2 * unbound-anchor.c - update the root anchor if necessary.
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
44 * trust anchor. It is a small tool, called "unbound-anchor", that
46 * unbound-anchor; unbound. Thus it is meant to run at system boot time.
48 * Management-Abstract:
53 * * 30-days RFC5011 timer saves a lot of https traffic.
59 * It allows with options to override those. It also takes root-hints (it
64 * RFC5011-tracking of the root key. If that fails (and for 30-days since
71 * If there is no root key in the root.key file, it bootstraps the
72 * RFC5011-tracking with its builtin DS anchors; if that fails it
73 * bootstraps the RFC5011-tracking using the certificate. (again to avoid
81 * The certificate RFC7958 update is done by fetching root-anchors.xml and
82 * root-anchors.p7s via SSL. The HTTPS certificate can be logged but is
90 * not go 'without DNSSEC', no downgrade). If it used its builtin stuff or
95 * The date is also checked. Before 2010-07-15 is a failure (root not
97 * last-successful-RFC5011-probe (if available) has to be more than 30 days
103 * parser), only the valid ones are used to re-instate RFC5011 tracking.
124 #error "need libexpat to parse root-anchors.xml file."
145 #define XMLNAME "root-anchors/root-anchors.xml"
147 #define P7SNAME "root-anchors/root-anchors.p7s"
160 "-----BEGIN CERTIFICATE-----\n"
180 "-----END CERTIFICATE-----\n";
205 /** Give unbound-anchor usage, and exit (1). */
209 printf("Usage: local-unbound-anchor [opts]\n");
217 printf("-a file root key file, default %s\n", ROOT_ANCHOR_FILE);
219 printf("-c file cert file, default %s\n", ROOT_CERT_FILE);
220 printf("-l list builtin key and cert on stdout\n");
221 printf("-u name server in https url, default %s\n", URLNAME);
222 printf("-S do not use SNI for the https connection\n");
223 printf("-x path pathname to xml in url, default %s\n", XMLNAME);
224 printf("-s path pathname to p7s in url, default %s\n", P7SNAME);
225 printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER);
226 printf("-b address source address to bind to\n");
227 printf("-4 work using IPv4 only\n");
228 printf("-6 work using IPv6 only\n");
229 printf("-f resolv.conf use given resolv.conf\n");
230 printf("-r root.hints use given root.hints\n"
232 printf("-R fallback from -f to root query on error\n");
233 printf("-v more verbose\n");
234 printf("-C conf debug, read config\n");
235 printf("-P port use port for https connect, default 443\n");
236 printf("-F debug, force update with cert\n");
237 printf("-h show this usage help\n");
294 r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0");
296 /* read config file first, so its settings can be overridden */
306 r = ub_ctx_set_option(ctx, "root-hints:", root_hints);
310 r = ub_ctx_set_option(ctx, "outgoing-interface:", srcaddr);
314 r = ub_ctx_set_option(ctx, "do-ip6:", "no");
318 r = ub_ctx_set_option(ctx, "do-ip4:", "no");
331 X509_print_ex_fp(stdout, x, 0, (unsigned long)-1
352 /** read certificates from a PEM bio */
365 printf("failed to read X509\n");
378 /* read the certificate file */
406 printf("failed to read X509 file\n");
417 /* read away newline after --END CERT-- */
432 /** read certificates from the builtin certificate */
453 /** read update cert file or use builtin */
483 void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr;
484 if(ip->len != (socklen_t)sizeof(struct sockaddr_in))
485 a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr;
487 if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family,
500 np = p->next;
513 struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr;
514 ip->len = (socklen_t)sizeof(*sa);
515 sa->sin_family = AF_INET;
516 sa->sin_port = (in_port_t)htons(p);
517 if(len != (int)sizeof(sa->sin_addr)) {
522 memmove(&sa->sin_addr, data, sizeof(sa->sin_addr));
525 struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr;
526 ip->len = (socklen_t)sizeof(*sa);
527 sa->sin6_family = AF_INET6;
528 sa->sin6_port = (in_port_t)htons(p);
529 if(len != (int)sizeof(sa->sin6_addr)) {
534 memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr));
564 if(!res->havedata || res->rcode || !res->data) {
565 if(verb) printf("resolve %s %s: no result\n", host,
569 for(i = 0; res->data[i]; i++) {
570 struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i],
573 ip->next = *head;
610 ip->len = len;
611 memmove(&ip->addr, &addr, len);
618 * no trust anchor). Without DNSSEC validation.
661 if(verb) printf("%s has no IP addresses I can use\n", host);
672 p->used = 0;
673 p = p->next;
683 if(!p->used) num++;
684 p = p->next;
701 if(!p->used) sel--;
702 p = p->next;
705 while(p && p->used)
706 p = p->next;
739 fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)?
741 if(fd == -1) {
743 return -1;
745 if(src && bind(fd, (struct sockaddr*)&src->addr, src->len) < 0) {
748 return -1;
750 if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) {
753 return -1;
809 if(verb) printf("Server presented no peer certificate\n");
870 } else if(strncasecmp(buf, "Content-Length: ", 16) == 0) {
873 } else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) {
881 * Read one line from SSL
884 * @param ssl: the SSL connection to read from (blocking).
927 /** read http headers and process them */
943 /** read a data chunk */
958 if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) {
972 if(verb>=2) printf("read %d data\n", (int)len);
989 /** read chunked data from connection */
1003 /* read the chunked start line */
1014 /* skip end-of-chunk-trailer lines,
1030 /* read the chunked body */
1059 write_ssl_line(ssl, "User-Agent: unbound-anchor/%s",
1070 /** read chunked data and zero terminate; len is without zero */
1079 if(verb) printf("could not read from https\n");
1088 *len = l-1;
1099 /** read HTTP result from SSL */
1115 if(verb >= 4) print_data("read data", data, len);
1140 if(fd == -1) {
1180 ip->used = 1;
1202 /** number of keys usefully read in */
1227 b = data->ctag;
1229 b = data->calgo;
1231 b = data->cdigtype;
1233 b = data->cdigest;
1250 if(!data->tag)
1255 data->use_key?"use ":"",
1256 data->tag?data->tag:"none");
1261 if(strcasecmp(data->tag, "Zone") == 0) {
1262 if(BIO_write(data->czone, s, len) < 0) {
1269 if(!data->use_key)
1271 b = xml_selectbio(data, data->tag);
1299 * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm]
1313 if(s[0] == '-') s++;
1316 s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm);
1336 } else if(*s == '+' || *s == '-') {
1337 /* optional timezone spec: Z or +hh:mm or -hh:mm */
1347 tm.tm_hour -= hr;
1348 tm.tm_min -= mn;
1359 if(t == (time_t)-1) {
1372 data->use_key = 0;
1379 if(data->date < from)
1388 if(data->date > until)
1392 data->use_key = 1;
1393 (void)BIO_reset(data->ctag);
1394 (void)BIO_reset(data->calgo);
1395 (void)BIO_reset(data->cdigtype);
1396 (void)BIO_reset(data->cdigest);
1431 free(data->tag);
1432 data->tag = strdup(name);
1433 if(!data->tag) {
1448 (void)BIO_reset(data->czone);
1453 if(!data->use_key)
1455 b = xml_selectbio(data, data->tag);
1496 /** write the parsed xml-DS to the DS list */
1501 xml_append_str(data->ds, ". IN DS ");
1502 xml_append_bio(data->ds, data->ctag);
1503 xml_append_str(data->ds, " ");
1504 xml_append_bio(data->ds, data->calgo);
1505 xml_append_str(data->ds, " ");
1506 xml_append_bio(data->ds, data->cdigtype);
1507 xml_append_str(data->ds, " ");
1508 xml_append_bio(data->ds, data->cdigest);
1509 xml_append_str(data->ds, "\n");
1510 data->num_keys++;
1524 free(data->tag);
1525 data->tag = NULL;
1527 if(data->use_key)
1529 data->use_key = 0;
1531 if(!xml_is_zone_name(data->czone, ".")) {
1565 data->parser = parser;
1566 data->date = now;
1567 data->ds = BIO_new(BIO_s_mem());
1568 data->ctag = BIO_new(BIO_s_mem());
1569 data->czone = BIO_new(BIO_s_mem());
1570 data->calgo = BIO_new(BIO_s_mem());
1571 data->cdigtype = BIO_new(BIO_s_mem());
1572 data->cdigest = BIO_new(BIO_s_mem());
1573 if(!data->ds || !data->ctag || !data->calgo || !data->czone ||
1574 !data->cdigtype || !data->cdigest) {
1578 snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s",
1580 if(BIO_write(data->ds, buf, (int)strlen(buf)) < 0) {
1590 * Perform XML parsing of the root-anchors file
1659 /* get key usage out of its extension, returns 0 if no key_usage extension */
1666 if(s->length > 0) {
1667 val = s->data[0];
1668 if(s->length > 1)
1669 val |= s->data[1] << 8;
1690 if(verb) printf("no signers in pkcs7 signature\n");
1699 if(verb) printf("signer %d: cert has no subject name\n", i);
1706 nmline?nmline:"no subject");
1716 sk_X509_value(signers, i), NID_key_usage, -1);
1728 /* there is no name to check, return all records */
1734 if(verb) printf("removed cert with no name\n");
1735 continue; /* no name, no use */
1747 if(verb) printf("removed cert with no key usage Digital Signature allowed\n");
1885 "; This file was written by unbound-anchor on %s"
1888 "; valid trustanchor or (empty-it and run unbound-anchor)\n"
1967 /* read pem file or provide builtin */
2011 * Try to read the root RFC5011 autotrust anchor file,
2015 * 1 if trust-point-revoked-5011
2036 line[sizeof(line)-1] = 0;
2041 "if you wish to re-enable, delete the file\n",
2084 * If trust-point-revoked-5011 file: make the program exit.
2092 /* try to read it */
2095 case 0: /* no exist or empty */
2115 r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file);
2161 if(verb) printf("RFC5011-state has ADDPEND keys\n");
2169 /** read last successful probe time from autotrust file (if possible) */
2194 if(verb) printf("no last_success probe time in anchor file\n");
2199 * Read autotrust 5011 probe file and see if the date
2203 * The debugconf is to validation-override the date for testing.
2214 /* if the date is before 2010-07-15:00.00.00 then the root has not
2216 if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) {
2222 return 1; /* no probe time */
2227 expired, but we know (for sure) there is a rollover going on.
2230 if(now - last_success < 0) {
2235 if(now - last_success >= leeway) {
2260 /** perform the unbound-anchor work */
2273 * rootanchor is 'revoked-trust-point' */
2277 /* make unbound context with 5011-probe for root anchor,
2281 rcode = dnskey->rcode;
2283 if (res_conf_fallback && res_conf && !dnskey->secure) {
2289 if (rcode != 0 && dnskey->rcode == 0) {
2296 if(dnskey->secure && !force) {
2322 /** Main routine for unbound-anchor */
2340 while( (c=getopt(argc, argv, "46C:FRSP:a:b:c:f:hln:r:s:u:vx:")) != -1) {
2402 argc -= optind;