetchpolicy: %s\n", ub_strerror(r));
279 /* read config file first, so its settings can be overridden */
281 r = ub_ctx_config(ctx, debugconf);
282 if(r) ub_ctx_error_exit(ctx, debugconf, ub_strerror(r));
285 r = ub_ctx_resolvconf(ctx, res_conf);
286 if(r) ub_ctx_error_exit(ctx, res_conf, ub_strerror(r));
289 r = ub_ctx_set_option(ctx, "root-hints:", root_hints);
290 if(r) ub_ctx_error_exit(ctx, root_hints, ub_strerror(r));
293 r = ub_ctx_set_option(ctx, "do-ip6:", "no");
294 if(r) ub_ctx_error_exit(ctx, "ip4only", ub_strerror(r));
297 r = ub_ctx_set_option(ctx, "do-ip4:", "no");
298 if(r) ub_ctx_error_exit(ctx, "ip6only", ub_strerror(r));
303 /** printout certificate in detail */
305 verb_cert(char* msg, X509* x)
307 if(verb == 0 || verb == 1) return;
309 if(msg) printf("%s\n", msg);
310 X509_print_ex_fp(stdout, x, 0, (unsigned long)-1
311 ^(X509_FLAG_NO_SUBJECT
312 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY));
315 if(msg) printf("%s\n", msg);
316 X509_print_fp(stdout, x);
319 /** printout certificates in detail */
321 verb_certs(char* msg, STACK_OF(X509)* sk)
323 int i, num = sk_X509_num(sk);
324 if(verb == 0 || verb == 1) return;
325 for(i=0; i<num; i++) {
326 printf("%s (%d/%d)\n", msg, i, num);
327 verb_cert(NULL, sk_X509_value(sk, i));
331 /** read certificates from a PEM bio */
332 static STACK_OF(X509)*
333 read_cert_bio(BIO* bio)
335 STACK_OF(X509) *sk = sk_X509_new_null();
337 if(verb) printf("out of memory\n");
340 while(!BIO_eof(bio)) {
341 X509* x = PEM_read_bio_X509(bio, NULL, 0, NULL);
344 printf("failed to read X509\n");
345 ERR_print_errors_fp(stdout);
349 if(!sk_X509_push(sk, x)) {
350 if(verb) printf("out of memory\n");
357 /* read the certificate file */
358 static STACK_OF(X509)*
359 read_cert_file(char* file)
365 if(file == NULL || strcmp(file, "") == 0) {
368 sk = sk_X509_new_null();
370 if(verb) printf("out of memory\n");
373 in = fopen(file, "r");
375 if(verb) printf("%s: %s\n", file, strerror(errno));
377 sk_X509_pop_free(sk, X509_free);
382 X509* x = PEM_read_X509(in, NULL, 0, NULL);
385 printf("failed to read X509 file\n");
386 ERR_print_errors_fp(stdout);
390 if(!sk_X509_push(sk, x)) {
391 if(verb) printf("out of memory\n");
396 /* read away newline after --END CERT-- */
397 if(!fgets(buf, (int)sizeof(buf), in))
402 if(verb) printf("%s is empty\n", file);
404 sk_X509_pop_free(sk, X509_free);
411 /** read certificates from the builtin certificate */
412 static STACK_OF(X509)*
413 read_builtin_cert(void)
415 const char* builtin_cert = get_builtin_cert();
417 BIO *bio = BIO_new_mem_buf((void*)builtin_cert,
418 (int)strlen(builtin_cert));
420 if(verb) printf("out of memory\n");
423 sk = read_cert_bio(bio);
425 if(verb) printf("internal error, out of memory\n");
432 /** read update cert file or use builtin */
433 static STACK_OF(X509)*
434 read_cert_or_builtin(char* file)
436 STACK_OF(X509) *sk = read_cert_file(file);
438 if(verb) printf("using builtin certificate\n");
439 sk = read_builtin_cert();
441 if(verb) printf("have %d trusted certificates\n", sk_X509_num(sk));
442 verb_certs("trusted certificates", sk);
447 do_list_builtin(void)
449 const char* builtin_cert = get_builtin_cert();
450 const char* builtin_ds = get_builtin_ds();
451 printf("%s\n", builtin_ds);
452 printf("%s\n", builtin_cert);
456 /** printout IP address with message */
458 verb_addr(char* msg, struct ip_list* ip)
462 void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr;
463 if(ip->len != (socklen_t)sizeof(struct sockaddr_in))
464 a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr;
466 if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family,
467 a, out, (socklen_t)sizeof(out))==0)
468 printf("%s (inet_ntop error)\n", msg);
469 else printf("%s %s\n", msg, out);
475 ip_list_free(struct ip_list* p)
485 /** create ip_list entry for a RR record */
486 static struct ip_list*
487 RR_to_ip(int tp, char* data, int len, int port)
489 struct ip_list* ip = (struct ip_list*)calloc(1, sizeof(*ip));
490 uint16_t p = (uint16_t)port;
491 if(tp == LDNS_RR_TYPE_A) {
492 struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr;
493 ip->len = (socklen_t)sizeof(*sa);
494 sa->sin_family = AF_INET;
495 sa->sin_port = (in_port_t)htons(p);
496 if(len != (int)sizeof(sa->sin_addr)) {
497 if(verb) printf("skipped badly formatted A\n");
501 memmove(&sa->sin_addr, data, sizeof(sa->sin_addr));
503 } else if(tp == LDNS_RR_TYPE_AAAA) {
504 struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr;
505 ip->len = (socklen_t)sizeof(*sa);
506 sa->sin6_family = AF_INET6;
507 sa->sin6_port = (in_port_t)htons(p);
508 if(len != (int)sizeof(sa->sin6_addr)) {
509 if(verb) printf("skipped badly formatted AAAA\n");
513 memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr));
515 if(verb) printf("internal error: bad type in RRtoip\n");
519 verb_addr("resolved server address", ip);
523 /** Resolve name, type, class and add addresses to iplist */
525 resolve_host_ip(struct ub_ctx* ctx, char* host, int port, int tp, int cl,
526 struct ip_list** head)
528 struct ub_result* res = NULL;
532 r = ub_resolve(ctx, host, tp, cl, &res);
534 if(verb) printf("error: resolve %s %s: %s\n", host,
535 (tp==LDNS_RR_TYPE_A)?"A":"AAAA", ub_strerror(r));
539 if(verb) printf("out of memory\n");
543 for(i = 0; res->data[i]; i++) {
544 struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i],
550 ub_resolve_free(res);
553 /** parse a text IP address into a sockaddr */
554 static struct ip_list*
555 parse_ip_addr(char* str, int port)
558 struct sockaddr_storage* addr = NULL;
559 struct sockaddr_in6 a6;
560 struct sockaddr_in a;
562 uint16_t p = (uint16_t)port;
563 memset(&a6, 0, sizeof(a6));
564 memset(&a, 0, sizeof(a));
566 if(inet_pton(AF_INET6, str, &a6.sin6_addr) > 0) {
568 a6.sin6_family = AF_INET6;
569 a6.sin6_port = (in_port_t)htons(p);
570 addr = (struct sockaddr_storage*)&a6;
571 len = (socklen_t)sizeof(struct sockaddr_in6);
573 if(inet_pton(AF_INET, str, &a.sin_addr) > 0) {
575 a.sin_family = AF_INET;
576 a.sin_port = (in_port_t)htons(p);
577 addr = (struct sockaddr_storage*)&a;
578 len = (socklen_t)sizeof(struct sockaddr_in);
580 if(!len) return NULL;
581 ip = (struct ip_list*)calloc(1, sizeof(*ip));
583 if(verb) printf("out of memory\n");
587 memmove(&ip->addr, addr, len);
588 if(verb) printf("server address is %s\n", str);
593 * Resolve a domain name (even though the resolver is down and there is
594 * no trust anchor). Without DNSSEC validation.
595 * @param host: the name to resolve.
596 * If this name is an IP4 or IP6 address this address is returned.
597 * @param port: the port number used for the returned IP structs.
598 * @param res_conf: resolv.conf (if any).
599 * @param root_hints: root hints (if any).
600 * @param debugconf: unbound.conf for debugging options.
601 * @param ip4only: use only ip4 for resolve and only lookup A
602 * @param ip6only: use only ip6 for resolve and only lookup AAAA
603 * default is to lookup A and AAAA using ip4 and ip6.
604 * @return list of IP addresses.
606 static struct ip_list*
607 resolve_name(char* host, int port, char* res_conf, char* root_hints,
608 char* debugconf, int ip4only, int ip6only)
611 struct ip_list* list = NULL;
612 /* first see if name is an IP address itself */
613 if( (list=parse_ip_addr(host, port)) ) {
617 /* create resolver context */
618 ctx = create_unbound_context(res_conf, root_hints, debugconf,
621 /* try resolution of A */
623 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_A,
624 LDNS_RR_CLASS_IN, &list);
627 /* try resolution of AAAA */
629 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_AAAA,
630 LDNS_RR_CLASS_IN, &list);
635 if(verb) printf("%s has no IP addresses I can use\n", host);
641 /** clear used flags */
643 wipe_ip_usage(struct ip_list* p)
651 /** cound unused IPs */
653 count_unused(struct ip_list* p)
663 /** pick random unused element from IP list */
664 static struct ip_list*
665 pick_random_ip(struct ip_list* list)
667 struct ip_list* p = list;
668 int num = count_unused(list);
670 if(num == 0) return NULL;
671 /* not perfect, but random enough */
672 sel = (int)ldns_get_random() % num;
673 /* skip over unused elements that we did not select */
674 while(sel > 0 && p) {
678 /* find the next unused element */
681 if(!p) return NULL; /* robustness */
696 /** printout socket errno */
698 print_sock_err(const char* msg)
701 if(verb) printf("%s: %s\n", msg, strerror(errno));
703 if(verb) printf("%s: %s\n", msg, wsa_strerror(WSAGetLastError()));
707 /** connect to IP address */
709 connect_to_ip(struct ip_list* ip)
712 verb_addr("connect to", ip);
713 fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)?
714 AF_INET:AF_INET6, SOCK_STREAM, 0);
716 print_sock_err("socket");
719 if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) {
720 print_sock_err("connect");
727 /** create SSL context */
731 SSL_CTX* sslctx = SSL_CTX_new(SSLv23_client_method());
733 if(verb) printf("SSL_CTX_new error\n");
739 /** initiate TLS on a connection */
741 TLS_initiate(SSL_CTX* sslctx, int fd)
745 SSL* ssl = SSL_new(sslctx);
747 if(verb) printf("SSL_new error\n");
750 SSL_set_connect_state(ssl);
751 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
752 if(!SSL_set_fd(ssl, fd)) {
753 if(verb) printf("SSL_set_fd error\n");
759 if( (r=SSL_do_handshake(ssl)) == 1)
761 r = SSL_get_error(ssl, r);
762 if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) {
763 if(verb) printf("SSL handshake failed\n");
767 /* wants to be called again */
769 x = SSL_get_peer_certificate(ssl);
771 if(verb) printf("Server presented no peer certificate\n");
775 verb_cert("server SSL certificate", x);
780 /** perform neat TLS shutdown */
782 TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx)
784 /* shutdown the SSL connection nicely */
785 if(SSL_shutdown(ssl) == 0) {
789 SSL_CTX_free(sslctx);
793 /** write a line over SSL */
795 write_ssl_line(SSL* ssl, char* str, char* sec)
800 snprintf(buf, sizeof(buf), str, sec);
802 snprintf(buf, sizeof(buf), "%s", str);
805 if(l+2 >= sizeof(buf)) {
806 if(verb) printf("line too long\n");
809 if(verb >= 2) printf("SSL_write: %s\n", buf);
814 if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) {
815 if(verb) printf("could not SSL_write %s", str);
821 /** process header line, check rcode and keeping track of size */
823 process_one_header(char* buf, size_t* clen, int* chunked)
825 if(verb>=2) printf("header: '%s'\n", buf);
826 if(strncasecmp(buf, "HTTP/1.1 ", 9) == 0) {
827 /* check returncode */
829 if(verb) printf("bad status %s\n", buf+9);
832 } else if(strncasecmp(buf, "Content-Length: ", 16) == 0) {
834 *clen = (size_t)atoi(buf+16);
835 } else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) {
843 * Read one line from SSL
845 * skips "\r\n" (but not copied to buf).
846 * @param ssl: the SSL connection to read from (blocking).
847 * @param buf: buffer to return line in.
848 * @param len: size of the buffer.
849 * @return 0 on error, 1 on success.
852 read_ssl_line(SSL* ssl, char* buf, size_t len)
859 if(verb) printf("line too long\n");
862 if((r = SSL_read(ssl, buf+n, 1)) <= 0) {
863 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
867 if(verb) printf("could not SSL_read\n");
870 if(endnl && buf[n] == '\n') {
874 if(verb) printf("error: stray linefeeds\n");
876 } else if(buf[n] == '\r') {
877 /* skip \r, and also \n on the wire */
880 } else if(buf[n] == '\n') {
881 /* skip the \n, we are done */
889 /** read http headers and process them */
891 read_http_headers(SSL* ssl, size_t* clen)
896 while(read_ssl_line(ssl, buf, sizeof(buf))) {
899 if(!process_one_header(buf, clen, &chunked))
905 /** read a data chunk */
907 read_data_chunk(SSL* ssl, size_t len)
911 char* data = malloc(len+1);
913 if(verb) printf("out of memory\n");
917 if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) {
918 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
920 if(verb) printf("could not SSL_read: unexpected EOF\n");
924 if(verb) printf("could not SSL_read\n");
928 if(verb >= 2) printf("at %d/%d\n", (int)got, (int)len);
931 if(verb>=2) printf("read %d data\n", (int)len);
936 /** parse chunk header */
938 parse_chunk_header(char* buf, size_t* result)
941 size_t v = (size_t)strtol(buf, &e, 16);
948 /** read chunked data from connection */
950 do_chunked_read(SSL* ssl)
955 BIO* mem = BIO_new(BIO_s_mem());
956 if(verb>=3) printf("do_chunked_read\n");
958 if(verb) printf("out of memory\n");
961 while(read_ssl_line(ssl, buf, sizeof(buf))) {
962 /* read the chunked start line */
963 if(verb>=2) printf("chunk header: %s\n", buf);
964 if(!parse_chunk_header(buf, &len)) {
966 if(verb>=3) printf("could not parse chunk header\n");
969 if(verb>=2) printf("chunk len: %d\n", (int)len);
973 /* skip end-of-chunk-trailer lines,
974 * until the empty line after that */
976 if(!read_ssl_line(ssl, buf, sizeof(buf))) {
980 } while (strlen(buf) > 0);
981 /* end of chunks, zero terminate it */
982 if(BIO_write(mem, &z, 1) <= 0) {
983 if(verb) printf("out of memory\n");
989 /* read the chunked body */
990 body = read_data_chunk(ssl, len);
995 if(BIO_write(mem, body, (int)len) <= 0) {
996 if(verb) printf("out of memory\n");
1002 /* skip empty line after data chunk */
1003 if(!read_ssl_line(ssl, buf, sizeof(buf))) {
1012 /** start HTTP1.1 transaction on SSL */
1014 write_http_get(SSL* ssl, char* pathname, char* urlname)
1016 if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) &&
1017 write_ssl_line(ssl, "Host: %s", urlname) &&
1018 write_ssl_line(ssl, "User-Agent: unbound-anchor/%s",
1020 /* We do not really do multiple queries per connection,
1021 * but this header setting is also not needed.
1022 * write_ssl_line(ssl, "Connection: close", NULL) &&*/
1023 write_ssl_line(ssl, "", NULL)) {
1029 /** read chunked data and zero terminate; len is without zero */
1031 read_chunked_zero_terminate(SSL* ssl, size_t* len)
1033 /* do the chunked version */
1034 BIO* tmp = do_chunked_read(ssl);
1035 char* data, *d = NULL;
1038 if(verb) printf("could not read from https\n");
1041 l = (size_t)BIO_get_mem_data(tmp, &d);
1042 if(verb>=2) printf("chunked data is %d\n", (int)l);
1043 if(l == 0 || d == NULL) {
1044 if(verb) printf("out of memory\n");
1048 data = (char*)malloc(l);
1050 if(verb) printf("out of memory\n");
1058 /** read HTTP result from SSL */
1060 read_http_result(SSL* ssl)
1065 if(!read_http_headers(ssl, &len)) {
1069 data = read_chunked_zero_terminate(ssl, &len);
1071 data = read_data_chunk(ssl, len);
1073 if(!data) return NULL;
1074 if(verb >= 4) print_data("read data", data, (int)len);
1075 m = BIO_new_mem_buf(data, (int)len);
1077 if(verb) printf("out of memory\n");
1083 /** https to an IP addr, return BIO with pathname or NULL */
1085 https_to_ip(struct ip_list* ip, char* pathname, char* urlname)
1090 SSL_CTX* sslctx = setup_sslctx();
1094 fd = connect_to_ip(ip);
1096 SSL_CTX_free(sslctx);
1099 ssl = TLS_initiate(sslctx, fd);
1101 SSL_CTX_free(sslctx);
1105 if(!write_http_get(ssl, pathname, urlname)) {
1106 if(verb) printf("could not write to server\n");
1108 SSL_CTX_free(sslctx);
1112 bio = read_http_result(ssl);
1113 TLS_shutdown(fd, ssl, sslctx);
1118 * Do a HTTPS, HTTP1.1 over TLS, to fetch a file
1119 * @param ip_list: list of IP addresses to use to fetch from.
1120 * @param pathname: pathname of file on server to GET.
1121 * @param urlname: name to pass as the virtual host for this request.
1122 * @return a memory BIO with the file in it.
1125 https(struct ip_list* ip_list, char* pathname, char* urlname)
1129 /* try random address first, and work through the list */
1130 wipe_ip_usage(ip_list);
1131 while( (ip = pick_random_ip(ip_list)) ) {
1133 bio = https_to_ip(ip, pathname, urlname);
1137 if(verb) printf("could not fetch %s\n", pathname);
1140 if(verb) printf("fetched %s (%d bytes)\n",
1141 pathname, (int)BIO_ctrl_pending(bio));
1146 /** free up a downloaded file BIO */
1148 free_file_bio(BIO* bio)
1151 (void)BIO_reset(bio);
1152 (void)BIO_get_mem_data(bio, &pp);
1157 /** XML parse private data during the parse */
1159 /** the parser, reference */
1161 /** the current tag; malloced; or NULL outside of tags */
1163 /** current date to use during the parse */
1165 /** number of keys usefully read in */
1167 /** the compiled anchors as DS records */
1170 /** do we want to use this anchor? */
1172 /** the current anchor: Zone */
1174 /** the current anchor: KeyTag */
1176 /** the current anchor: Algorithm */
1178 /** the current anchor: DigestType */
1180 /** the current anchor: Digest*/
1184 /** The BIO for the tag */
1186 xml_selectbio(struct xml_data* data, const char* tag)
1189 if(strcasecmp(tag, "KeyTag") == 0)
1191 else if(strcasecmp(tag, "Algorithm") == 0)
1193 else if(strcasecmp(tag, "DigestType") == 0)
1195 else if(strcasecmp(tag, "Digest") == 0)
1201 * XML handle character data, the data inside an element.
1202 * @param userData: xml_data structure
1203 * @param s: the character data. May not all be in one callback.
1204 * NOT zero terminated.
1205 * @param len: length of this part of the data.
1208 xml_charhandle(void *userData, const XML_Char *s, int len)
1210 struct xml_data* data = (struct xml_data*)userData;
1212 /* skip characters outside of elements */
1217 printf("%s%s charhandle: '",
1218 data->use_key?"use ":"",
1219 data->tag?data->tag:"none");
1220 for(i=0; i<len; i++)
1224 if(strcasecmp(data->tag, "Zone") == 0) {
1225 if(BIO_write(data->czone, s, len) <= 0) {
1226 if(verb) printf("out of memory in BIO_write\n");
1231 /* only store if key is used */
1234 b = xml_selectbio(data, data->tag);
1236 if(BIO_write(b, s, len) <= 0) {
1237 if(verb) printf("out of memory in BIO_write\n");
1244 * XML fetch value of particular attribute(by name) or NULL if not present.
1245 * @param atts: attribute array (from xml_startelem).
1246 * @param name: name of attribute to look for.
1247 * @return the value or NULL. (ptr into atts).
1249 static const XML_Char*
1250 find_att(const XML_Char **atts, XML_Char* name)
1253 for(i=0; atts[i]; i+=2) {
1254 if(strcasecmp(atts[i], name) == 0)
1261 * XML convert DateTime element to time_t.
1262 * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm]
1263 * (with optional .ssssss fractional seconds)
1264 * @param str: the string
1265 * @return a time_t representation or 0 on failure.
1268 xml_convertdate(const char* str)
1273 /* for this application, ignore minus in front;
1274 * only positive dates are expected */
1276 if(s[0] == '-') s++;
1277 memset(&tm, 0, sizeof(tm));
1278 /* parse initial content of the string (lots of whitespace allowed) */
1279 s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm);
1281 if(verb) printf("xml_convertdate parse failure %s\n", str);
1284 /* parse remainder of date string */
1286 /* optional '.' and fractional seconds */
1287 int frac = 0, n = 0;
1288 if(sscanf(s+1, "%d%n", &frac, &n) < 1) {
1289 if(verb) printf("xml_convertdate f failure %s\n", str);
1292 /* fraction is not used, time_t has second accuracy */
1296 if(*s == 'Z' || *s == 'z') {
1297 /* nothing to do for this */
1299 } else if(*s == '+' || *s == '-') {
1300 /* optional timezone spec: Z or +hh:mm or -hh:mm */
1301 int hr = 0, mn = 0, n = 0;
1302 if(sscanf(s+1, "%d:%d%n", &hr, &mn, &n) < 2) {
1303 if(verb) printf("xml_convertdate tz failure %s\n", str);
1317 /* not ended properly */
1318 /* but ignore, (lenient) */
1322 if(t == (time_t)-1) {
1323 if(verb) printf("xml_convertdate mktime failure\n");
1330 * XML handle the KeyDigest start tag, check validity periods.
1333 handle_keydigest(struct xml_data* data, const XML_Char **atts)
1336 if(find_att(atts, "validFrom")) {
1337 time_t from = xml_convertdate(find_att(atts, "validFrom"));
1339 if(verb) printf("error: xml cannot be parsed\n");
1342 if(data->date < from)
1345 if(find_att(atts, "validUntil")) {
1346 time_t until = xml_convertdate(find_att(atts, "validUntil"));
1348 if(verb) printf("error: xml cannot be parsed\n");
1351 if(data->date > until)
1354 /* yes we want to use this key */
1356 (void)BIO_reset(data->ctag);
1357 (void)BIO_reset(data->calgo);
1358 (void)BIO_reset(data->cdigtype);
1359 (void)BIO_reset(data->cdigest);
1362 /** See if XML element equals the zone name */
1364 xml_is_zone_name(BIO* zone, char* name)
1369 (void)BIO_seek(zone, 0);
1370 zlen = BIO_get_mem_data(zone, &z);
1371 if(!zlen || !z) return 0;
1372 /* zero terminate */
1373 if(zlen >= (long)sizeof(buf)) return 0;
1374 memmove(buf, z, (size_t)zlen);
1377 return (strncasecmp(buf, name, strlen(name)) == 0);
1381 * XML start of element. This callback is called whenever an XML tag starts.
1383 * @param userData: the xml_data structure.
1384 * @param name: the tag that starts.
1385 * @param atts: array of strings, pairs of attr = value, ends with NULL.
1386 * i.e. att[0]="att[1]" att[2]="att[3]" att[4]isNull
1389 xml_startelem(void *userData, const XML_Char *name, const XML_Char **atts)
1391 struct xml_data* data = (struct xml_data*)userData;
1393 if(verb>=4) printf("xml tag start '%s'\n", name);
1395 data->tag = strdup(name);
1397 if(verb) printf("out of memory\n");
1402 for(i=0; atts[i]; i+=2) {
1403 printf(" %s='%s'\n", atts[i], atts[i+1]);
1406 /* handle attributes to particular types */
1407 if(strcasecmp(name, "KeyDigest") == 0) {
1408 handle_keydigest(data, atts);
1410 } else if(strcasecmp(name, "Zone") == 0) {
1411 (void)BIO_reset(data->czone);
1415 /* for other types we prepare to pick up the data */
1418 b = xml_selectbio(data, data->tag);
1425 /** Append str to bio */
1427 xml_append_str(BIO* b, const char* s)
1429 if(BIO_write(b, s, (int)strlen(s)) <= 0) {
1430 if(verb) printf("out of memory in BIO_write\n");
1435 /** Append bio to bio */
1437 xml_append_bio(BIO* b, BIO* a)
1441 (void)BIO_seek(a, 0);
1442 len = BIO_get_mem_data(a, &z);
1444 if(verb) printf("out of memory in BIO_write\n");
1447 /* remove newlines in the data here */
1448 for(i=0; i<len; i++) {
1449 if(z[i] == '\r' || z[i] == '\n')
1453 if(BIO_write(b, z, len) <= 0) {
1454 if(verb) printf("out of memory in BIO_write\n");
1459 /** write the parsed xml-DS to the DS list */
1461 xml_append_ds(struct xml_data* data)
1463 /* write DS to accumulated DS */
1464 xml_append_str(data->ds, ". IN DS ");
1465 xml_append_bio(data->ds, data->ctag);
1466 xml_append_str(data->ds, " ");
1467 xml_append_bio(data->ds, data->calgo);
1468 xml_append_str(data->ds, " ");
1469 xml_append_bio(data->ds, data->cdigtype);
1470 xml_append_str(data->ds, " ");
1471 xml_append_bio(data->ds, data->cdigest);
1472 xml_append_str(data->ds, "\n");
1477 * XML end of element. This callback is called whenever an XML tag ends.
1479 * @param userData: the xml_data structure
1480 * @param name: the tag that ends.
1483 xml_endelem(void *userData, const XML_Char *name)
1485 struct xml_data* data = (struct xml_data*)userData;
1486 if(verb>=4) printf("xml tag end '%s'\n", name);
1489 if(strcasecmp(name, "KeyDigest") == 0) {
1491 xml_append_ds(data);
1493 } else if(strcasecmp(name, "Zone") == 0) {
1494 if(!xml_is_zone_name(data->czone, ".")) {
1495 if(verb) printf("xml not for the right zone\n");
1502 * XML parser setup of the callbacks for the tags
1505 xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now)
1508 memset(data, 0, sizeof(*data));
1509 XML_SetUserData(parser, data);
1510 data->parser = parser;
1512 data->ds = BIO_new(BIO_s_mem());
1513 data->ctag = BIO_new(BIO_s_mem());
1514 data->czone = BIO_new(BIO_s_mem());
1515 data->calgo = BIO_new(BIO_s_mem());
1516 data->cdigtype = BIO_new(BIO_s_mem());
1517 data->cdigest = BIO_new(BIO_s_mem());
1518 if(!data->ds || !data->ctag || !data->calgo || !data->czone ||
1519 !data->cdigtype || !data->cdigest) {
1520 if(verb) printf("out of memory\n");
1523 snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s",
1525 if(BIO_write(data->ds, buf, (int)strlen(buf)) <= 0) {
1526 if(verb) printf("out of memory\n");
1529 XML_SetElementHandler(parser, xml_startelem, xml_endelem);
1530 XML_SetCharacterDataHandler(parser, xml_charhandle);
1534 * Perform XML parsing of the root-anchors file
1535 * Its format description can be read here
1536 * https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt
1538 * @param xml: BIO with xml data.
1539 * @param now: the current time for checking DS validity periods.
1540 * @return memoryBIO with the DS data in zone format.
1541 * or NULL if the zone is insecure.
1542 * (It exit()s on error)
1545 xml_parse(BIO* xml, time_t now)
1550 struct xml_data data;
1552 parser = XML_ParserCreate(NULL);
1554 if(verb) printf("could not XML_ParserCreate\n");
1558 /* setup callbacks */
1559 xml_parse_setup(parser, &data, now);
1562 (void)BIO_reset(xml);
1563 len = (int)BIO_get_mem_data(xml, &pp);
1565 if(verb) printf("out of memory\n");
1568 if(!XML_Parse(parser, pp, len, 1 /*isfinal*/ )) {
1569 const char *e = XML_ErrorString(XML_GetErrorCode(parser));
1570 if(verb) printf("XML_Parse failure %s\n", e?e:"");
1575 if(verb) printf("XML was parsed successfully, %d keys\n",
1578 XML_ParserFree(parser);
1583 (void)BIO_seek(data.ds, 0);
1584 len = BIO_get_mem_data(data.ds, &pp);
1585 printf("got DS bio %d: '", len);
1586 if(!fwrite(pp, (size_t)len, 1, stdout))
1587 /* compilers do not allow us to ignore fwrite .. */
1588 fprintf(stderr, "error writing to stdout\n");
1591 BIO_free(data.czone);
1592 BIO_free(data.ctag);
1593 BIO_free(data.calgo);
1594 BIO_free(data.cdigtype);
1595 BIO_free(data.cdigest);
1597 if(data.num_keys == 0) {
1598 /* the root zone seems to have gone insecure */
1606 /** verify a PKCS7 signature, false on failure */
1608 verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust)
1611 X509_STORE *store = X509_STORE_new();
1614 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1615 X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
1617 if(verb) printf("out of memory\n");
1618 X509_STORE_free(store);
1621 /* do the selfcheck on the root certificate; it checks that the
1623 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE);
1624 if(store) X509_STORE_set1_param(store, param);
1627 if(verb) printf("out of memory\n");
1628 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1629 X509_VERIFY_PARAM_free(param);
1634 (void)BIO_reset(p7s);
1635 (void)BIO_reset(data);
1637 /* convert p7s to p7 (the signature) */
1638 p7 = d2i_PKCS7_bio(p7s, NULL);
1640 if(verb) printf("could not parse p7s signature file\n");
1641 X509_STORE_free(store);
1644 if(verb >= 2) printf("parsed the PKCS7 signature\n");
1646 /* convert trust to trusted certificate store */
1647 for(i=0; i<sk_X509_num(trust); i++) {
1648 if(!X509_STORE_add_cert(store, sk_X509_value(trust, i))) {
1649 if(verb) printf("failed X509_STORE_add_cert\n");
1650 X509_STORE_free(store);
1655 if(verb >= 2) printf("setup the X509_STORE\n");
1657 if(PKCS7_verify(p7, NULL, store, data, NULL, 0) == 1) {
1659 if(verb) printf("the PKCS7 signature verified\n");
1662 ERR_print_errors_fp(stdout);
1666 X509_STORE_free(store);
1671 /** write unsigned root anchor file, a 5011 revoked tp */
1673 write_unsigned_root(char* root_anchor_file)
1676 time_t now = time(NULL);
1677 out = fopen(root_anchor_file, "w");
1679 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
1682 if(fprintf(out, "; autotrust trust anchor file\n"
1685 "; This file was written by unbound-anchor on %s"
1686 "; It indicates that the root does not use DNSSEC\n"
1687 "; to restart DNSSEC overwrite this file with a\n"
1688 "; valid trustanchor or (empty-it and run unbound-anchor)\n"
1689 , ctime(&now)) < 0) {
1690 if(verb) printf("failed to write 'unsigned' to %s\n",
1692 if(verb && errno != 0) printf("%s\n", strerror(errno));
1697 /** write root anchor file */
1699 write_root_anchor(char* root_anchor_file, BIO* ds)
1704 (void)BIO_seek(ds, 0);
1705 len = BIO_get_mem_data(ds, &pp);
1707 if(verb) printf("out of memory\n");
1710 out = fopen(root_anchor_file, "w");
1712 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
1715 if(fwrite(pp, (size_t)len, 1, out) != 1) {
1716 if(verb) printf("failed to write all data to %s\n",
1718 if(verb && errno != 0) printf("%s\n", strerror(errno));
1723 /** Perform the verification and update of the trustanchor file */
1725 verify_and_update_anchor(char* root_anchor_file, BIO* xml, BIO* p7s,
1726 STACK_OF(X509)* cert)
1730 /* verify xml file */
1731 if(!verify_p7sig(xml, p7s, cert)) {
1732 printf("the PKCS7 signature failed\n");
1736 /* parse the xml file into DS records */
1737 ds = xml_parse(xml, time(NULL));
1739 /* the root zone is unsigned now */
1740 write_unsigned_root(root_anchor_file);
1742 /* reinstate 5011 tracking */
1743 write_root_anchor(root_anchor_file, ds);
1749 static void do_wsa_cleanup(void) { WSACleanup(); }
1752 /** perform actual certupdate work */
1754 do_certupdate(char* root_anchor_file, char* root_cert_file,
1755 char* urlname, char* xmlname, char* p7sname,
1756 char* res_conf, char* root_hints, char* debugconf,
1757 int ip4only, int ip6only, int port, struct ub_result* dnskey)
1759 STACK_OF(X509)* cert;
1761 struct ip_list* ip_list = NULL;
1763 /* read pem file or provide builtin */
1764 cert = read_cert_or_builtin(root_cert_file);
1766 /* lookup A, AAAA for the urlname (or parse urlname if IP address) */
1767 ip_list = resolve_name(urlname, port, res_conf, root_hints, debugconf,
1771 if(1) { /* libunbound finished, startup WSA for the https connection */
1774 if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) {
1775 if(verb) printf("WSAStartup failed: %s\n",
1779 atexit(&do_wsa_cleanup);
1783 /* fetch the necessary files over HTTPS */
1784 xml = https(ip_list, xmlname, urlname);
1785 p7s = https(ip_list, p7sname, urlname);
1787 /* verify and update the root anchor */
1788 verify_and_update_anchor(root_anchor_file, xml, p7s, cert);
1789 if(verb) printf("success: the anchor has been updated "
1790 "using the cert\n");
1795 sk_X509_pop_free(cert, X509_free);
1797 ub_resolve_free(dnskey);
1798 ip_list_free(ip_list);
1803 * Try to read the root RFC5011 autotrust anchor file,
1804 * @param file: filename.
1806 * 0 if does not exist or empty
1807 * 1 if trust-point-revoked-5011
1811 try_read_anchor(char* file)
1816 FILE* in = fopen(file, "r");
1818 /* only if the file does not exist, can we fix it */
1819 if(errno != ENOENT) {
1820 if(verb) printf("%s: %s\n", file, strerror(errno));
1821 if(verb) printf("error: cannot access the file\n");
1824 if(verb) printf("%s does not exist\n", file);
1827 while(fgets(line, (int)sizeof(line), in)) {
1828 line[sizeof(line)-1] = 0;
1829 if(strncmp(line, ";;REVOKED", 9) == 0) {
1831 if(verb) printf("%s : the trust point is revoked\n"
1832 "and the zone is considered unsigned.\n"
1833 "if you wish to re-enable, delete the file\n",
1838 while(*p == ' ' || *p == '\t')
1840 if(p[0]==0 || p[0]=='\n' || p[0]==';') continue;
1841 /* this line is a line of content */
1846 if(verb) printf("%s is empty\n", file);
1849 if(verb) printf("%s has content\n", file);
1853 /** Write the builtin root anchor to a file */
1855 write_builtin_anchor(char* file)
1857 const char* builtin_root_anchor = get_builtin_ds();
1858 FILE* out = fopen(file, "w");
1860 if(verb) printf("%s: %s\n", file, strerror(errno));
1861 if(verb) printf(" could not write builtin anchor\n");
1864 if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) {
1865 if(verb) printf("%s: %s\n", file, strerror(errno));
1866 if(verb) printf(" could not complete write builtin anchor\n");
1872 * Check the root anchor file.
1873 * If does not exist, provide builtin and write file.
1874 * If empty, provide builtin and write file.
1875 * If trust-point-revoked-5011 file: make the program exit.
1876 * @param root_anchor_file: filename of the root anchor.
1877 * @param used_builtin: set to 1 if the builtin is written.
1878 * @return 0 if trustpoint is insecure, 1 on success. Exit on failure.
1881 provide_builtin(char* root_anchor_file, int* used_builtin)
1883 /* try to read it */
1884 switch(try_read_anchor(root_anchor_file))
1886 case 0: /* no exist or empty */
1887 write_builtin_anchor(root_anchor_file);
1890 case 1: /* revoked tp */
1892 case 2: /* it is fine */
1900 * add an autotrust anchor for the root to the context
1903 add_5011_probe_root(struct ub_ctx* ctx, char* root_anchor_file)
1906 r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file);
1908 if(verb) printf("add 5011 probe to ctx: %s\n", ub_strerror(r));
1915 * Prime the root key and return the result. Exit on error.
1916 * @param ctx: the unbound context to perform the priming with.
1917 * @return: the result of the prime, on error it exit()s.
1919 static struct ub_result*
1920 prime_root_key(struct ub_ctx* ctx)
1922 struct ub_result* res = NULL;
1924 r = ub_resolve(ctx, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, &res);
1926 if(verb) printf("resolve DNSKEY: %s\n", ub_strerror(r));
1931 if(verb) printf("out of memory\n");
1938 /** see if ADDPEND keys exist in autotrust file (if possible) */
1940 read_if_pending_keys(char* file)
1942 FILE* in = fopen(file, "r");
1945 if(verb>=2) printf("%s: %s\n", file, strerror(errno));
1948 while(fgets(line, (int)sizeof(line), in)) {
1949 if(line[0]==';') continue;
1950 if(strstr(line, "[ ADDPEND ]")) {
1952 if(verb) printf("RFC5011-state has ADDPEND keys\n");
1960 /** read last successful probe time from autotrust file (if possible) */
1962 read_last_success_time(char* file)
1964 FILE* in = fopen(file, "r");
1967 if(verb) printf("%s: %s\n", file, strerror(errno));
1970 while(fgets(line, (int)sizeof(line), in)) {
1971 if(strncmp(line, ";;last_success: ", 16) == 0) {
1973 time_t x = (unsigned int)strtol(line+16, &e, 10);
1976 if(verb) printf("failed to parse "
1977 "last_success probe time\n");
1980 if(verb) printf("last successful probe: %s", ctime(&x));
1985 if(verb) printf("no last_success probe time in anchor file\n");
1990 * Read autotrust 5011 probe file and see if the date
1991 * compared to the current date allows a certupdate.
1992 * If the last successful probe was recent then 5011 cannot be behind,
1993 * and the failure cannot be solved with a certupdate.
1994 * The debugconf is to validation-override the date for testing.
1995 * @param root_anchor_file: filename of root key
1996 * @return true if certupdate is ok.
1999 probe_date_allows_certupdate(char* root_anchor_file)
2001 int has_pending_keys = read_if_pending_keys(root_anchor_file);
2002 int32_t last_success = read_last_success_time(root_anchor_file);
2003 int32_t now = (int32_t)time(NULL);
2004 int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */
2005 /* if the date is before 2010-07-15:00.00.00 then the root has not
2006 * been signed yet, and thus we refuse to take action. */
2007 if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) {
2008 if(verb) printf("the date is before the root was first signed,"
2009 " please correct the clock\n");
2012 if(last_success == 0)
2013 return 1; /* no probe time */
2014 if(has_pending_keys)
2015 return 1; /* key in ADDPEND state, a previous probe has
2016 inserted that, and it was present in all recent probes,
2017 but it has not become active. The 30 day timer may not have
2018 expired, but we know(for sure) there is a rollover going on.
2019 If we only managed to pickup the new key on its last day
2020 of announcement (for example) this can happen. */
2021 if(now - last_success < 0) {
2022 if(verb) printf("the last successful probe is in the future,"
2023 " clock was modified\n");
2026 if(now - last_success >= leeway) {
2027 if(verb) printf("the last successful probe was more than 30 "
2031 if(verb) printf("the last successful probe is recent\n");
2035 /** perform the unbound-anchor work */
2037 do_root_update_work(char* root_anchor_file, char* root_cert_file,
2038 char* urlname, char* xmlname, char* p7sname,
2039 char* res_conf, char* root_hints, char* debugconf,
2040 int ip4only, int ip6only, int force, int port)
2043 struct ub_result* dnskey;
2044 int used_builtin = 0;
2046 /* see if builtin rootanchor needs to be provided, or if
2047 * rootanchor is 'revoked-trust-point' */
2048 if(!provide_builtin(root_anchor_file, &used_builtin))
2051 /* make unbound context with 5011-probe for root anchor,
2052 * and probe . DNSKEY */
2053 ctx = create_unbound_context(res_conf, root_hints, debugconf,
2055 add_5011_probe_root(ctx, root_anchor_file);
2056 dnskey = prime_root_key(ctx);
2059 /* if secure: exit */
2060 if(dnskey->secure && !force) {
2061 if(verb) printf("success: the anchor is ok\n");
2062 ub_resolve_free(dnskey);
2063 return used_builtin;
2065 if(force && verb) printf("debug cert update forced\n");
2067 /* if not (and NOERROR): check date and do certupdate */
2068 if((dnskey->rcode == 0 &&
2069 probe_date_allows_certupdate(root_anchor_file)) || force) {
2070 if(do_certupdate(root_anchor_file, root_cert_file, urlname,
2071 xmlname, p7sname, res_conf, root_hints, debugconf,
2072 ip4only, ip6only, port, dnskey))
2074 return used_builtin;
2076 if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
2077 ub_resolve_free(dnskey);
2078 return used_builtin;
2081 /** getopt global, in case header files fail to declare it. */
2083 /** getopt global, in case header files fail to declare it. */
2084 extern char* optarg;
2086 /** Main routine for unbound-anchor */
2087 int main(int argc, char* argv[])
2090 char* root_anchor_file = ROOT_ANCHOR_FILE;
2091 char* root_cert_file = ROOT_CERT_FILE;
2092 char* urlname = URLNAME;
2093 char* xmlname = XMLNAME;
2094 char* p7sname = P7SNAME;
2095 char* res_conf = NULL;
2096 char* root_hints = NULL;
2097 char* debugconf = NULL;
2098 int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
2099 /* parse the options */
2100 while( (c=getopt(argc, argv, "46C:FP:a:c:f:hlr:s:u:vx:")) != -1) {
2112 root_anchor_file = optarg;
2115 root_cert_file = optarg;
2130 root_hints = optarg;
2139 port = atoi(optarg);
2155 ERR_load_crypto_strings();
2156 ERR_load_SSL_strings();
2157 OpenSSL_add_all_algorithms();
2158 (void)SSL_library_init();
2160 if(dolist) do_list_builtin();
2162 return do_root_update_work(root_anchor_file, root_cert_file, urlname,
2163 xmlname, p7sname, res_conf, root_hints, debugconf, ip4only,
2164 ip6only, force, port);