aboutsummaryrefslogtreecommitdiff
path: root/external/unbound/smallapp
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--external/unbound/smallapp/unbound-anchor.c2346
-rw-r--r--external/unbound/smallapp/unbound-checkconf.c619
-rw-r--r--external/unbound/smallapp/unbound-control-setup.sh.in160
-rw-r--r--external/unbound/smallapp/unbound-control.c791
-rw-r--r--external/unbound/smallapp/unbound-host.c497
-rw-r--r--external/unbound/smallapp/worker_cb.c250
6 files changed, 0 insertions, 4663 deletions
diff --git a/external/unbound/smallapp/unbound-anchor.c b/external/unbound/smallapp/unbound-anchor.c
deleted file mode 100644
index 2828088d9..000000000
--- a/external/unbound/smallapp/unbound-anchor.c
+++ /dev/null
@@ -1,2346 +0,0 @@
-/*
- * unbound-anchor.c - update the root anchor if necessary.
- *
- * Copyright (c) 2010, NLnet Labs. All rights reserved.
- *
- * This software is open source.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of the NLNET LABS nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * \file
- *
- * This file checks to see that the current 5011 keys work to prime the
- * current root anchor. If not a certificate is used to update the anchor,
- * with RFC7958 https xml fetch.
- *
- * This is a concept solution for distribution of the DNSSEC root
- * trust anchor. It is a small tool, called "unbound-anchor", that
- * runs before the main validator starts. I.e. in the init script:
- * unbound-anchor; unbound. Thus it is meant to run at system boot time.
- *
- * Management-Abstract:
- * * first run: fill root.key file with hardcoded DS record.
- * * mostly: use RFC5011 tracking, quick . DNSKEY UDP query.
- * * failover: use RFC7958 builtin certificate, do https and update.
- * Special considerations:
- * * 30-days RFC5011 timer saves a lot of https traffic.
- * * DNSKEY probe must be NOERROR, saves a lot of https traffic.
- * * fail if clock before sign date of the root, if cert expired.
- * * if the root goes back to unsigned, deals with it.
- *
- * It has hardcoded the root DS anchors and the ICANN CA root certificate.
- * It allows with options to override those. It also takes root-hints (it
- * has to do a DNS resolve), and also has hardcoded defaults for those.
- *
- * Once it starts, just before the validator starts, it quickly checks if
- * the root anchor file needs to be updated. First it tries to use
- * RFC5011-tracking of the root key. If that fails (and for 30-days since
- * last successful probe), then it attempts to update using the
- * certificate. So most of the time, the RFC5011 tracking will work fine,
- * and within a couple milliseconds, the main daemon can start. It will
- * have only probed the . DNSKEY, not done expensive https transfers on the
- * root infrastructure.
- *
- * If there is no root key in the root.key file, it bootstraps the
- * RFC5011-tracking with its builtin DS anchors; if that fails it
- * bootstraps the RFC5011-tracking using the certificate. (again to avoid
- * https, and it is also faster).
- *
- * It uses the XML file by converting it to DS records and writing that to the
- * key file. Unbound can detect that the 'special comments' are gone, and
- * the file contains a list of normal DNSKEY/DS records, and uses that to
- * bootstrap 5011 (the KSK is made VALID).
- *
- * The certificate RFC7958 update is done by fetching root-anchors.xml and
- * root-anchors.p7s via SSL. The HTTPS certificate can be logged but is
- * not validated (https for channel security; the security comes from the
- * certificate). The 'data.iana.org' domain name A and AAAA are resolved
- * without DNSSEC. It tries a random IP until the transfer succeeds. It
- * then checks the p7s signature.
- *
- * On any failure, it leaves the root key file untouched. The main
- * validator has to cope with it, it cannot fix things (So a failure does
- * not go 'without DNSSEC', no downgrade). If it used its builtin stuff or
- * did the https, it exits with an exit code, so that this can trigger the
- * init script to log the event and potentially alert the operator that can
- * do a manual check.
- *
- * The date is also checked. Before 2010-07-15 is a failure (root not
- * signed yet; avoids attacks on system clock). The
- * last-successful-RFC5011-probe (if available) has to be more than 30 days
- * in the past (otherwise, RFC5011 should have worked). This keeps
- * unnecessary https traffic down. If the main certificate is expired, it
- * fails.
- *
- * The dates on the keys in the xml are checked (uses the libexpat xml
- * parser), only the valid ones are used to re-enstate RFC5011 tracking.
- * If 0 keys are valid, the zone has gone to insecure (a special marker is
- * written in the keyfile that tells the main validator daemon the zone is
- * insecure).
- *
- * Only the root ICANN CA is shipped, not the intermediate ones. The
- * intermediate CAs are included in the p7s file that was downloaded. (the
- * root cert is valid to 2028 and the intermediate to 2014, today).
- *
- * Obviously, the tool also has options so the operator can provide a new
- * keyfile, a new certificate and new URLs, and fresh root hints. By
- * default it logs nothing on failure and success; it 'just works'.
- *
- */
-
-#include "config.h"
-#include "libunbound/unbound.h"
-#include "sldns/rrdef.h"
-#include "sldns/parseutil.h"
-#include <expat.h>
-#ifndef HAVE_EXPAT_H
-#error "need libexpat to parse root-anchors.xml file."
-#endif
-#ifdef HAVE_GETOPT_H
-#include <getopt.h>
-#endif
-#ifdef HAVE_OPENSSL_SSL_H
-#include <openssl/ssl.h>
-#endif
-#ifdef HAVE_OPENSSL_ERR_H
-#include <openssl/err.h>
-#endif
-#ifdef HAVE_OPENSSL_RAND_H
-#include <openssl/rand.h>
-#endif
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/pem.h>
-
-/** name of server in URL to fetch HTTPS from */
-#define URLNAME "data.iana.org"
-/** path on HTTPS server to xml file */
-#define XMLNAME "root-anchors/root-anchors.xml"
-/** path on HTTPS server to p7s file */
-#define P7SNAME "root-anchors/root-anchors.p7s"
-/** name of the signer of the certificate */
-#define P7SIGNER "dnssec@iana.org"
-/** port number for https access */
-#define HTTPS_PORT 443
-
-#ifdef USE_WINSOCK
-/* sneakily reuse the the wsa_strerror function, on windows */
-char* wsa_strerror(int err);
-#endif
-
-/** verbosity for this application */
-static int verb = 0;
-
-/** list of IP addresses */
-struct ip_list {
- /** next in list */
- struct ip_list* next;
- /** length of addr */
- socklen_t len;
- /** address ready to connect to */
- struct sockaddr_storage addr;
- /** has the address been used */
- int used;
-};
-
-/** Give unbound-anchor usage, and exit (1). */
-static void
-usage(void)
-{
- printf("Usage: unbound-anchor [opts]\n");
- printf(" Setup or update root anchor. "
- "Most options have defaults.\n");
- printf(" Run this program before you start the validator.\n");
- printf("\n");
- printf(" The anchor and cert have default builtin content\n");
- printf(" if the file does not exist or is empty.\n");
- printf("\n");
- printf("-a file root key file, default %s\n", ROOT_ANCHOR_FILE);
- printf(" The key is input and output for this tool.\n");
- printf("-c file cert file, default %s\n", ROOT_CERT_FILE);
- printf("-l list builtin key and cert on stdout\n");
- printf("-u name server in https url, default %s\n", URLNAME);
- printf("-x path pathname to xml in url, default %s\n", XMLNAME);
- printf("-s path pathname to p7s in url, default %s\n", P7SNAME);
- printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER);
- printf("-4 work using IPv4 only\n");
- printf("-6 work using IPv6 only\n");
- printf("-f resolv.conf use given resolv.conf to resolve -u name\n");
- printf("-r root.hints use given root.hints to resolve -u name\n"
- " builtin root hints are used by default\n");
- printf("-v more verbose\n");
- printf("-C conf debug, read config\n");
- printf("-P port use port for https connect, default 443\n");
- printf("-F debug, force update with cert\n");
- printf("-h show this usage help\n");
- printf("Version %s\n", PACKAGE_VERSION);
- printf("BSD licensed, see LICENSE in source package for details.\n");
- printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
- exit(1);
-}
-
-/** return the built in root update certificate */
-static const char*
-get_builtin_cert(void)
-{
- return
-/* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
-"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
-"BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
-"DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
-"IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
-"MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
-"cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
-"G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
-"ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
-"paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
-"MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
-"iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
-"Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
-"DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
-"6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
-"2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
-"15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
-"0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
-"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
-"-----END CERTIFICATE-----\n"
- ;
-}
-
-/** return the built in root DS trust anchor */
-static const char*
-get_builtin_ds(void)
-{
- return
-/* anchor 19036 is from 2010 */
-/* anchor 20326 is from 2017 */
-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
-". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
-}
-
-/** print hex data */
-static void
-print_data(const char* msg, const char* data, int len)
-{
- int i;
- printf("%s: ", msg);
- for(i=0; i<len; i++) {
- printf(" %2.2x", (unsigned char)data[i]);
- }
- printf("\n");
-}
-
-/** print ub context creation error and exit */
-static void
-ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2)
-{
- ub_ctx_delete(ctx);
- if(str && str2 && verb) printf("%s: %s\n", str, str2);
- if(verb) printf("error: could not create unbound resolver context\n");
- exit(0);
-}
-
-/**
- * Create a new unbound context with the commandline settings applied
- */
-static struct ub_ctx*
-create_unbound_context(const char* res_conf, const char* root_hints,
- const char* debugconf, int ip4only, int ip6only)
-{
- int r;
- struct ub_ctx* ctx = ub_ctx_create();
- if(!ctx) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- /* do not waste time and network traffic to fetch extra nameservers */
- r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0");
- if(r && verb) printf("ctx targetfetchpolicy: %s\n", ub_strerror(r));
- /* read config file first, so its settings can be overridden */
- if(debugconf) {
- r = ub_ctx_config(ctx, debugconf);
- if(r) ub_ctx_error_exit(ctx, debugconf, ub_strerror(r));
- }
- if(res_conf) {
- r = ub_ctx_resolvconf(ctx, res_conf);
- if(r) ub_ctx_error_exit(ctx, res_conf, ub_strerror(r));
- }
- if(root_hints) {
- r = ub_ctx_set_option(ctx, "root-hints:", root_hints);
- if(r) ub_ctx_error_exit(ctx, root_hints, ub_strerror(r));
- }
- if(ip4only) {
- r = ub_ctx_set_option(ctx, "do-ip6:", "no");
- if(r) ub_ctx_error_exit(ctx, "ip4only", ub_strerror(r));
- }
- if(ip6only) {
- r = ub_ctx_set_option(ctx, "do-ip4:", "no");
- if(r) ub_ctx_error_exit(ctx, "ip6only", ub_strerror(r));
- }
- return ctx;
-}
-
-/** printout certificate in detail */
-static void
-verb_cert(const char* msg, X509* x)
-{
- if(verb == 0 || verb == 1) return;
- if(verb == 2) {
- if(msg) printf("%s\n", msg);
- X509_print_ex_fp(stdout, x, 0, (unsigned long)-1
- ^(X509_FLAG_NO_SUBJECT
- |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY));
- return;
- }
- if(msg) printf("%s\n", msg);
- X509_print_fp(stdout, x);
-}
-
-/** printout certificates in detail */
-static void
-verb_certs(const char* msg, STACK_OF(X509)* sk)
-{
- int i, num = sk_X509_num(sk);
- if(verb == 0 || verb == 1) return;
- for(i=0; i<num; i++) {
- printf("%s (%d/%d)\n", msg, i, num);
- verb_cert(NULL, sk_X509_value(sk, i));
- }
-}
-
-/** read certificates from a PEM bio */
-static STACK_OF(X509)*
-read_cert_bio(BIO* bio)
-{
- STACK_OF(X509) *sk = sk_X509_new_null();
- if(!sk) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- while(!BIO_eof(bio)) {
- X509* x = PEM_read_bio_X509(bio, NULL, 0, NULL);
- if(x == NULL) {
- if(verb) {
- printf("failed to read X509\n");
- ERR_print_errors_fp(stdout);
- }
- continue;
- }
- if(!sk_X509_push(sk, x)) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- }
- return sk;
-}
-
-/* read the certificate file */
-static STACK_OF(X509)*
-read_cert_file(const char* file)
-{
- STACK_OF(X509)* sk;
- FILE* in;
- int content = 0;
- char buf[128];
- if(file == NULL || strcmp(file, "") == 0) {
- return NULL;
- }
- sk = sk_X509_new_null();
- if(!sk) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- in = fopen(file, "r");
- if(!in) {
- if(verb) printf("%s: %s\n", file, strerror(errno));
-#ifndef S_SPLINT_S
- sk_X509_pop_free(sk, X509_free);
-#endif
- return NULL;
- }
- while(!feof(in)) {
- X509* x = PEM_read_X509(in, NULL, 0, NULL);
- if(x == NULL) {
- if(verb) {
- printf("failed to read X509 file\n");
- ERR_print_errors_fp(stdout);
- }
- continue;
- }
- if(!sk_X509_push(sk, x)) {
- if(verb) printf("out of memory\n");
- fclose(in);
- exit(0);
- }
- content = 1;
- /* read away newline after --END CERT-- */
- if(!fgets(buf, (int)sizeof(buf), in))
- break;
- }
- fclose(in);
- if(!content) {
- if(verb) printf("%s is empty\n", file);
-#ifndef S_SPLINT_S
- sk_X509_pop_free(sk, X509_free);
-#endif
- return NULL;
- }
- return sk;
-}
-
-/** read certificates from the builtin certificate */
-static STACK_OF(X509)*
-read_builtin_cert(void)
-{
- const char* builtin_cert = get_builtin_cert();
- STACK_OF(X509)* sk;
- BIO *bio;
- char* d = strdup(builtin_cert); /* to avoid const warnings in the
- changed prototype of BIO_new_mem_buf */
- if(!d) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- bio = BIO_new_mem_buf(d, (int)strlen(d));
- if(!bio) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- sk = read_cert_bio(bio);
- if(!sk) {
- if(verb) printf("internal error, out of memory\n");
- exit(0);
- }
- BIO_free(bio);
- free(d);
- return sk;
-}
-
-/** read update cert file or use builtin */
-static STACK_OF(X509)*
-read_cert_or_builtin(const char* file)
-{
- STACK_OF(X509) *sk = read_cert_file(file);
- if(!sk) {
- if(verb) printf("using builtin certificate\n");
- sk = read_builtin_cert();
- }
- if(verb) printf("have %d trusted certificates\n", sk_X509_num(sk));
- verb_certs("trusted certificates", sk);
- return sk;
-}
-
-static void
-do_list_builtin(void)
-{
- const char* builtin_cert = get_builtin_cert();
- const char* builtin_ds = get_builtin_ds();
- printf("%s\n", builtin_ds);
- printf("%s\n", builtin_cert);
- exit(0);
-}
-
-/** printout IP address with message */
-static void
-verb_addr(const char* msg, struct ip_list* ip)
-{
- if(verb) {
- char out[100];
- void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr;
- if(ip->len != (socklen_t)sizeof(struct sockaddr_in))
- a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr;
-
- if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family,
- a, out, (socklen_t)sizeof(out))==0)
- printf("%s (inet_ntop error)\n", msg);
- else printf("%s %s\n", msg, out);
- }
-}
-
-/** free ip_list */
-static void
-ip_list_free(struct ip_list* p)
-{
- struct ip_list* np;
- while(p) {
- np = p->next;
- free(p);
- p = np;
- }
-}
-
-/** create ip_list entry for a RR record */
-static struct ip_list*
-RR_to_ip(int tp, char* data, int len, int port)
-{
- struct ip_list* ip = (struct ip_list*)calloc(1, sizeof(*ip));
- uint16_t p = (uint16_t)port;
- if(tp == LDNS_RR_TYPE_A) {
- struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr;
- ip->len = (socklen_t)sizeof(*sa);
- sa->sin_family = AF_INET;
- sa->sin_port = (in_port_t)htons(p);
- if(len != (int)sizeof(sa->sin_addr)) {
- if(verb) printf("skipped badly formatted A\n");
- free(ip);
- return NULL;
- }
- memmove(&sa->sin_addr, data, sizeof(sa->sin_addr));
-
- } else if(tp == LDNS_RR_TYPE_AAAA) {
- struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr;
- ip->len = (socklen_t)sizeof(*sa);
- sa->sin6_family = AF_INET6;
- sa->sin6_port = (in_port_t)htons(p);
- if(len != (int)sizeof(sa->sin6_addr)) {
- if(verb) printf("skipped badly formatted AAAA\n");
- free(ip);
- return NULL;
- }
- memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr));
- } else {
- if(verb) printf("internal error: bad type in RRtoip\n");
- free(ip);
- return NULL;
- }
- verb_addr("resolved server address", ip);
- return ip;
-}
-
-/** Resolve name, type, class and add addresses to iplist */
-static void
-resolve_host_ip(struct ub_ctx* ctx, const char* host, int port, int tp, int cl,
- struct ip_list** head)
-{
- struct ub_result* res = NULL;
- int r;
- int i;
-
- r = ub_resolve(ctx, host, tp, cl, &res);
- if(r) {
- if(verb) printf("error: resolve %s %s: %s\n", host,
- (tp==LDNS_RR_TYPE_A)?"A":"AAAA", ub_strerror(r));
- return;
- }
- if(!res) {
- if(verb) printf("out of memory\n");
- ub_ctx_delete(ctx);
- exit(0);
- }
- if(!res->havedata || res->rcode || !res->data) {
- if(verb) printf("resolve %s %s: no result\n", host,
- (tp==LDNS_RR_TYPE_A)?"A":"AAAA");
- return;
- }
- for(i = 0; res->data[i]; i++) {
- struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i],
- port);
- if(!ip) continue;
- ip->next = *head;
- *head = ip;
- }
- ub_resolve_free(res);
-}
-
-/** parse a text IP address into a sockaddr */
-static struct ip_list*
-parse_ip_addr(const char* str, int port)
-{
- socklen_t len = 0;
- union {
- struct sockaddr_in6 a6;
- struct sockaddr_in a;
- } addr;
- struct ip_list* ip;
- uint16_t p = (uint16_t)port;
- memset(&addr, 0, sizeof(addr));
-
- if(inet_pton(AF_INET6, str, &addr.a6.sin6_addr) > 0) {
- /* it is an IPv6 */
- addr.a6.sin6_family = AF_INET6;
- addr.a6.sin6_port = (in_port_t)htons(p);
- len = (socklen_t)sizeof(addr.a6);
- }
- if(inet_pton(AF_INET, str, &addr.a.sin_addr) > 0) {
- /* it is an IPv4 */
- addr.a.sin_family = AF_INET;
- addr.a.sin_port = (in_port_t)htons(p);
- len = (socklen_t)sizeof(struct sockaddr_in);
- }
- if(!len) return NULL;
- ip = (struct ip_list*)calloc(1, sizeof(*ip));
- if(!ip) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- ip->len = len;
- memmove(&ip->addr, &addr, len);
- if(verb) printf("server address is %s\n", str);
- return ip;
-}
-
-/**
- * Resolve a domain name (even though the resolver is down and there is
- * no trust anchor). Without DNSSEC validation.
- * @param host: the name to resolve.
- * If this name is an IP4 or IP6 address this address is returned.
- * @param port: the port number used for the returned IP structs.
- * @param res_conf: resolv.conf (if any).
- * @param root_hints: root hints (if any).
- * @param debugconf: unbound.conf for debugging options.
- * @param ip4only: use only ip4 for resolve and only lookup A
- * @param ip6only: use only ip6 for resolve and only lookup AAAA
- * default is to lookup A and AAAA using ip4 and ip6.
- * @return list of IP addresses.
- */
-static struct ip_list*
-resolve_name(const char* host, int port, const char* res_conf,
- const char* root_hints, const char* debugconf, int ip4only, int ip6only)
-{
- struct ub_ctx* ctx;
- struct ip_list* list = NULL;
- /* first see if name is an IP address itself */
- if( (list=parse_ip_addr(host, port)) ) {
- return list;
- }
-
- /* create resolver context */
- ctx = create_unbound_context(res_conf, root_hints, debugconf,
- ip4only, ip6only);
-
- /* try resolution of A */
- if(!ip6only) {
- resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_A,
- LDNS_RR_CLASS_IN, &list);
- }
-
- /* try resolution of AAAA */
- if(!ip4only) {
- resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_AAAA,
- LDNS_RR_CLASS_IN, &list);
- }
-
- ub_ctx_delete(ctx);
- if(!list) {
- if(verb) printf("%s has no IP addresses I can use\n", host);
- exit(0);
- }
- return list;
-}
-
-/** clear used flags */
-static void
-wipe_ip_usage(struct ip_list* p)
-{
- while(p) {
- p->used = 0;
- p = p->next;
- }
-}
-
-/** cound unused IPs */
-static int
-count_unused(struct ip_list* p)
-{
- int num = 0;
- while(p) {
- if(!p->used) num++;
- p = p->next;
- }
- return num;
-}
-
-/** pick random unused element from IP list */
-static struct ip_list*
-pick_random_ip(struct ip_list* list)
-{
- struct ip_list* p = list;
- int num = count_unused(list);
- int sel;
- if(num == 0) return NULL;
- /* not perfect, but random enough */
- sel = (int)arc4random_uniform((uint32_t)num);
- /* skip over unused elements that we did not select */
- while(sel > 0 && p) {
- if(!p->used) sel--;
- p = p->next;
- }
- /* find the next unused element */
- while(p && p->used)
- p = p->next;
- if(!p) return NULL; /* robustness */
- return p;
-}
-
-/** close the fd */
-static void
-fd_close(int fd)
-{
-#ifndef USE_WINSOCK
- close(fd);
-#else
- closesocket(fd);
-#endif
-}
-
-/** printout socket errno */
-static void
-print_sock_err(const char* msg)
-{
-#ifndef USE_WINSOCK
- if(verb) printf("%s: %s\n", msg, strerror(errno));
-#else
- if(verb) printf("%s: %s\n", msg, wsa_strerror(WSAGetLastError()));
-#endif
-}
-
-/** connect to IP address */
-static int
-connect_to_ip(struct ip_list* ip)
-{
- int fd;
- verb_addr("connect to", ip);
- fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)?
- AF_INET:AF_INET6, SOCK_STREAM, 0);
- if(fd == -1) {
- print_sock_err("socket");
- return -1;
- }
- if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) {
- print_sock_err("connect");
- fd_close(fd);
- return -1;
- }
- return fd;
-}
-
-/** create SSL context */
-static SSL_CTX*
-setup_sslctx(void)
-{
- SSL_CTX* sslctx = SSL_CTX_new(SSLv23_client_method());
- if(!sslctx) {
- if(verb) printf("SSL_CTX_new error\n");
- return NULL;
- }
- return sslctx;
-}
-
-/** initiate TLS on a connection */
-static SSL*
-TLS_initiate(SSL_CTX* sslctx, int fd)
-{
- X509* x;
- int r;
- SSL* ssl = SSL_new(sslctx);
- if(!ssl) {
- if(verb) printf("SSL_new error\n");
- return NULL;
- }
- SSL_set_connect_state(ssl);
- (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
- if(!SSL_set_fd(ssl, fd)) {
- if(verb) printf("SSL_set_fd error\n");
- SSL_free(ssl);
- return NULL;
- }
- while(1) {
- ERR_clear_error();
- if( (r=SSL_do_handshake(ssl)) == 1)
- break;
- r = SSL_get_error(ssl, r);
- if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) {
- if(verb) printf("SSL handshake failed\n");
- SSL_free(ssl);
- return NULL;
- }
- /* wants to be called again */
- }
- x = SSL_get_peer_certificate(ssl);
- if(!x) {
- if(verb) printf("Server presented no peer certificate\n");
- SSL_free(ssl);
- return NULL;
- }
- verb_cert("server SSL certificate", x);
- X509_free(x);
- return ssl;
-}
-
-/** perform neat TLS shutdown */
-static void
-TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx)
-{
- /* shutdown the SSL connection nicely */
- if(SSL_shutdown(ssl) == 0) {
- SSL_shutdown(ssl);
- }
- SSL_free(ssl);
- SSL_CTX_free(sslctx);
- fd_close(fd);
-}
-
-/** write a line over SSL */
-static int
-write_ssl_line(SSL* ssl, const char* str, const char* sec)
-{
- char buf[1024];
- size_t l;
- if(sec) {
- snprintf(buf, sizeof(buf), str, sec);
- } else {
- snprintf(buf, sizeof(buf), "%s", str);
- }
- l = strlen(buf);
- if(l+2 >= sizeof(buf)) {
- if(verb) printf("line too long\n");
- return 0;
- }
- if(verb >= 2) printf("SSL_write: %s\n", buf);
- buf[l] = '\r';
- buf[l+1] = '\n';
- buf[l+2] = 0;
- /* add \r\n */
- if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) {
- if(verb) printf("could not SSL_write %s", str);
- return 0;
- }
- return 1;
-}
-
-/** process header line, check rcode and keeping track of size */
-static int
-process_one_header(char* buf, size_t* clen, int* chunked)
-{
- if(verb>=2) printf("header: '%s'\n", buf);
- if(strncasecmp(buf, "HTTP/1.1 ", 9) == 0) {
- /* check returncode */
- if(buf[9] != '2') {
- if(verb) printf("bad status %s\n", buf+9);
- return 0;
- }
- } else if(strncasecmp(buf, "Content-Length: ", 16) == 0) {
- if(!*chunked)
- *clen = (size_t)atoi(buf+16);
- } else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) {
- *clen = 0;
- *chunked = 1;
- }
- return 1;
-}
-
-/**
- * Read one line from SSL
- * zero terminates.
- * skips "\r\n" (but not copied to buf).
- * @param ssl: the SSL connection to read from (blocking).
- * @param buf: buffer to return line in.
- * @param len: size of the buffer.
- * @return 0 on error, 1 on success.
- */
-static int
-read_ssl_line(SSL* ssl, char* buf, size_t len)
-{
- size_t n = 0;
- int r;
- int endnl = 0;
- while(1) {
- if(n >= len) {
- if(verb) printf("line too long\n");
- return 0;
- }
- if((r = SSL_read(ssl, buf+n, 1)) <= 0) {
- if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
- /* EOF */
- break;
- }
- if(verb) printf("could not SSL_read\n");
- return 0;
- }
- if(endnl && buf[n] == '\n') {
- break;
- } else if(endnl) {
- /* bad data */
- if(verb) printf("error: stray linefeeds\n");
- return 0;
- } else if(buf[n] == '\r') {
- /* skip \r, and also \n on the wire */
- endnl = 1;
- continue;
- } else if(buf[n] == '\n') {
- /* skip the \n, we are done */
- break;
- } else n++;
- }
- buf[n] = 0;
- return 1;
-}
-
-/** read http headers and process them */
-static size_t
-read_http_headers(SSL* ssl, size_t* clen)
-{
- char buf[1024];
- int chunked = 0;
- *clen = 0;
- while(read_ssl_line(ssl, buf, sizeof(buf))) {
- if(buf[0] == 0)
- return 1;
- if(!process_one_header(buf, clen, &chunked))
- return 0;
- }
- return 0;
-}
-
-/** read a data chunk */
-static char*
-read_data_chunk(SSL* ssl, size_t len)
-{
- size_t got = 0;
- int r;
- char* data;
- if(len >= 0xfffffff0)
- return NULL; /* to protect against integer overflow in malloc*/
- data = malloc(len+1);
- if(!data) {
- if(verb) printf("out of memory\n");
- return NULL;
- }
- while(got < len) {
- if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) {
- if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
- /* EOF */
- if(verb) printf("could not SSL_read: unexpected EOF\n");
- free(data);
- return NULL;
- }
- if(verb) printf("could not SSL_read\n");
- free(data);
- return NULL;
- }
- if(verb >= 2) printf("at %d/%d\n", (int)got, (int)len);
- got += r;
- }
- if(verb>=2) printf("read %d data\n", (int)len);
- data[len] = 0;
- return data;
-}
-
-/** parse chunk header */
-static int
-parse_chunk_header(char* buf, size_t* result)
-{
- char* e = NULL;
- size_t v = (size_t)strtol(buf, &e, 16);
- if(e == buf)
- return 0;
- *result = v;
- return 1;
-}
-
-/** read chunked data from connection */
-static BIO*
-do_chunked_read(SSL* ssl)
-{
- char buf[1024];
- size_t len;
- char* body;
- BIO* mem = BIO_new(BIO_s_mem());
- if(verb>=3) printf("do_chunked_read\n");
- if(!mem) {
- if(verb) printf("out of memory\n");
- return NULL;
- }
- while(read_ssl_line(ssl, buf, sizeof(buf))) {
- /* read the chunked start line */
- if(verb>=2) printf("chunk header: %s\n", buf);
- if(!parse_chunk_header(buf, &len)) {
- BIO_free(mem);
- if(verb>=3) printf("could not parse chunk header\n");
- return NULL;
- }
- if(verb>=2) printf("chunk len: %d\n", (int)len);
- /* are we done? */
- if(len == 0) {
- char z = 0;
- /* skip end-of-chunk-trailer lines,
- * until the empty line after that */
- do {
- if(!read_ssl_line(ssl, buf, sizeof(buf))) {
- BIO_free(mem);
- return NULL;
- }
- } while (strlen(buf) > 0);
- /* end of chunks, zero terminate it */
- if(BIO_write(mem, &z, 1) <= 0) {
- if(verb) printf("out of memory\n");
- BIO_free(mem);
- return NULL;
- }
- return mem;
- }
- /* read the chunked body */
- body = read_data_chunk(ssl, len);
- if(!body) {
- BIO_free(mem);
- return NULL;
- }
- if(BIO_write(mem, body, (int)len) <= 0) {
- if(verb) printf("out of memory\n");
- free(body);
- BIO_free(mem);
- return NULL;
- }
- free(body);
- /* skip empty line after data chunk */
- if(!read_ssl_line(ssl, buf, sizeof(buf))) {
- BIO_free(mem);
- return NULL;
- }
- }
- BIO_free(mem);
- return NULL;
-}
-
-/** start HTTP1.1 transaction on SSL */
-static int
-write_http_get(SSL* ssl, const char* pathname, const char* urlname)
-{
- if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) &&
- write_ssl_line(ssl, "Host: %s", urlname) &&
- write_ssl_line(ssl, "User-Agent: unbound-anchor/%s",
- PACKAGE_VERSION) &&
- /* We do not really do multiple queries per connection,
- * but this header setting is also not needed.
- * write_ssl_line(ssl, "Connection: close", NULL) &&*/
- write_ssl_line(ssl, "", NULL)) {
- return 1;
- }
- return 0;
-}
-
-/** read chunked data and zero terminate; len is without zero */
-static char*
-read_chunked_zero_terminate(SSL* ssl, size_t* len)
-{
- /* do the chunked version */
- BIO* tmp = do_chunked_read(ssl);
- char* data, *d = NULL;
- size_t l;
- if(!tmp) {
- if(verb) printf("could not read from https\n");
- return NULL;
- }
- l = (size_t)BIO_get_mem_data(tmp, &d);
- if(verb>=2) printf("chunked data is %d\n", (int)l);
- if(l == 0 || d == NULL) {
- if(verb) printf("out of memory\n");
- return NULL;
- }
- *len = l-1;
- data = (char*)malloc(l);
- if(data == NULL) {
- if(verb) printf("out of memory\n");
- return NULL;
- }
- memcpy(data, d, l);
- BIO_free(tmp);
- return data;
-}
-
-/** read HTTP result from SSL */
-static BIO*
-read_http_result(SSL* ssl)
-{
- size_t len = 0;
- char* data;
- BIO* m;
- if(!read_http_headers(ssl, &len)) {
- return NULL;
- }
- if(len == 0) {
- data = read_chunked_zero_terminate(ssl, &len);
- } else {
- data = read_data_chunk(ssl, len);
- }
- if(!data) return NULL;
- if(verb >= 4) print_data("read data", data, (int)len);
- m = BIO_new_mem_buf(data, (int)len);
- if(!m) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- return m;
-}
-
-/** https to an IP addr, return BIO with pathname or NULL */
-static BIO*
-https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname)
-{
- int fd;
- SSL* ssl;
- BIO* bio;
- SSL_CTX* sslctx = setup_sslctx();
- if(!sslctx) {
- return NULL;
- }
- fd = connect_to_ip(ip);
- if(fd == -1) {
- SSL_CTX_free(sslctx);
- return NULL;
- }
- ssl = TLS_initiate(sslctx, fd);
- if(!ssl) {
- SSL_CTX_free(sslctx);
- fd_close(fd);
- return NULL;
- }
- if(!write_http_get(ssl, pathname, urlname)) {
- if(verb) printf("could not write to server\n");
- SSL_free(ssl);
- SSL_CTX_free(sslctx);
- fd_close(fd);
- return NULL;
- }
- bio = read_http_result(ssl);
- TLS_shutdown(fd, ssl, sslctx);
- return bio;
-}
-
-/**
- * Do a HTTPS, HTTP1.1 over TLS, to fetch a file
- * @param ip_list: list of IP addresses to use to fetch from.
- * @param pathname: pathname of file on server to GET.
- * @param urlname: name to pass as the virtual host for this request.
- * @return a memory BIO with the file in it.
- */
-static BIO*
-https(struct ip_list* ip_list, const char* pathname, const char* urlname)
-{
- struct ip_list* ip;
- BIO* bio = NULL;
- /* try random address first, and work through the list */
- wipe_ip_usage(ip_list);
- while( (ip = pick_random_ip(ip_list)) ) {
- ip->used = 1;
- bio = https_to_ip(ip, pathname, urlname);
- if(bio) break;
- }
- if(!bio) {
- if(verb) printf("could not fetch %s\n", pathname);
- exit(0);
- } else {
- if(verb) printf("fetched %s (%d bytes)\n",
- pathname, (int)BIO_ctrl_pending(bio));
- }
- return bio;
-}
-
-/** free up a downloaded file BIO */
-static void
-free_file_bio(BIO* bio)
-{
- char* pp = NULL;
- (void)BIO_reset(bio);
- (void)BIO_get_mem_data(bio, &pp);
- free(pp);
- BIO_free(bio);
-}
-
-/** XML parse private data during the parse */
-struct xml_data {
- /** the parser, reference */
- XML_Parser parser;
- /** the current tag; malloced; or NULL outside of tags */
- char* tag;
- /** current date to use during the parse */
- time_t date;
- /** number of keys usefully read in */
- int num_keys;
- /** the compiled anchors as DS records */
- BIO* ds;
-
- /** do we want to use this anchor? */
- int use_key;
- /** the current anchor: Zone */
- BIO* czone;
- /** the current anchor: KeyTag */
- BIO* ctag;
- /** the current anchor: Algorithm */
- BIO* calgo;
- /** the current anchor: DigestType */
- BIO* cdigtype;
- /** the current anchor: Digest*/
- BIO* cdigest;
-};
-
-/** The BIO for the tag */
-static BIO*
-xml_selectbio(struct xml_data* data, const char* tag)
-{
- BIO* b = NULL;
- if(strcasecmp(tag, "KeyTag") == 0)
- b = data->ctag;
- else if(strcasecmp(tag, "Algorithm") == 0)
- b = data->calgo;
- else if(strcasecmp(tag, "DigestType") == 0)
- b = data->cdigtype;
- else if(strcasecmp(tag, "Digest") == 0)
- b = data->cdigest;
- return b;
-}
-
-/**
- * XML handle character data, the data inside an element.
- * @param userData: xml_data structure
- * @param s: the character data. May not all be in one callback.
- * NOT zero terminated.
- * @param len: length of this part of the data.
- */
-static void
-xml_charhandle(void *userData, const XML_Char *s, int len)
-{
- struct xml_data* data = (struct xml_data*)userData;
- BIO* b = NULL;
- /* skip characters outside of elements */
- if(!data->tag)
- return;
- if(verb>=4) {
- int i;
- printf("%s%s charhandle: '",
- data->use_key?"use ":"",
- data->tag?data->tag:"none");
- for(i=0; i<len; i++)
- printf("%c", s[i]);
- printf("'\n");
- }
- if(strcasecmp(data->tag, "Zone") == 0) {
- if(BIO_write(data->czone, s, len) < 0) {
- if(verb) printf("out of memory in BIO_write\n");
- exit(0);
- }
- return;
- }
- /* only store if key is used */
- if(!data->use_key)
- return;
- b = xml_selectbio(data, data->tag);
- if(b) {
- if(BIO_write(b, s, len) < 0) {
- if(verb) printf("out of memory in BIO_write\n");
- exit(0);
- }
- }
-}
-
-/**
- * XML fetch value of particular attribute(by name) or NULL if not present.
- * @param atts: attribute array (from xml_startelem).
- * @param name: name of attribute to look for.
- * @return the value or NULL. (ptr into atts).
- */
-static const XML_Char*
-find_att(const XML_Char **atts, const XML_Char* name)
-{
- int i;
- for(i=0; atts[i]; i+=2) {
- if(strcasecmp(atts[i], name) == 0)
- return atts[i+1];
- }
- return NULL;
-}
-
-/**
- * XML convert DateTime element to time_t.
- * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm]
- * (with optional .ssssss fractional seconds)
- * @param str: the string
- * @return a time_t representation or 0 on failure.
- */
-static time_t
-xml_convertdate(const char* str)
-{
- time_t t = 0;
- struct tm tm;
- const char* s;
- /* for this application, ignore minus in front;
- * only positive dates are expected */
- s = str;
- if(s[0] == '-') s++;
- memset(&tm, 0, sizeof(tm));
- /* parse initial content of the string (lots of whitespace allowed) */
- s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm);
- if(!s) {
- if(verb) printf("xml_convertdate parse failure %s\n", str);
- return 0;
- }
- /* parse remainder of date string */
- if(*s == '.') {
- /* optional '.' and fractional seconds */
- int frac = 0, n = 0;
- if(sscanf(s+1, "%d%n", &frac, &n) < 1) {
- if(verb) printf("xml_convertdate f failure %s\n", str);
- return 0;
- }
- /* fraction is not used, time_t has second accuracy */
- s++;
- s+=n;
- }
- if(*s == 'Z' || *s == 'z') {
- /* nothing to do for this */
- s++;
- } else if(*s == '+' || *s == '-') {
- /* optional timezone spec: Z or +hh:mm or -hh:mm */
- int hr = 0, mn = 0, n = 0;
- if(sscanf(s+1, "%d:%d%n", &hr, &mn, &n) < 2) {
- if(verb) printf("xml_convertdate tz failure %s\n", str);
- return 0;
- }
- if(*s == '+') {
- tm.tm_hour += hr;
- tm.tm_min += mn;
- } else {
- tm.tm_hour -= hr;
- tm.tm_min -= mn;
- }
- s++;
- s += n;
- }
- if(*s != 0) {
- /* not ended properly */
- /* but ignore, (lenient) */
- }
-
- t = sldns_mktime_from_utc(&tm);
- if(t == (time_t)-1) {
- if(verb) printf("xml_convertdate mktime failure\n");
- return 0;
- }
- return t;
-}
-
-/**
- * XML handle the KeyDigest start tag, check validity periods.
- */
-static void
-handle_keydigest(struct xml_data* data, const XML_Char **atts)
-{
- data->use_key = 0;
- if(find_att(atts, "validFrom")) {
- time_t from = xml_convertdate(find_att(atts, "validFrom"));
- if(from == 0) {
- if(verb) printf("error: xml cannot be parsed\n");
- exit(0);
- }
- if(data->date < from)
- return;
- }
- if(find_att(atts, "validUntil")) {
- time_t until = xml_convertdate(find_att(atts, "validUntil"));
- if(until == 0) {
- if(verb) printf("error: xml cannot be parsed\n");
- exit(0);
- }
- if(data->date > until)
- return;
- }
- /* yes we want to use this key */
- data->use_key = 1;
- (void)BIO_reset(data->ctag);
- (void)BIO_reset(data->calgo);
- (void)BIO_reset(data->cdigtype);
- (void)BIO_reset(data->cdigest);
-}
-
-/** See if XML element equals the zone name */
-static int
-xml_is_zone_name(BIO* zone, const char* name)
-{
- char buf[1024];
- char* z = NULL;
- long zlen;
- (void)BIO_seek(zone, 0);
- zlen = BIO_get_mem_data(zone, &z);
- if(!zlen || !z) return 0;
- /* zero terminate */
- if(zlen >= (long)sizeof(buf)) return 0;
- memmove(buf, z, (size_t)zlen);
- buf[zlen] = 0;
- /* compare */
- return (strncasecmp(buf, name, strlen(name)) == 0);
-}
-
-/**
- * XML start of element. This callback is called whenever an XML tag starts.
- * XML_Char is UTF8.
- * @param userData: the xml_data structure.
- * @param name: the tag that starts.
- * @param atts: array of strings, pairs of attr = value, ends with NULL.
- * i.e. att[0]="att[1]" att[2]="att[3]" att[4]isNull
- */
-static void
-xml_startelem(void *userData, const XML_Char *name, const XML_Char **atts)
-{
- struct xml_data* data = (struct xml_data*)userData;
- BIO* b;
- if(verb>=4) printf("xml tag start '%s'\n", name);
- free(data->tag);
- data->tag = strdup(name);
- if(!data->tag) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- if(verb>=4) {
- int i;
- for(i=0; atts[i]; i+=2) {
- printf(" %s='%s'\n", atts[i], atts[i+1]);
- }
- }
- /* handle attributes to particular types */
- if(strcasecmp(name, "KeyDigest") == 0) {
- handle_keydigest(data, atts);
- return;
- } else if(strcasecmp(name, "Zone") == 0) {
- (void)BIO_reset(data->czone);
- return;
- }
-
- /* for other types we prepare to pick up the data */
- if(!data->use_key)
- return;
- b = xml_selectbio(data, data->tag);
- if(b) {
- /* empty it */
- (void)BIO_reset(b);
- }
-}
-
-/** Append str to bio */
-static void
-xml_append_str(BIO* b, const char* s)
-{
- if(BIO_write(b, s, (int)strlen(s)) < 0) {
- if(verb) printf("out of memory in BIO_write\n");
- exit(0);
- }
-}
-
-/** Append bio to bio */
-static void
-xml_append_bio(BIO* b, BIO* a)
-{
- char* z = NULL;
- long i, len;
- (void)BIO_seek(a, 0);
- len = BIO_get_mem_data(a, &z);
- if(!len || !z) {
- if(verb) printf("out of memory in BIO_write\n");
- exit(0);
- }
- /* remove newlines in the data here */
- for(i=0; i<len; i++) {
- if(z[i] == '\r' || z[i] == '\n')
- z[i] = ' ';
- }
- /* write to BIO */
- if(BIO_write(b, z, len) < 0) {
- if(verb) printf("out of memory in BIO_write\n");
- exit(0);
- }
-}
-
-/** write the parsed xml-DS to the DS list */
-static void
-xml_append_ds(struct xml_data* data)
-{
- /* write DS to accumulated DS */
- xml_append_str(data->ds, ". IN DS ");
- xml_append_bio(data->ds, data->ctag);
- xml_append_str(data->ds, " ");
- xml_append_bio(data->ds, data->calgo);
- xml_append_str(data->ds, " ");
- xml_append_bio(data->ds, data->cdigtype);
- xml_append_str(data->ds, " ");
- xml_append_bio(data->ds, data->cdigest);
- xml_append_str(data->ds, "\n");
- data->num_keys++;
-}
-
-/**
- * XML end of element. This callback is called whenever an XML tag ends.
- * XML_Char is UTF8.
- * @param userData: the xml_data structure
- * @param name: the tag that ends.
- */
-static void
-xml_endelem(void *userData, const XML_Char *name)
-{
- struct xml_data* data = (struct xml_data*)userData;
- if(verb>=4) printf("xml tag end '%s'\n", name);
- free(data->tag);
- data->tag = NULL;
- if(strcasecmp(name, "KeyDigest") == 0) {
- if(data->use_key)
- xml_append_ds(data);
- data->use_key = 0;
- } else if(strcasecmp(name, "Zone") == 0) {
- if(!xml_is_zone_name(data->czone, ".")) {
- if(verb) printf("xml not for the right zone\n");
- exit(0);
- }
- }
-}
-
-/* Stop the parser when an entity declaration is encountered. For safety. */
-static void
-xml_entitydeclhandler(void *userData,
- const XML_Char *ATTR_UNUSED(entityName),
- int ATTR_UNUSED(is_parameter_entity),
- const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length),
- const XML_Char *ATTR_UNUSED(base),
- const XML_Char *ATTR_UNUSED(systemId),
- const XML_Char *ATTR_UNUSED(publicId),
- const XML_Char *ATTR_UNUSED(notationName))
-{
-#if HAVE_DECL_XML_STOPPARSER
- (void)XML_StopParser((XML_Parser)userData, XML_FALSE);
-#else
- (void)userData;
-#endif
-}
-
-/**
- * XML parser setup of the callbacks for the tags
- */
-static void
-xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now)
-{
- char buf[1024];
- memset(data, 0, sizeof(*data));
- XML_SetUserData(parser, data);
- data->parser = parser;
- data->date = now;
- data->ds = BIO_new(BIO_s_mem());
- data->ctag = BIO_new(BIO_s_mem());
- data->czone = BIO_new(BIO_s_mem());
- data->calgo = BIO_new(BIO_s_mem());
- data->cdigtype = BIO_new(BIO_s_mem());
- data->cdigest = BIO_new(BIO_s_mem());
- if(!data->ds || !data->ctag || !data->calgo || !data->czone ||
- !data->cdigtype || !data->cdigest) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s",
- ctime(&now));
- if(BIO_write(data->ds, buf, (int)strlen(buf)) < 0) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- XML_SetEntityDeclHandler(parser, xml_entitydeclhandler);
- XML_SetElementHandler(parser, xml_startelem, xml_endelem);
- XML_SetCharacterDataHandler(parser, xml_charhandle);
-}
-
-/**
- * Perform XML parsing of the root-anchors file
- * Its format description can be read here
- * https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt
- * It uses libexpat.
- * @param xml: BIO with xml data.
- * @param now: the current time for checking DS validity periods.
- * @return memoryBIO with the DS data in zone format.
- * or NULL if the zone is insecure.
- * (It exit()s on error)
- */
-static BIO*
-xml_parse(BIO* xml, time_t now)
-{
- char* pp;
- int len;
- XML_Parser parser;
- struct xml_data data;
-
- parser = XML_ParserCreate(NULL);
- if(!parser) {
- if(verb) printf("could not XML_ParserCreate\n");
- exit(0);
- }
-
- /* setup callbacks */
- xml_parse_setup(parser, &data, now);
-
- /* parse it */
- (void)BIO_reset(xml);
- len = (int)BIO_get_mem_data(xml, &pp);
- if(!len || !pp) {
- if(verb) printf("out of memory\n");
- exit(0);
- }
- if(!XML_Parse(parser, pp, len, 1 /*isfinal*/ )) {
- const char *e = XML_ErrorString(XML_GetErrorCode(parser));
- if(verb) printf("XML_Parse failure %s\n", e?e:"");
- exit(0);
- }
-
- /* parsed */
- if(verb) printf("XML was parsed successfully, %d keys\n",
- data.num_keys);
- free(data.tag);
- XML_ParserFree(parser);
-
- if(verb >= 4) {
- (void)BIO_seek(data.ds, 0);
- len = BIO_get_mem_data(data.ds, &pp);
- printf("got DS bio %d: '", len);
- if(!fwrite(pp, (size_t)len, 1, stdout))
- /* compilers do not allow us to ignore fwrite .. */
- fprintf(stderr, "error writing to stdout\n");
- printf("'\n");
- }
- BIO_free(data.czone);
- BIO_free(data.ctag);
- BIO_free(data.calgo);
- BIO_free(data.cdigtype);
- BIO_free(data.cdigest);
-
- if(data.num_keys == 0) {
- /* the root zone seems to have gone insecure */
- BIO_free(data.ds);
- return NULL;
- } else {
- return data.ds;
- }
-}
-
-/* get key usage out of its extension, returns 0 if no key_usage extension */
-static unsigned long
-get_usage_of_ex(X509* cert)
-{
- unsigned long val = 0;
- ASN1_BIT_STRING* s;
- if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) {
- if(s->length > 0) {
- val = s->data[0];
- if(s->length > 1)
- val |= s->data[1] << 8;
- }
- ASN1_BIT_STRING_free(s);
- }
- return val;
-}
-
-/** get valid signers from the list of signers in the signature */
-static STACK_OF(X509)*
-get_valid_signers(PKCS7* p7, const char* p7signer)
-{
- int i;
- STACK_OF(X509)* validsigners = sk_X509_new_null();
- STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0);
- unsigned long usage = 0;
- if(!validsigners) {
- if(verb) printf("out of memory\n");
- sk_X509_free(signers);
- return NULL;
- }
- if(!signers) {
- if(verb) printf("no signers in pkcs7 signature\n");
- sk_X509_free(validsigners);
- return NULL;
- }
- for(i=0; i<sk_X509_num(signers); i++) {
- X509_NAME* nm = X509_get_subject_name(
- sk_X509_value(signers, i));
- char buf[1024];
- if(!nm) {
- if(verb) printf("signer %d: cert has no subject name\n", i);
- continue;
- }
- if(verb && nm) {
- char* nmline = X509_NAME_oneline(nm, buf,
- (int)sizeof(buf));
- printf("signer %d: Subject: %s\n", i,
- nmline?nmline:"no subject");
- if(verb >= 3 && X509_NAME_get_text_by_NID(nm,
- NID_commonName, buf, (int)sizeof(buf)))
- printf("commonName: %s\n", buf);
- if(verb >= 3 && X509_NAME_get_text_by_NID(nm,
- NID_pkcs9_emailAddress, buf, (int)sizeof(buf)))
- printf("emailAddress: %s\n", buf);
- }
- if(verb) {
- int ku_loc = X509_get_ext_by_NID(
- sk_X509_value(signers, i), NID_key_usage, -1);
- if(verb >= 3 && ku_loc >= 0) {
- X509_EXTENSION *ex = X509_get_ext(
- sk_X509_value(signers, i), ku_loc);
- if(ex) {
- printf("keyUsage: ");
- X509V3_EXT_print_fp(stdout, ex, 0, 0);
- printf("\n");
- }
- }
- }
- if(!p7signer || strcmp(p7signer, "")==0) {
- /* there is no name to check, return all records */
- if(verb) printf("did not check commonName of signer\n");
- } else {
- if(!X509_NAME_get_text_by_NID(nm,
- NID_pkcs9_emailAddress,
- buf, (int)sizeof(buf))) {
- if(verb) printf("removed cert with no name\n");
- continue; /* no name, no use */
- }
- if(strcmp(buf, p7signer) != 0) {
- if(verb) printf("removed cert with wrong name\n");
- continue; /* wrong name, skip it */
- }
- }
-
- /* check that the key usage allows digital signatures
- * (the p7s) */
- usage = get_usage_of_ex(sk_X509_value(signers, i));
- if(!(usage & KU_DIGITAL_SIGNATURE)) {
- if(verb) printf("removed cert with no key usage Digital Signature allowed\n");
- continue;
- }
-
- /* we like this cert, add it to our list of valid
- * signers certificates */
- sk_X509_push(validsigners, sk_X509_value(signers, i));
- }
- sk_X509_free(signers);
- return validsigners;
-}
-
-/** verify a PKCS7 signature, false on failure */
-static int
-verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer)
-{
- PKCS7* p7;
- X509_STORE *store = X509_STORE_new();
- STACK_OF(X509)* validsigners;
- int secure = 0;
- int i;
-#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
- X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
- if(!param) {
- if(verb) printf("out of memory\n");
- X509_STORE_free(store);
- return 0;
- }
- /* do the selfcheck on the root certificate; it checks that the
- * input is valid */
- X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE);
- if(store) X509_STORE_set1_param(store, param);
-#endif
- if(!store) {
- if(verb) printf("out of memory\n");
-#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
- X509_VERIFY_PARAM_free(param);
-#endif
- return 0;
- }
-#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
- X509_VERIFY_PARAM_free(param);
-#endif
-
- (void)BIO_reset(p7s);
- (void)BIO_reset(data);
-
- /* convert p7s to p7 (the signature) */
- p7 = d2i_PKCS7_bio(p7s, NULL);
- if(!p7) {
- if(verb) printf("could not parse p7s signature file\n");
- X509_STORE_free(store);
- return 0;
- }
- if(verb >= 2) printf("parsed the PKCS7 signature\n");
-
- /* convert trust to trusted certificate store */
- for(i=0; i<sk_X509_num(trust); i++) {
- if(!X509_STORE_add_cert(store, sk_X509_value(trust, i))) {
- if(verb) printf("failed X509_STORE_add_cert\n");
- X509_STORE_free(store);
- PKCS7_free(p7);
- return 0;
- }
- }
- if(verb >= 2) printf("setup the X509_STORE\n");
-
- /* check what is in the Subject name of the certificates,
- * and build a stack that contains only the right certificates */
- validsigners = get_valid_signers(p7, p7signer);
- if(!validsigners) {
- X509_STORE_free(store);
- PKCS7_free(p7);
- return 0;
- }
- if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) {
- secure = 1;
- if(verb) printf("the PKCS7 signature verified\n");
- } else {
- if(verb) {
- ERR_print_errors_fp(stdout);
- }
- }
-
- sk_X509_free(validsigners);
- X509_STORE_free(store);
- PKCS7_free(p7);
- return secure;
-}
-
-/** write unsigned root anchor file, a 5011 revoked tp */
-static void
-write_unsigned_root(const char* root_anchor_file)
-{
- FILE* out;
- time_t now = time(NULL);
- out = fopen(root_anchor_file, "w");
- if(!out) {
- if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
- return;
- }
- if(fprintf(out, "; autotrust trust anchor file\n"
- ";;REVOKED\n"
- ";;id: . 1\n"
- "; This file was written by unbound-anchor on %s"
- "; It indicates that the root does not use DNSSEC\n"
- "; to restart DNSSEC overwrite this file with a\n"
- "; valid trustanchor or (empty-it and run unbound-anchor)\n"
- , ctime(&now)) < 0) {
- if(verb) printf("failed to write 'unsigned' to %s\n",
- root_anchor_file);
- if(verb && errno != 0) printf("%s\n", strerror(errno));
- }
- fflush(out);
-#ifdef HAVE_FSYNC
- fsync(fileno(out));
-#else
- FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
-#endif
- fclose(out);
-}
-
-/** write root anchor file */
-static void
-write_root_anchor(const char* root_anchor_file, BIO* ds)
-{
- char* pp = NULL;
- int len;
- FILE* out;
- (void)BIO_seek(ds, 0);
- len = BIO_get_mem_data(ds, &pp);
- if(!len || !pp) {
- if(verb) printf("out of memory\n");
- return;
- }
- out = fopen(root_anchor_file, "w");
- if(!out) {
- if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
- return;
- }
- if(fwrite(pp, (size_t)len, 1, out) != 1) {
- if(verb) printf("failed to write all data to %s\n",
- root_anchor_file);
- if(verb && errno != 0) printf("%s\n", strerror(errno));
- }
- fflush(out);
-#ifdef HAVE_FSYNC
- fsync(fileno(out));
-#else
- FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
-#endif
- fclose(out);
-}
-
-/** Perform the verification and update of the trustanchor file */
-static void
-verify_and_update_anchor(const char* root_anchor_file, BIO* xml, BIO* p7s,
- STACK_OF(X509)* cert, const char* p7signer)
-{
- BIO* ds;
-
- /* verify xml file */
- if(!verify_p7sig(xml, p7s, cert, p7signer)) {
- printf("the PKCS7 signature failed\n");
- exit(0);
- }
-
- /* parse the xml file into DS records */
- ds = xml_parse(xml, time(NULL));
- if(!ds) {
- /* the root zone is unsigned now */
- write_unsigned_root(root_anchor_file);
- } else {
- /* reinstate 5011 tracking */
- write_root_anchor(root_anchor_file, ds);
- }
- BIO_free(ds);
-}
-
-#ifdef USE_WINSOCK
-static void do_wsa_cleanup(void) { WSACleanup(); }
-#endif
-
-/** perform actual certupdate work */
-static int
-do_certupdate(const char* root_anchor_file, const char* root_cert_file,
- const char* urlname, const char* xmlname, const char* p7sname,
- const char* p7signer, const char* res_conf, const char* root_hints,
- const char* debugconf, int ip4only, int ip6only, int port,
- struct ub_result* dnskey)
-{
- STACK_OF(X509)* cert;
- BIO *xml, *p7s;
- struct ip_list* ip_list = NULL;
-
- /* read pem file or provide builtin */
- cert = read_cert_or_builtin(root_cert_file);
-
- /* lookup A, AAAA for the urlname (or parse urlname if IP address) */
- ip_list = resolve_name(urlname, port, res_conf, root_hints, debugconf,
- ip4only, ip6only);
-
-#ifdef USE_WINSOCK
- if(1) { /* libunbound finished, startup WSA for the https connection */
- WSADATA wsa_data;
- int r;
- if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) {
- if(verb) printf("WSAStartup failed: %s\n",
- wsa_strerror(r));
- exit(0);
- }
- atexit(&do_wsa_cleanup);
- }
-#endif
-
- /* fetch the necessary files over HTTPS */
- xml = https(ip_list, xmlname, urlname);
- p7s = https(ip_list, p7sname, urlname);
-
- /* verify and update the root anchor */
- verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer);
- if(verb) printf("success: the anchor has been updated "
- "using the cert\n");
-
- free_file_bio(xml);
- free_file_bio(p7s);
-#ifndef S_SPLINT_S
- sk_X509_pop_free(cert, X509_free);
-#endif
- ub_resolve_free(dnskey);
- ip_list_free(ip_list);
- return 1;
-}
-
-/**
- * Try to read the root RFC5011 autotrust anchor file,
- * @param file: filename.
- * @return:
- * 0 if does not exist or empty
- * 1 if trust-point-revoked-5011
- * 2 if it is OK.
- */
-static int
-try_read_anchor(const char* file)
-{
- int empty = 1;
- char line[10240];
- char* p;
- FILE* in = fopen(file, "r");
- if(!in) {
- /* only if the file does not exist, can we fix it */
- if(errno != ENOENT) {
- if(verb) printf("%s: %s\n", file, strerror(errno));
- if(verb) printf("error: cannot access the file\n");
- exit(0);
- }
- if(verb) printf("%s does not exist\n", file);
- return 0;
- }
- while(fgets(line, (int)sizeof(line), in)) {
- line[sizeof(line)-1] = 0;
- if(strncmp(line, ";;REVOKED", 9) == 0) {
- fclose(in);
- if(verb) printf("%s : the trust point is revoked\n"
- "and the zone is considered unsigned.\n"
- "if you wish to re-enable, delete the file\n",
- file);
- return 1;
- }
- p=line;
- while(*p == ' ' || *p == '\t')
- p++;
- if(p[0]==0 || p[0]=='\n' || p[0]==';') continue;
- /* this line is a line of content */
- empty = 0;
- }
- fclose(in);
- if(empty) {
- if(verb) printf("%s is empty\n", file);
- return 0;
- }
- if(verb) printf("%s has content\n", file);
- return 2;
-}
-
-/** Write the builtin root anchor to a file */
-static void
-write_builtin_anchor(const char* file)
-{
- const char* builtin_root_anchor = get_builtin_ds();
- FILE* out = fopen(file, "w");
- if(!out) {
- if(verb) printf("%s: %s\n", file, strerror(errno));
- if(verb) printf(" could not write builtin anchor\n");
- return;
- }
- if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) {
- if(verb) printf("%s: %s\n", file, strerror(errno));
- if(verb) printf(" could not complete write builtin anchor\n");
- }
- fclose(out);
-}
-
-/**
- * Check the root anchor file.
- * If does not exist, provide builtin and write file.
- * If empty, provide builtin and write file.
- * If trust-point-revoked-5011 file: make the program exit.
- * @param root_anchor_file: filename of the root anchor.
- * @param used_builtin: set to 1 if the builtin is written.
- * @return 0 if trustpoint is insecure, 1 on success. Exit on failure.
- */
-static int
-provide_builtin(const char* root_anchor_file, int* used_builtin)
-{
- /* try to read it */
- switch(try_read_anchor(root_anchor_file))
- {
- case 0: /* no exist or empty */
- write_builtin_anchor(root_anchor_file);
- *used_builtin = 1;
- break;
- case 1: /* revoked tp */
- return 0;
- case 2: /* it is fine */
- default:
- break;
- }
- return 1;
-}
-
-/**
- * add an autotrust anchor for the root to the context
- */
-static void
-add_5011_probe_root(struct ub_ctx* ctx, const char* root_anchor_file)
-{
- int r;
- r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file);
- if(r) {
- if(verb) printf("add 5011 probe to ctx: %s\n", ub_strerror(r));
- ub_ctx_delete(ctx);
- exit(0);
- }
-}
-
-/**
- * Prime the root key and return the result. Exit on error.
- * @param ctx: the unbound context to perform the priming with.
- * @return: the result of the prime, on error it exit()s.
- */
-static struct ub_result*
-prime_root_key(struct ub_ctx* ctx)
-{
- struct ub_result* res = NULL;
- int r;
- r = ub_resolve(ctx, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, &res);
- if(r) {
- if(verb) printf("resolve DNSKEY: %s\n", ub_strerror(r));
- ub_ctx_delete(ctx);
- exit(0);
- }
- if(!res) {
- if(verb) printf("out of memory\n");
- ub_ctx_delete(ctx);
- exit(0);
- }
- return res;
-}
-
-/** see if ADDPEND keys exist in autotrust file (if possible) */
-static int
-read_if_pending_keys(const char* file)
-{
- FILE* in = fopen(file, "r");
- char line[8192];
- if(!in) {
- if(verb>=2) printf("%s: %s\n", file, strerror(errno));
- return 0;
- }
- while(fgets(line, (int)sizeof(line), in)) {
- if(line[0]==';') continue;
- if(strstr(line, "[ ADDPEND ]")) {
- fclose(in);
- if(verb) printf("RFC5011-state has ADDPEND keys\n");
- return 1;
- }
- }
- fclose(in);
- return 0;
-}
-
-/** read last successful probe time from autotrust file (if possible) */
-static int32_t
-read_last_success_time(const char* file)
-{
- FILE* in = fopen(file, "r");
- char line[1024];
- if(!in) {
- if(verb) printf("%s: %s\n", file, strerror(errno));
- return 0;
- }
- while(fgets(line, (int)sizeof(line), in)) {
- if(strncmp(line, ";;last_success: ", 16) == 0) {
- char* e;
- time_t x = (unsigned int)strtol(line+16, &e, 10);
- fclose(in);
- if(line+16 == e) {
- if(verb) printf("failed to parse "
- "last_success probe time\n");
- return 0;
- }
- if(verb) printf("last successful probe: %s", ctime(&x));
- return (int32_t)x;
- }
- }
- fclose(in);
- if(verb) printf("no last_success probe time in anchor file\n");
- return 0;
-}
-
-/**
- * Read autotrust 5011 probe file and see if the date
- * compared to the current date allows a certupdate.
- * If the last successful probe was recent then 5011 cannot be behind,
- * and the failure cannot be solved with a certupdate.
- * The debugconf is to validation-override the date for testing.
- * @param root_anchor_file: filename of root key
- * @return true if certupdate is ok.
- */
-static int
-probe_date_allows_certupdate(const char* root_anchor_file)
-{
- int has_pending_keys = read_if_pending_keys(root_anchor_file);
- int32_t last_success = read_last_success_time(root_anchor_file);
- int32_t now = (int32_t)time(NULL);
- int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */
- /* if the date is before 2010-07-15:00.00.00 then the root has not
- * been signed yet, and thus we refuse to take action. */
- if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) {
- if(verb) printf("the date is before the root was first signed,"
- " please correct the clock\n");
- return 0;
- }
- if(last_success == 0)
- return 1; /* no probe time */
- if(has_pending_keys)
- return 1; /* key in ADDPEND state, a previous probe has
- inserted that, and it was present in all recent probes,
- but it has not become active. The 30 day timer may not have
- expired, but we know(for sure) there is a rollover going on.
- If we only managed to pickup the new key on its last day
- of announcement (for example) this can happen. */
- if(now - last_success < 0) {
- if(verb) printf("the last successful probe is in the future,"
- " clock was modified\n");
- return 0;
- }
- if(now - last_success >= leeway) {
- if(verb) printf("the last successful probe was more than 30 "
- "days ago\n");
- return 1;
- }
- if(verb) printf("the last successful probe is recent\n");
- return 0;
-}
-
-/** perform the unbound-anchor work */
-static int
-do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
- const char* urlname, const char* xmlname, const char* p7sname,
- const char* p7signer, const char* res_conf, const char* root_hints,
- const char* debugconf, int ip4only, int ip6only, int force, int port)
-{
- struct ub_ctx* ctx;
- struct ub_result* dnskey;
- int used_builtin = 0;
-
- /* see if builtin rootanchor needs to be provided, or if
- * rootanchor is 'revoked-trust-point' */
- if(!provide_builtin(root_anchor_file, &used_builtin))
- return 0;
-
- /* make unbound context with 5011-probe for root anchor,
- * and probe . DNSKEY */
- ctx = create_unbound_context(res_conf, root_hints, debugconf,
- ip4only, ip6only);
- add_5011_probe_root(ctx, root_anchor_file);
- dnskey = prime_root_key(ctx);
- ub_ctx_delete(ctx);
-
- /* if secure: exit */
- if(dnskey->secure && !force) {
- if(verb) printf("success: the anchor is ok\n");
- ub_resolve_free(dnskey);
- return used_builtin;
- }
- if(force && verb) printf("debug cert update forced\n");
-
- /* if not (and NOERROR): check date and do certupdate */
- if((dnskey->rcode == 0 &&
- probe_date_allows_certupdate(root_anchor_file)) || force) {
- if(do_certupdate(root_anchor_file, root_cert_file, urlname,
- xmlname, p7sname, p7signer, res_conf, root_hints,
- debugconf, ip4only, ip6only, port, dnskey))
- return 1;
- return used_builtin;
- }
- if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
- ub_resolve_free(dnskey);
- return used_builtin;
-}
-
-/** getopt global, in case header files fail to declare it. */
-extern int optind;
-/** getopt global, in case header files fail to declare it. */
-extern char* optarg;
-
-/** Main routine for unbound-anchor */
-int main(int argc, char* argv[])
-{
- int c;
- const char* root_anchor_file = ROOT_ANCHOR_FILE;
- const char* root_cert_file = ROOT_CERT_FILE;
- const char* urlname = URLNAME;
- const char* xmlname = XMLNAME;
- const char* p7sname = P7SNAME;
- const char* p7signer = P7SIGNER;
- const char* res_conf = NULL;
- const char* root_hints = NULL;
- const char* debugconf = NULL;
- int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
- /* parse the options */
- while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
- switch(c) {
- case 'l':
- dolist = 1;
- break;
- case '4':
- ip4only = 1;
- break;
- case '6':
- ip6only = 1;
- break;
- case 'a':
- root_anchor_file = optarg;
- break;
- case 'c':
- root_cert_file = optarg;
- break;
- case 'u':
- urlname = optarg;
- break;
- case 'x':
- xmlname = optarg;
- break;
- case 's':
- p7sname = optarg;
- break;
- case 'n':
- p7signer = optarg;
- break;
- case 'f':
- res_conf = optarg;
- break;
- case 'r':
- root_hints = optarg;
- break;
- case 'C':
- debugconf = optarg;
- break;
- case 'F':
- force = 1;
- break;
- case 'P':
- port = atoi(optarg);
- break;
- case 'v':
- verb++;
- break;
- case '?':
- case 'h':
- default:
- usage();
- }
- }
- argc -= optind;
- argv += optind;
- if(argc != 0)
- usage();
-
-#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
- ERR_load_crypto_strings();
-#endif
- ERR_load_SSL_strings();
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
- OpenSSL_add_all_algorithms();
-#else
- OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
- | OPENSSL_INIT_ADD_ALL_DIGESTS
- | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
- (void)SSL_library_init();
-#else
- (void)OPENSSL_init_ssl(0, NULL);
-#endif
-
- if(dolist) do_list_builtin();
-
- return do_root_update_work(root_anchor_file, root_cert_file, urlname,
- xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
- ip4only, ip6only, force, port);
-}
diff --git a/external/unbound/smallapp/unbound-checkconf.c b/external/unbound/smallapp/unbound-checkconf.c
deleted file mode 100644
index ddf8b3a75..000000000
--- a/external/unbound/smallapp/unbound-checkconf.c
+++ /dev/null
@@ -1,619 +0,0 @@
-/*
- * checkconf/unbound-checkconf.c - config file checker for unbound.conf file.
- *
- * Copyright (c) 2007, NLnet Labs. All rights reserved.
- *
- * This software is open source.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of the NLNET LABS nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * \file
- *
- * The config checker checks for syntax and other errors in the unbound.conf
- * file, and can be used to check for errors before the server is started
- * or sigHUPped.
- * Exit status 1 means an error.
- */
-
-#include "config.h"
-#include "util/log.h"
-#include "util/config_file.h"
-#include "util/module.h"
-#include "util/net_help.h"
-#include "util/regional.h"
-#include "iterator/iterator.h"
-#include "iterator/iter_fwd.h"
-#include "iterator/iter_hints.h"
-#include "validator/validator.h"
-#include "services/localzone.h"
-#include "services/view.h"
-#include "respip/respip.h"
-#include "sldns/sbuffer.h"
-#ifdef HAVE_GETOPT_H
-#include <getopt.h>
-#endif
-#ifdef HAVE_PWD_H
-#include <pwd.h>
-#endif
-#ifdef HAVE_SYS_STAT_H
-#include <sys/stat.h>
-#endif
-#ifdef HAVE_GLOB_H
-#include <glob.h>
-#endif
-#ifdef WITH_PYTHONMODULE
-#include "pythonmod/pythonmod.h"
-#endif
-
-/** Give checkconf usage, and exit (1). */
-static void
-usage(void)
-{
- printf("Usage: unbound-checkconf [file]\n");
- printf(" Checks unbound configuration file for errors.\n");
- printf("file if omitted %s is used.\n", CONFIGFILE);
- printf("-o option print value of option to stdout.\n");
- printf("-f output full pathname with chroot applied, eg. with -o pidfile.\n");
- printf("-h show this usage help.\n");
- printf("Version %s\n", PACKAGE_VERSION);
- printf("BSD licensed, see LICENSE in source package for details.\n");
- printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
- exit(1);
-}
-
-/**
- * Print given option to stdout
- * @param cfg: config
- * @param opt: option name without trailing :.
- * This is different from config_set_option.
- * @param final: if final pathname with chroot applied has to be printed.
- */
-static void
-print_option(struct config_file* cfg, const char* opt, int final)
-{
- if(strcmp(opt, "pidfile") == 0 && final) {
- char *p = fname_after_chroot(cfg->pidfile, cfg, 1);
- if(!p) fatal_exit("out of memory");
- printf("%s\n", p);
- free(p);
- return;
- }
- if(!config_get_option(cfg, opt, config_print_func, stdout))
- fatal_exit("cannot print option '%s'", opt);
-}
-
-/** check if module works with config */
-static void
-check_mod(struct config_file* cfg, struct module_func_block* fb)
-{
- struct module_env env;
- memset(&env, 0, sizeof(env));
- env.cfg = cfg;
- env.scratch = regional_create();
- env.scratch_buffer = sldns_buffer_new(BUFSIZ);
- if(!env.scratch || !env.scratch_buffer)
- fatal_exit("out of memory");
- if(!edns_known_options_init(&env))
- fatal_exit("out of memory");
- if(!(*fb->init)(&env, 0)) {
- fatal_exit("bad config for %s module", fb->name);
- }
- (*fb->deinit)(&env, 0);
- sldns_buffer_free(env.scratch_buffer);
- regional_destroy(env.scratch);
- edns_known_options_delete(&env);
-}
-
-/** check localzones */
-static void
-localzonechecks(struct config_file* cfg)
-{
- struct local_zones* zs;
- if(!(zs = local_zones_create()))
- fatal_exit("out of memory");
- if(!local_zones_apply_cfg(zs, cfg))
- fatal_exit("failed local-zone, local-data configuration");
- local_zones_delete(zs);
-}
-
-/** check view and response-ip configuration */
-static void
-view_and_respipchecks(struct config_file* cfg)
-{
- struct views* views = NULL;
- struct respip_set* respip = NULL;
- int ignored = 0;
- if(!(views = views_create()))
- fatal_exit("Could not create views: out of memory");
- if(!(respip = respip_set_create()))
- fatal_exit("Could not create respip set: out of memory");
- if(!views_apply_cfg(views, cfg))
- fatal_exit("Could not set up views");
- if(!respip_global_apply_cfg(respip, cfg))
- fatal_exit("Could not setup respip set");
- if(!respip_views_apply_cfg(views, cfg, &ignored))
- fatal_exit("Could not setup per-view respip sets");
- views_delete(views);
- respip_set_delete(respip);
-}
-
-/** emit warnings for IP in hosts */
-static void
-warn_hosts(const char* typ, struct config_stub* list)
-{
- struct sockaddr_storage a;
- socklen_t alen;
- struct config_stub* s;
- struct config_strlist* h;
- for(s=list; s; s=s->next) {
- for(h=s->hosts; h; h=h->next) {
- if(extstrtoaddr(h->str, &a, &alen)) {
- fprintf(stderr, "unbound-checkconf: warning:"
- " %s %s: \"%s\" is an IP%s address, "
- "and when looked up as a host name "
- "during use may not resolve.\n",
- s->name, typ, h->str,
- addr_is_ip6(&a, alen)?"6":"4");
- }
- }
- }
-}
-
-/** check interface strings */
-static void
-interfacechecks(struct config_file* cfg)
-{
- int d;
- struct sockaddr_storage a;
- socklen_t alen;
- int i, j;
- for(i=0; i<cfg->num_ifs; i++) {
- if(!extstrtoaddr(cfg->ifs[i], &a, &alen)) {
- fatal_exit("cannot parse interface specified as '%s'",
- cfg->ifs[i]);
- }
- for(j=0; j<cfg->num_ifs; j++) {
- if(i!=j && strcmp(cfg->ifs[i], cfg->ifs[j])==0)
- fatal_exit("interface: %s present twice, "
- "cannot bind same ports twice.",
- cfg->ifs[i]);
- }
- }
- for(i=0; i<cfg->num_out_ifs; i++) {
- if(!ipstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen) &&
- !netblockstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen, &d)) {
- fatal_exit("cannot parse outgoing-interface "
- "specified as '%s'", cfg->out_ifs[i]);
- }
- for(j=0; j<cfg->num_out_ifs; j++) {
- if(i!=j && strcmp(cfg->out_ifs[i], cfg->out_ifs[j])==0)
- fatal_exit("outgoing-interface: %s present "
- "twice, cannot bind same ports twice.",
- cfg->out_ifs[i]);
- }
- }
-}
-
-/** check acl ips */
-static void
-aclchecks(struct config_file* cfg)
-{
- int d;
- struct sockaddr_storage a;
- socklen_t alen;
- struct config_str2list* acl;
- for(acl=cfg->acls; acl; acl = acl->next) {
- if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
- &d)) {
- fatal_exit("cannot parse access control address %s %s",
- acl->str, acl->str2);
- }
- }
-}
-
-/** true if fname is a file */
-static int
-is_file(const char* fname)
-{
- struct stat buf;
- if(stat(fname, &buf) < 0) {
- if(errno==EACCES) {
- printf("warning: no search permission for one of the directories in path: %s\n", fname);
- return 1;
- }
- perror(fname);
- return 0;
- }
- if(S_ISDIR(buf.st_mode)) {
- printf("%s is not a file\n", fname);
- return 0;
- }
- return 1;
-}
-
-/** true if fname is a directory */
-static int
-is_dir(const char* fname)
-{
- struct stat buf;
- if(stat(fname, &buf) < 0) {
- if(errno==EACCES) {
- printf("warning: no search permission for one of the directories in path: %s\n", fname);
- return 1;
- }
- perror(fname);
- return 0;
- }
- if(!(S_ISDIR(buf.st_mode))) {
- printf("%s is not a directory\n", fname);
- return 0;
- }
- return 1;
-}
-
-/** get base dir of a fname */
-static char*
-basedir(char* fname)
-{
- char* rev;
- if(!fname) fatal_exit("out of memory");
- rev = strrchr(fname, '/');
- if(!rev) return NULL;
- if(fname == rev) return NULL;
- rev[0] = 0;
- return fname;
-}
-
-/** check chroot for a file string */
-static void
-check_chroot_string(const char* desc, char** ss,
- const char* chrootdir, struct config_file* cfg)
-{
- char* str = *ss;
- if(str && str[0]) {
- *ss = fname_after_chroot(str, cfg, 1);
- if(!*ss) fatal_exit("out of memory");
- if(!is_file(*ss)) {
- if(chrootdir && chrootdir[0])
- fatal_exit("%s: \"%s\" does not exist in "
- "chrootdir %s", desc, str, chrootdir);
- else
- fatal_exit("%s: \"%s\" does not exist",
- desc, str);
- }
- /* put in a new full path for continued checking */
- free(str);
- }
-}
-
-/** check file list, every file must be inside the chroot location */
-static void
-check_chroot_filelist(const char* desc, struct config_strlist* list,
- const char* chrootdir, struct config_file* cfg)
-{
- struct config_strlist* p;
- for(p=list; p; p=p->next) {
- check_chroot_string(desc, &p->str, chrootdir, cfg);
- }
-}
-
-/** check file list, with wildcard processing */
-static void
-check_chroot_filelist_wild(const char* desc, struct config_strlist* list,
- const char* chrootdir, struct config_file* cfg)
-{
- struct config_strlist* p;
- for(p=list; p; p=p->next) {
-#ifdef HAVE_GLOB
- if(strchr(p->str, '*') || strchr(p->str, '[') ||
- strchr(p->str, '?') || strchr(p->str, '{') ||
- strchr(p->str, '~')) {
- char* s = p->str;
- /* adjust whole pattern for chroot and check later */
- p->str = fname_after_chroot(p->str, cfg, 1);
- free(s);
- } else
-#endif /* HAVE_GLOB */
- check_chroot_string(desc, &p->str, chrootdir, cfg);
- }
-}
-
-/** check configuration for errors */
-static void
-morechecks(struct config_file* cfg, const char* fname)
-{
- warn_hosts("stub-host", cfg->stubs);
- warn_hosts("forward-host", cfg->forwards);
- interfacechecks(cfg);
- aclchecks(cfg);
-
- if(cfg->verbosity < 0)
- fatal_exit("verbosity value < 0");
- if(cfg->num_threads <= 0 || cfg->num_threads > 10000)
- fatal_exit("num_threads value weird");
- if(!cfg->do_ip4 && !cfg->do_ip6)
- fatal_exit("ip4 and ip6 are both disabled, pointless");
- if(!cfg->do_ip6 && cfg->prefer_ip6)
- fatal_exit("cannot prefer and disable ip6, pointless");
- if(!cfg->do_udp && !cfg->do_tcp)
- fatal_exit("udp and tcp are both disabled, pointless");
- if(cfg->edns_buffer_size > cfg->msg_buffer_size)
- fatal_exit("edns-buffer-size larger than msg-buffer-size, "
- "answers will not fit in processing buffer");
-#ifdef UB_ON_WINDOWS
- w_config_adjust_directory(cfg);
-#endif
- if(cfg->chrootdir && cfg->chrootdir[0] &&
- cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
- fatal_exit("chootdir %s has trailing slash '/' please remove.",
- cfg->chrootdir);
- if(cfg->chrootdir && cfg->chrootdir[0] &&
- !is_dir(cfg->chrootdir)) {
- fatal_exit("bad chroot directory");
- }
- if(cfg->chrootdir && cfg->chrootdir[0]) {
- char buf[10240];
- buf[0] = 0;
- if(fname[0] != '/') {
- if(getcwd(buf, sizeof(buf)) == NULL)
- fatal_exit("getcwd: %s", strerror(errno));
- (void)strlcat(buf, "/", sizeof(buf));
- }
- (void)strlcat(buf, fname, sizeof(buf));
- if(strncmp(buf, cfg->chrootdir, strlen(cfg->chrootdir)) != 0)
- fatal_exit("config file %s is not inside chroot %s",
- buf, cfg->chrootdir);
- }
- if(cfg->directory && cfg->directory[0]) {
- char* ad = fname_after_chroot(cfg->directory, cfg, 0);
- if(!ad) fatal_exit("out of memory");
- if(!is_dir(ad)) fatal_exit("bad chdir directory");
- free(ad);
- }
- if( (cfg->chrootdir && cfg->chrootdir[0]) ||
- (cfg->directory && cfg->directory[0])) {
- if(cfg->pidfile && cfg->pidfile[0]) {
- char* ad = (cfg->pidfile[0]=='/')?strdup(cfg->pidfile):
- fname_after_chroot(cfg->pidfile, cfg, 1);
- char* bd = basedir(ad);
- if(bd && !is_dir(bd))
- fatal_exit("pidfile directory does not exist");
- free(ad);
- }
- if(cfg->logfile && cfg->logfile[0]) {
- char* ad = fname_after_chroot(cfg->logfile, cfg, 1);
- char* bd = basedir(ad);
- if(bd && !is_dir(bd))
- fatal_exit("logfile directory does not exist");
- free(ad);
- }
- }
-
- check_chroot_filelist("file with root-hints",
- cfg->root_hints, cfg->chrootdir, cfg);
- check_chroot_filelist("trust-anchor-file",
- cfg->trust_anchor_file_list, cfg->chrootdir, cfg);
- check_chroot_filelist("auto-trust-anchor-file",
- cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
- check_chroot_filelist_wild("trusted-keys-file",
- cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
- check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
- cfg->chrootdir, cfg);
- /* remove chroot setting so that modules are not stripping pathnames*/
- free(cfg->chrootdir);
- cfg->chrootdir = NULL;
-
- /* There should be no reason for 'respip' module not to work with
- * dns64, but it's not explicitly confirmed, so the combination is
- * excluded below. It's simply unknown yet for the combination of
- * respip and other modules. */
- if(strcmp(cfg->module_conf, "iterator") != 0
- && strcmp(cfg->module_conf, "validator iterator") != 0
- && strcmp(cfg->module_conf, "dns64 validator iterator") != 0
- && strcmp(cfg->module_conf, "dns64 iterator") != 0
- && strcmp(cfg->module_conf, "respip iterator") != 0
- && strcmp(cfg->module_conf, "respip validator iterator") != 0
-#ifdef WITH_PYTHONMODULE
- && strcmp(cfg->module_conf, "python iterator") != 0
- && strcmp(cfg->module_conf, "python validator iterator") != 0
- && strcmp(cfg->module_conf, "validator python iterator") != 0
- && strcmp(cfg->module_conf, "dns64 python iterator") != 0
- && strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
- && strcmp(cfg->module_conf, "dns64 validator python iterator") != 0
- && strcmp(cfg->module_conf, "python dns64 iterator") != 0
- && strcmp(cfg->module_conf, "python dns64 validator iterator") != 0
-#endif
-#ifdef USE_CACHEDB
- && strcmp(cfg->module_conf, "validator cachedb iterator") != 0
- && strcmp(cfg->module_conf, "cachedb iterator") != 0
- && strcmp(cfg->module_conf, "dns64 validator cachedb iterator") != 0
- && strcmp(cfg->module_conf, "dns64 cachedb iterator") != 0
-#endif
-#if defined(WITH_PYTHONMODULE) && defined(USE_CACHEDB)
- && strcmp(cfg->module_conf, "python dns64 cachedb iterator") != 0
- && strcmp(cfg->module_conf, "python dns64 validator cachedb iterator") != 0
- && strcmp(cfg->module_conf, "dns64 python cachedb iterator") != 0
- && strcmp(cfg->module_conf, "dns64 python validator cachedb iterator") != 0
- && strcmp(cfg->module_conf, "python cachedb iterator") != 0
- && strcmp(cfg->module_conf, "python validator cachedb iterator") != 0
- && strcmp(cfg->module_conf, "cachedb python iterator") != 0
- && strcmp(cfg->module_conf, "validator cachedb python iterator") != 0
- && strcmp(cfg->module_conf, "validator python cachedb iterator") != 0
-#endif
-#ifdef CLIENT_SUBNET
- && strcmp(cfg->module_conf, "subnetcache iterator") != 0
- && strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
-#endif
-#if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
- && strcmp(cfg->module_conf, "python subnetcache iterator") != 0
- && strcmp(cfg->module_conf, "subnetcache python iterator") != 0
- && strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
- && strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
- && strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
- && strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
-#endif
- ) {
- fatal_exit("module conf '%s' is not known to work",
- cfg->module_conf);
- }
-
-#ifdef HAVE_GETPWNAM
- if(cfg->username && cfg->username[0]) {
- if(getpwnam(cfg->username) == NULL)
- fatal_exit("user '%s' does not exist.", cfg->username);
-# ifdef HAVE_ENDPWENT
- endpwent();
-# endif
- }
-#endif
- if(cfg->remote_control_enable && cfg->remote_control_use_cert) {
- check_chroot_string("server-key-file", &cfg->server_key_file,
- cfg->chrootdir, cfg);
- check_chroot_string("server-cert-file", &cfg->server_cert_file,
- cfg->chrootdir, cfg);
- if(!is_file(cfg->control_key_file))
- fatal_exit("control-key-file: \"%s\" does not exist",
- cfg->control_key_file);
- if(!is_file(cfg->control_cert_file))
- fatal_exit("control-cert-file: \"%s\" does not exist",
- cfg->control_cert_file);
- }
-
- localzonechecks(cfg);
- view_and_respipchecks(cfg);
-}
-
-/** check forwards */
-static void
-check_fwd(struct config_file* cfg)
-{
- struct iter_forwards* fwd = forwards_create();
- if(!fwd || !forwards_apply_cfg(fwd, cfg)) {
- fatal_exit("Could not set forward zones");
- }
- forwards_delete(fwd);
-}
-
-/** check hints */
-static void
-check_hints(struct config_file* cfg)
-{
- struct iter_hints* hints = hints_create();
- if(!hints || !hints_apply_cfg(hints, cfg)) {
- fatal_exit("Could not set root or stub hints");
- }
- hints_delete(hints);
-}
-
-/** check config file */
-static void
-checkconf(const char* cfgfile, const char* opt, int final)
-{
- char oldwd[4096];
- struct config_file* cfg = config_create();
- if(!cfg)
- fatal_exit("out of memory");
- oldwd[0] = 0;
- if(!getcwd(oldwd, sizeof(oldwd))) {
- log_err("cannot getcwd: %s", strerror(errno));
- oldwd[0] = 0;
- }
- if(!config_read(cfg, cfgfile, NULL)) {
- /* config_read prints messages to stderr */
- config_delete(cfg);
- exit(1);
- }
- if(oldwd[0] && chdir(oldwd) == -1)
- log_err("cannot chdir(%s): %s", oldwd, strerror(errno));
- if(opt) {
- print_option(cfg, opt, final);
- config_delete(cfg);
- return;
- }
- morechecks(cfg, cfgfile);
- check_mod(cfg, iter_get_funcblock());
- check_mod(cfg, val_get_funcblock());
-#ifdef WITH_PYTHONMODULE
- if(strstr(cfg->module_conf, "python"))
- check_mod(cfg, pythonmod_get_funcblock());
-#endif
- check_fwd(cfg);
- check_hints(cfg);
- printf("unbound-checkconf: no errors in %s\n", cfgfile);
- config_delete(cfg);
-}
-
-/** getopt global, in case header files fail to declare it. */
-extern int optind;
-/** getopt global, in case header files fail to declare it. */
-extern char* optarg;
-
-/** Main routine for checkconf */
-int main(int argc, char* argv[])
-{
- int c;
- int final = 0;
- const char* f;
- const char* opt = NULL;
- const char* cfgfile = CONFIGFILE;
- log_ident_set("unbound-checkconf");
- log_init(NULL, 0, NULL);
- checklock_start();
-#ifdef USE_WINSOCK
- /* use registry config file in preference to compiletime location */
- if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile")))
- cfgfile = CONFIGFILE;
-#endif /* USE_WINSOCK */
- /* parse the options */
- while( (c=getopt(argc, argv, "fho:")) != -1) {
- switch(c) {
- case 'f':
- final = 1;
- break;
- case 'o':
- opt = optarg;
- break;
- case '?':
- case 'h':
- default:
- usage();
- }
- }
- argc -= optind;
- argv += optind;
- if(argc != 0 && argc != 1)
- usage();
- if(argc == 1)
- f = argv[0];
- else f = cfgfile;
- checkconf(f, opt, final);
- checklock_stop();
- return 0;
-}
diff --git a/external/unbound/smallapp/unbound-control-setup.sh.in b/external/unbound/smallapp/unbound-control-setup.sh.in
deleted file mode 100644
index 0d759f441..000000000
--- a/external/unbound/smallapp/unbound-control-setup.sh.in
+++ /dev/null
@@ -1,160 +0,0 @@
-#!/bin/sh
-#
-# unbound-control-setup.sh - set up SSL certificates for unbound-control
-#
-# Copyright (c) 2008, NLnet Labs. All rights reserved.
-#
-# This software is open source.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-#
-# Redistributions in binary form must reproduce the above copyright notice,
-# this list of conditions and the following disclaimer in the documentation
-# and/or other materials provided with the distribution.
-#
-# Neither the name of the NLNET LABS nor the names of its contributors may
-# be used to endorse or promote products derived from this software without
-# specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# settings:
-
-# directory for files
-DESTDIR=@ub_conf_dir@
-
-# issuer and subject name for certificates
-SERVERNAME=unbound
-CLIENTNAME=unbound-control
-
-# validity period for certificates
-DAYS=7200
-
-# size of keys in bits
-BITS=3072
-
-# hash algorithm
-HASH=sha256
-
-# base name for unbound server keys
-SVR_BASE=unbound_server
-
-# base name for unbound-control keys
-CTL_BASE=unbound_control
-
-# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
-umask 0027
-
-# end of options
-
-# functions:
-error ( ) {
- echo "$0 fatal error: $1"
- exit 1
-}
-
-# check arguments:
-while test $# -ne 0; do
- case $1 in
- -d)
- if test $# -eq 1; then error "need argument for -d"; fi
- DESTDIR="$2"
- shift
- ;;
- *)
- echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
- echo " -d dir use directory to store keys and certificates."
- echo " default: $DESTDIR"
- echo "please run this command using the same user id that the "
- echo "unbound daemon uses, it needs read privileges."
- exit 1
- ;;
- esac
- shift
-done
-
-# go!:
-echo "setup in directory $DESTDIR"
-cd "$DESTDIR" || error "could not cd to $DESTDIR"
-
-# create certificate keys; do not recreate if they already exist.
-if test -f $SVR_BASE.key; then
- echo "$SVR_BASE.key exists"
-else
- echo "generating $SVR_BASE.key"
- openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa"
-fi
-if test -f $CTL_BASE.key; then
- echo "$CTL_BASE.key exists"
-else
- echo "generating $CTL_BASE.key"
- openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa"
-fi
-
-# create self-signed cert for server
-echo "[req]" > request.cfg
-echo "default_bits=$BITS" >> request.cfg
-echo "default_md=$HASH" >> request.cfg
-echo "prompt=no" >> request.cfg
-echo "distinguished_name=req_distinguished_name" >> request.cfg
-echo "" >> request.cfg
-echo "[req_distinguished_name]" >> request.cfg
-echo "commonName=$SERVERNAME" >> request.cfg
-
-test -f request.cfg || error "could not create request.cfg"
-
-echo "create $SVR_BASE.pem (self signed certificate)"
-openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
-# create trusted usage pem
-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
-
-# create client request and sign it, piped
-echo "[req]" > request.cfg
-echo "default_bits=$BITS" >> request.cfg
-echo "default_md=$HASH" >> request.cfg
-echo "prompt=no" >> request.cfg
-echo "distinguished_name=req_distinguished_name" >> request.cfg
-echo "" >> request.cfg
-echo "[req_distinguished_name]" >> request.cfg
-echo "commonName=$CLIENTNAME" >> request.cfg
-
-test -f request.cfg || error "could not create request.cfg"
-
-echo "create $CTL_BASE.pem (signed client certificate)"
-openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
-test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
-# create trusted usage pem
-# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
-
-# see details with openssl x509 -noout -text < $SVR_BASE.pem
-# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
-# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
-# echo "preferences - advanced - encryption - view certificates - your certs"
-# echo "empty password is used, simply click OK on the password dialog box."
-# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
-
-# remove unused permissions
-chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
-
-# remove crap
-rm -f request.cfg
-rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl"
-
-echo "Setup success. Certificates created. Enable in unbound.conf file to use"
-
-exit 0
diff --git a/external/unbound/smallapp/unbound-control.c b/external/unbound/smallapp/unbound-control.c
deleted file mode 100644
index 6cd4e7086..000000000
--- a/external/unbound/smallapp/unbound-control.c
+++ /dev/null
@@ -1,791 +0,0 @@
-/*
- * checkconf/unbound-control.c - remote control utility for unbound.
- *
- * Copyright (c) 2008, NLnet Labs. All rights reserved.
- *
- * This software is open source.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of the NLNET LABS nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * \file
- *
- * The remote control utility contacts the unbound server over ssl and
- * sends the command, receives the answer, and displays the result
- * from the commandline.
- */
-
-#include "config.h"
-#ifdef HAVE_GETOPT_H
-#include <getopt.h>
-#endif
-#ifdef HAVE_OPENSSL_SSL_H
-#include <openssl/ssl.h>
-#endif
-#ifdef HAVE_OPENSSL_ERR_H
-#include <openssl/err.h>
-#endif
-#ifdef HAVE_OPENSSL_RAND_H
-#include <openssl/rand.h>
-#endif
-#include "util/log.h"
-#include "util/config_file.h"
-#include "util/locks.h"
-#include "util/net_help.h"
-#include "util/shm_side/shm_main.h"
-#include "daemon/stats.h"
-#include "sldns/wire2str.h"
-#include "sldns/pkthdr.h"
-
-#ifdef HAVE_SYS_IPC_H
-#include "sys/ipc.h"
-#endif
-#ifdef HAVE_SYS_SHM_H
-#include "sys/shm.h"
-#endif
-#ifdef HAVE_SYS_UN_H
-#include <sys/un.h>
-#endif
-
-/** Give unbound-control usage, and exit (1). */
-static void
-usage(void)
-{
- printf("Usage: unbound-control [options] command\n");
- printf(" Remote control utility for unbound server.\n");
- printf("Options:\n");
- printf(" -c file config file, default is %s\n", CONFIGFILE);
- printf(" -s ip[@port] server address, if omitted config is used.\n");
- printf(" -q quiet (don't print anything if it works ok).\n");
- printf(" -h show this usage help.\n");
- printf("Commands:\n");
- printf(" start start server; runs unbound(8)\n");
- printf(" stop stops the server\n");
- printf(" reload reloads the server\n");
- printf(" (this flushes data, stats, requestlist)\n");
- printf(" stats print statistics\n");
- printf(" stats_noreset peek at statistics\n");
-#ifdef HAVE_SHMGET
- printf(" stats_shm print statistics using shm\n");
-#endif
- printf(" status display status of server\n");
- printf(" verbosity <number> change logging detail\n");
- printf(" log_reopen close and open the logfile\n");
- printf(" local_zone <name> <type> add new local zone\n");
- printf(" local_zone_remove <name> remove local zone and its contents\n");
- printf(" local_data <RR data...> add local data, for example\n");
- printf(" local_data www.example.com A 192.0.2.1\n");
- printf(" local_data_remove <name> remove local RR data from name\n");
- printf(" local_zones, local_zones_remove, local_datas, local_datas_remove\n");
- printf(" same, but read list from stdin\n");
- printf(" (one entry per line).\n");
- printf(" dump_cache print cache to stdout\n");
- printf(" load_cache load cache from stdin\n");
- printf(" lookup <name> print nameservers for name\n");
- printf(" flush <name> flushes common types for name from cache\n");
- printf(" types: A, AAAA, MX, PTR, NS,\n");
- printf(" SOA, CNAME, DNAME, SRV, NAPTR\n");
- printf(" flush_type <name> <type> flush name, type from cache\n");
- printf(" flush_zone <name> flush everything at or under name\n");
- printf(" from rr and dnssec caches\n");
- printf(" flush_bogus flush all bogus data\n");
- printf(" flush_negative flush all negative data\n");
- printf(" flush_stats flush statistics, make zero\n");
- printf(" flush_requestlist drop queries that are worked on\n");
- printf(" dump_requestlist show what is worked on by first thread\n");
- printf(" flush_infra [all | ip] remove ping, edns for one IP or all\n");
- printf(" dump_infra show ping and edns entries\n");
- printf(" set_option opt: val set option to value, no reload\n");
- printf(" get_option opt get option value\n");
- printf(" list_stubs list stub-zones and root hints in use\n");
- printf(" list_forwards list forward-zones in use\n");
- printf(" list_insecure list domain-insecure zones\n");
- printf(" list_local_zones list local-zones in use\n");
- printf(" list_local_data list local-data RRs in use\n");
- printf(" insecure_add zone add domain-insecure zone\n");
- printf(" insecure_remove zone remove domain-insecure zone\n");
- printf(" forward_add [+i] zone addr.. add forward-zone with servers\n");
- printf(" forward_remove [+i] zone remove forward zone\n");
- printf(" stub_add [+ip] zone addr.. add stub-zone with servers\n");
- printf(" stub_remove [+i] zone remove stub zone\n");
- printf(" +i also do dnssec insecure point\n");
- printf(" +p set stub to use priming\n");
- printf(" forward [off | addr ...] without arg show forward setup\n");
- printf(" or off to turn off root forwarding\n");
- printf(" or give list of ip addresses\n");
- printf(" ratelimit_list [+a] list ratelimited domains\n");
- printf(" ip_ratelimit_list [+a] list ratelimited ip addresses\n");
- printf(" +a list all, also not ratelimited\n");
- printf(" view_list_local_zones view list local-zones in view\n");
- printf(" view_list_local_data view list local-data RRs in view\n");
- printf(" view_local_zone view name type add local-zone in view\n");
- printf(" view_local_zone_remove view name remove local-zone in view\n");
- printf(" view_local_data view RR... add local-data in view\n");
- printf(" view_local_data_remove view name remove local-data in view\n");
- printf("Version %s\n", PACKAGE_VERSION);
- printf("BSD licensed, see LICENSE in source package for details.\n");
- printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
- exit(1);
-}
-
-#ifdef HAVE_SHMGET
-/** what to put on statistics lines between var and value, ": " or "=" */
-#define SQ "="
-/** if true, inhibits a lot of =0 lines from the stats output */
-static const int inhibit_zero = 1;
-/** divide sum of timers to get average */
-static void
-timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
-{
-#ifndef S_SPLINT_S
- size_t leftover;
- if(d == 0) {
- avg->tv_sec = 0;
- avg->tv_usec = 0;
- return;
- }
- avg->tv_sec = sum->tv_sec / d;
- avg->tv_usec = sum->tv_usec / d;
- /* handle fraction from seconds divide */
- leftover = sum->tv_sec - avg->tv_sec*d;
- avg->tv_usec += (leftover*1000000)/d;
-#endif
-}
-
-/** print unsigned long stats value */
-#define PR_UL_NM(str, var) printf("%s."str SQ"%lu\n", nm, (unsigned long)(var));
-#define PR_UL(str, var) printf(str SQ"%lu\n", (unsigned long)(var));
-#define PR_UL_SUB(str, nm, var) printf(str".%s"SQ"%lu\n", nm, (unsigned long)(var));
-#define PR_TIMEVAL(str, var) printf(str SQ ARG_LL "d.%6.6d\n", \
- (long long)var.tv_sec, (int)var.tv_usec);
-#define PR_LL(str, var) printf(str SQ ARG_LL"d\n", (long long)(var));
-
-/** print stat block */
-static void pr_stats(const char* nm, struct stats_info* s)
-{
- struct timeval avg;
- PR_UL_NM("num.queries", s->svr.num_queries);
- PR_UL_NM("num.queries_ip_ratelimited",
- s->svr.num_queries_ip_ratelimited);
- PR_UL_NM("num.cachehits",
- s->svr.num_queries - s->svr.num_queries_missed_cache);
- PR_UL_NM("num.cachemiss", s->svr.num_queries_missed_cache);
- PR_UL_NM("num.prefetch", s->svr.num_queries_prefetch);
- PR_UL_NM("num.zero_ttl", s->svr.zero_ttl_responses);
- PR_UL_NM("num.recursivereplies", s->mesh_replies_sent);
-#ifdef USE_DNSCRYPT
- PR_UL_NM("num.dnscrypt.crypted", s->svr.num_query_dnscrypt_crypted);
- PR_UL_NM("num.dnscrypt.cert", s->svr.num_query_dnscrypt_cert);
- PR_UL_NM("num.dnscrypt.cleartext", s->svr.num_query_dnscrypt_cleartext);
- PR_UL_NM("num.dnscrypt.malformed",
- s->svr.num_query_dnscrypt_crypted_malformed);
-#endif
- printf("%s.requestlist.avg"SQ"%g\n", nm,
- (s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
- (double)s->svr.sum_query_list_size/
- (s->svr.num_queries_missed_cache+
- s->svr.num_queries_prefetch) : 0.0);
- PR_UL_NM("requestlist.max", s->svr.max_query_list_size);
- PR_UL_NM("requestlist.overwritten", s->mesh_jostled);
- PR_UL_NM("requestlist.exceeded", s->mesh_dropped);
- PR_UL_NM("requestlist.current.all", s->mesh_num_states);
- PR_UL_NM("requestlist.current.user", s->mesh_num_reply_states);
- timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
- printf("%s.", nm);
- PR_TIMEVAL("recursion.time.avg", avg);
- printf("%s.recursion.time.median"SQ"%g\n", nm, s->mesh_time_median);
- PR_UL_NM("tcpusage", s->svr.tcp_accept_usage);
-}
-
-/** print uptime */
-static void print_uptime(struct shm_stat_info* shm_stat)
-{
- PR_TIMEVAL("time.now", shm_stat->time.now);
- PR_TIMEVAL("time.up", shm_stat->time.up);
- PR_TIMEVAL("time.elapsed", shm_stat->time.elapsed);
-}
-
-/** print memory usage */
-static void print_mem(struct shm_stat_info* shm_stat)
-{
- PR_LL("mem.cache.rrset", shm_stat->mem.rrset);
- PR_LL("mem.cache.message", shm_stat->mem.msg);
- PR_LL("mem.cache.iterator", shm_stat->mem.iter);
- PR_LL("mem.cache.validator", shm_stat->mem.val);
-#ifdef CLIENT_SUBNET
- PR_LL("mem.cache.subnet", shm_stat->mem.subnet);
-#endif
-}
-
-/** print histogram */
-static void print_hist(struct stats_info* s)
-{
- struct timehist* hist;
- size_t i;
- hist = timehist_setup();
- if(!hist)
- fatal_exit("out of memory");
- timehist_import(hist, s->svr.hist, NUM_BUCKETS_HIST);
- for(i=0; i<hist->num; i++) {
- printf("histogram.%6.6d.%6.6d.to.%6.6d.%6.6d=%lu\n",
- (int)hist->buckets[i].lower.tv_sec,
- (int)hist->buckets[i].lower.tv_usec,
- (int)hist->buckets[i].upper.tv_sec,
- (int)hist->buckets[i].upper.tv_usec,
- (unsigned long)hist->buckets[i].count);
- }
- timehist_delete(hist);
-}
-
-/** print extended */
-static void print_extended(struct stats_info* s)
-{
- int i;
- char nm[16];
-
- /* TYPE */
- for(i=0; i<STATS_QTYPE_NUM; i++) {
- if(inhibit_zero && s->svr.qtype[i] == 0)
- continue;
- sldns_wire2str_type_buf((uint16_t)i, nm, sizeof(nm));
- PR_UL_SUB("num.query.type", nm, s->svr.qtype[i]);
- }
- if(!inhibit_zero || s->svr.qtype_big) {
- PR_UL("num.query.type.other", s->svr.qtype_big);
- }
-
- /* CLASS */
- for(i=0; i<STATS_QCLASS_NUM; i++) {
- if(inhibit_zero && s->svr.qclass[i] == 0)
- continue;
- sldns_wire2str_class_buf((uint16_t)i, nm, sizeof(nm));
- PR_UL_SUB("num.query.class", nm, s->svr.qclass[i]);
- }
- if(!inhibit_zero || s->svr.qclass_big) {
- PR_UL("num.query.class.other", s->svr.qclass_big);
- }
-
- /* OPCODE */
- for(i=0; i<STATS_OPCODE_NUM; i++) {
- if(inhibit_zero && s->svr.qopcode[i] == 0)
- continue;
- sldns_wire2str_opcode_buf(i, nm, sizeof(nm));
- PR_UL_SUB("num.query.opcode", nm, s->svr.qopcode[i]);
- }
-
- /* transport */
- PR_UL("num.query.tcp", s->svr.qtcp);
- PR_UL("num.query.tcpout", s->svr.qtcp_outgoing);
- PR_UL("num.query.ipv6", s->svr.qipv6);
-
- /* flags */
- PR_UL("num.query.flags.QR", s->svr.qbit_QR);
- PR_UL("num.query.flags.AA", s->svr.qbit_AA);
- PR_UL("num.query.flags.TC", s->svr.qbit_TC);
- PR_UL("num.query.flags.RD", s->svr.qbit_RD);
- PR_UL("num.query.flags.RA", s->svr.qbit_RA);
- PR_UL("num.query.flags.Z", s->svr.qbit_Z);
- PR_UL("num.query.flags.AD", s->svr.qbit_AD);
- PR_UL("num.query.flags.CD", s->svr.qbit_CD);
- PR_UL("num.query.edns.present", s->svr.qEDNS);
- PR_UL("num.query.edns.DO", s->svr.qEDNS_DO);
-
- /* RCODE */
- for(i=0; i<STATS_RCODE_NUM; i++) {
- /* Always include RCODEs 0-5 */
- if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
- continue;
- sldns_wire2str_rcode_buf(i, nm, sizeof(nm));
- PR_UL_SUB("num.answer.rcode", nm, s->svr.ans_rcode[i]);
- }
- if(!inhibit_zero || s->svr.ans_rcode_nodata) {
- PR_UL("num.answer.rcode.nodata", s->svr.ans_rcode_nodata);
- }
- /* validation */
- PR_UL("num.answer.secure", s->svr.ans_secure);
- PR_UL("num.answer.bogus", s->svr.ans_bogus);
- PR_UL("num.rrset.bogus", s->svr.rrset_bogus);
- /* threat detection */
- PR_UL("unwanted.queries", s->svr.unwanted_queries);
- PR_UL("unwanted.replies", s->svr.unwanted_replies);
- /* cache counts */
- PR_UL("msg.cache.count", s->svr.msg_cache_count);
- PR_UL("rrset.cache.count", s->svr.rrset_cache_count);
- PR_UL("infra.cache.count", s->svr.infra_cache_count);
- PR_UL("key.cache.count", s->svr.key_cache_count);
-}
-
-/** print statistics out of memory structures */
-static void do_stats_shm(struct config_file* cfg, struct stats_info* stats,
- struct shm_stat_info* shm_stat)
-{
- int i;
- char nm[16];
- for(i=0; i<cfg->num_threads; i++) {
- snprintf(nm, sizeof(nm), "thread%d", i);
- pr_stats(nm, &stats[i+1]);
- }
- pr_stats("total", &stats[0]);
- print_uptime(shm_stat);
- if(cfg->stat_extended) {
- print_mem(shm_stat);
- print_hist(stats);
- print_extended(stats);
- }
-}
-#endif /* HAVE_SHMGET */
-
-/** print statistics from shm memory segment */
-static void print_stats_shm(const char* cfgfile)
-{
-#ifdef HAVE_SHMGET
- struct config_file* cfg;
- struct stats_info* stats;
- struct shm_stat_info* shm_stat;
- int id_ctl, id_arr;
- /* read config */
- if(!(cfg = config_create()))
- fatal_exit("out of memory");
- if(!config_read(cfg, cfgfile, NULL))
- fatal_exit("could not read config file");
- /* get shm segments */
- id_ctl = shmget(cfg->shm_key, sizeof(int), SHM_R|SHM_W);
- if(id_ctl == -1) {
- fatal_exit("shmget(%d): %s", cfg->shm_key, strerror(errno));
- }
- id_arr = shmget(cfg->shm_key+1, sizeof(int), SHM_R|SHM_W);
- if(id_arr == -1) {
- fatal_exit("shmget(%d): %s", cfg->shm_key+1, strerror(errno));
- }
- shm_stat = (struct shm_stat_info*)shmat(id_ctl, NULL, 0);
- if(shm_stat == (void*)-1) {
- fatal_exit("shmat(%d): %s", id_ctl, strerror(errno));
- }
- stats = (struct stats_info*)shmat(id_arr, NULL, 0);
- if(stats == (void*)-1) {
- fatal_exit("shmat(%d): %s", id_arr, strerror(errno));
- }
-
- /* print the stats */
- do_stats_shm(cfg, stats, shm_stat);
-
- /* shutdown */
- shmdt(shm_stat);
- shmdt(stats);
- config_delete(cfg);
-#else
- (void)cfgfile;
-#endif /* HAVE_SHMGET */
-}
-
-/** exit with ssl error */
-static void ssl_err(const char* s)
-{
- fprintf(stderr, "error: %s\n", s);
- ERR_print_errors_fp(stderr);
- exit(1);
-}
-
-/** setup SSL context */
-static SSL_CTX*
-setup_ctx(struct config_file* cfg)
-{
- char* s_cert=NULL, *c_key=NULL, *c_cert=NULL;
- SSL_CTX* ctx;
-
- if(cfg->remote_control_use_cert) {
- s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
- c_key = fname_after_chroot(cfg->control_key_file, cfg, 1);
- c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1);
- if(!s_cert || !c_key || !c_cert)
- fatal_exit("out of memory");
- }
- ctx = SSL_CTX_new(SSLv23_client_method());
- if(!ctx)
- ssl_err("could not allocate SSL_CTX pointer");
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
- != SSL_OP_NO_SSLv2)
- ssl_err("could not set SSL_OP_NO_SSLv2");
- if(cfg->remote_control_use_cert) {
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
- != SSL_OP_NO_SSLv3)
- ssl_err("could not set SSL_OP_NO_SSLv3");
- if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
- !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
- || !SSL_CTX_check_private_key(ctx))
- ssl_err("Error setting up SSL_CTX client key and cert");
- if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1)
- ssl_err("Error setting up SSL_CTX verify, server cert");
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
-
- free(s_cert);
- free(c_key);
- free(c_cert);
- } else {
- /* Use ciphers that don't require authentication */
-#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
- SSL_CTX_set_security_level(ctx, 0);
-#endif
- if(!SSL_CTX_set_cipher_list(ctx, "aNULL, eNULL"))
- ssl_err("Error setting NULL cipher!");
- }
- return ctx;
-}
-
-/** contact the server with TCP connect */
-static int
-contact_server(const char* svr, struct config_file* cfg, int statuscmd)
-{
- struct sockaddr_storage addr;
- socklen_t addrlen;
- int addrfamily = 0;
- int fd;
- /* use svr or the first config entry */
- if(!svr) {
- if(cfg->control_ifs) {
- svr = cfg->control_ifs->str;
- } else if(cfg->do_ip4) {
- svr = "127.0.0.1";
- } else {
- svr = "::1";
- }
- /* config 0 addr (everything), means ask localhost */
- if(strcmp(svr, "0.0.0.0") == 0)
- svr = "127.0.0.1";
- else if(strcmp(svr, "::0") == 0 ||
- strcmp(svr, "0::0") == 0 ||
- strcmp(svr, "0::") == 0 ||
- strcmp(svr, "::") == 0)
- svr = "::1";
- }
- if(strchr(svr, '@')) {
- if(!extstrtoaddr(svr, &addr, &addrlen))
- fatal_exit("could not parse IP@port: %s", svr);
-#ifdef HAVE_SYS_UN_H
- } else if(svr[0] == '/') {
- struct sockaddr_un* usock = (struct sockaddr_un *) &addr;
- usock->sun_family = AF_LOCAL;
-#ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN
- usock->sun_len = (unsigned)sizeof(usock);
-#endif
- (void)strlcpy(usock->sun_path, svr, sizeof(usock->sun_path));
- addrlen = (socklen_t)sizeof(struct sockaddr_un);
- addrfamily = AF_LOCAL;
-#endif
- } else {
- if(!ipstrtoaddr(svr, cfg->control_port, &addr, &addrlen))
- fatal_exit("could not parse IP: %s", svr);
- }
-
- if(addrfamily == 0)
- addrfamily = addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET;
- fd = socket(addrfamily, SOCK_STREAM, 0);
- if(fd == -1) {
-#ifndef USE_WINSOCK
- fatal_exit("socket: %s", strerror(errno));
-#else
- fatal_exit("socket: %s", wsa_strerror(WSAGetLastError()));
-#endif
- }
- if(connect(fd, (struct sockaddr*)&addr, addrlen) < 0) {
-#ifndef USE_WINSOCK
- log_err_addr("connect", strerror(errno), &addr, addrlen);
- if(errno == ECONNREFUSED && statuscmd) {
- printf("unbound is stopped\n");
- exit(3);
- }
-#else
- log_err_addr("connect", wsa_strerror(WSAGetLastError()), &addr, addrlen);
- if(WSAGetLastError() == WSAECONNREFUSED && statuscmd) {
- printf("unbound is stopped\n");
- exit(3);
- }
-#endif
- exit(1);
- }
- return fd;
-}
-
-/** setup SSL on the connection */
-static SSL*
-setup_ssl(SSL_CTX* ctx, int fd, struct config_file* cfg)
-{
- SSL* ssl;
- X509* x;
- int r;
-
- ssl = SSL_new(ctx);
- if(!ssl)
- ssl_err("could not SSL_new");
- SSL_set_connect_state(ssl);
- (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
- if(!SSL_set_fd(ssl, fd))
- ssl_err("could not SSL_set_fd");
- while(1) {
- ERR_clear_error();
- if( (r=SSL_do_handshake(ssl)) == 1)
- break;
- r = SSL_get_error(ssl, r);
- if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE)
- ssl_err("SSL handshake failed");
- /* wants to be called again */
- }
-
- /* check authenticity of server */
- if(SSL_get_verify_result(ssl) != X509_V_OK)
- ssl_err("SSL verification failed");
- if(cfg->remote_control_use_cert) {
- x = SSL_get_peer_certificate(ssl);
- if(!x)
- ssl_err("Server presented no peer certificate");
- X509_free(x);
- }
-
- return ssl;
-}
-
-/** send stdin to server */
-static void
-send_file(SSL* ssl, FILE* in, char* buf, size_t sz)
-{
- while(fgets(buf, (int)sz, in)) {
- if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0)
- ssl_err("could not SSL_write contents");
- }
-}
-
-/** send end-of-file marker to server */
-static void
-send_eof(SSL* ssl)
-{
- char e[] = {0x04, 0x0a};
- if(SSL_write(ssl, e, (int)sizeof(e)) <= 0)
- ssl_err("could not SSL_write end-of-file marker");
-}
-
-/** send command and display result */
-static int
-go_cmd(SSL* ssl, int quiet, int argc, char* argv[])
-{
- char pre[10];
- const char* space=" ";
- const char* newline="\n";
- int was_error = 0, first_line = 1;
- int r, i;
- char buf[1024];
- snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
- if(SSL_write(ssl, pre, (int)strlen(pre)) <= 0)
- ssl_err("could not SSL_write");
- for(i=0; i<argc; i++) {
- if(SSL_write(ssl, space, (int)strlen(space)) <= 0)
- ssl_err("could not SSL_write");
- if(SSL_write(ssl, argv[i], (int)strlen(argv[i])) <= 0)
- ssl_err("could not SSL_write");
- }
- if(SSL_write(ssl, newline, (int)strlen(newline)) <= 0)
- ssl_err("could not SSL_write");
-
- if(argc == 1 && strcmp(argv[0], "load_cache") == 0) {
- send_file(ssl, stdin, buf, sizeof(buf));
- }
- else if(argc == 1 && (strcmp(argv[0], "local_zones") == 0 ||
- strcmp(argv[0], "local_zones_remove") == 0 ||
- strcmp(argv[0], "local_datas") == 0 ||
- strcmp(argv[0], "local_datas_remove") == 0)) {
- send_file(ssl, stdin, buf, sizeof(buf));
- send_eof(ssl);
- }
-
- while(1) {
- ERR_clear_error();
- if((r = SSL_read(ssl, buf, (int)sizeof(buf)-1)) <= 0) {
- if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
- /* EOF */
- break;
- }
- ssl_err("could not SSL_read");
- }
- buf[r] = 0;
- if(first_line && strncmp(buf, "error", 5) == 0) {
- printf("%s", buf);
- was_error = 1;
- } else if (!quiet)
- printf("%s", buf);
-
- first_line = 0;
- }
- return was_error;
-}
-
-/** go ahead and read config, contact server and perform command and display */
-static int
-go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
-{
- struct config_file* cfg;
- int fd, ret;
- SSL_CTX* ctx;
- SSL* ssl;
-
- /* read config */
- if(!(cfg = config_create()))
- fatal_exit("out of memory");
- if(!config_read(cfg, cfgfile, NULL))
- fatal_exit("could not read config file");
- if(!cfg->remote_control_enable)
- log_warn("control-enable is 'no' in the config file.");
-#ifdef UB_ON_WINDOWS
- w_config_adjust_directory(cfg);
-#endif
- ctx = setup_ctx(cfg);
-
- /* contact server */
- fd = contact_server(svr, cfg, argc>0&&strcmp(argv[0],"status")==0);
- ssl = setup_ssl(ctx, fd, cfg);
-
- /* send command */
- ret = go_cmd(ssl, quiet, argc, argv);
-
- SSL_free(ssl);
-#ifndef USE_WINSOCK
- close(fd);
-#else
- closesocket(fd);
-#endif
- SSL_CTX_free(ctx);
- config_delete(cfg);
- return ret;
-}
-
-/** getopt global, in case header files fail to declare it. */
-extern int optind;
-/** getopt global, in case header files fail to declare it. */
-extern char* optarg;
-
-/** Main routine for unbound-control */
-int main(int argc, char* argv[])
-{
- int c, ret;
- int quiet = 0;
- const char* cfgfile = CONFIGFILE;
- char* svr = NULL;
-#ifdef USE_WINSOCK
- int r;
- WSADATA wsa_data;
-#endif
-#ifdef USE_THREAD_DEBUG
- /* stop the file output from unbound-control, overwites the servers */
- extern int check_locking_order;
- check_locking_order = 0;
-#endif /* USE_THREAD_DEBUG */
- log_ident_set("unbound-control");
- log_init(NULL, 0, NULL);
- checklock_start();
-#ifdef USE_WINSOCK
- /* use registry config file in preference to compiletime location */
- if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile")))
- cfgfile = CONFIGFILE;
-#endif
- /* parse the options */
- while( (c=getopt(argc, argv, "c:s:qh")) != -1) {
- switch(c) {
- case 'c':
- cfgfile = optarg;
- break;
- case 's':
- svr = optarg;
- break;
- case 'q':
- quiet = 1;
- break;
- case '?':
- case 'h':
- default:
- usage();
- }
- }
- argc -= optind;
- argv += optind;
- if(argc == 0)
- usage();
- if(argc >= 1 && strcmp(argv[0], "start")==0) {
- if(execlp("unbound", "unbound", "-c", cfgfile,
- (char*)NULL) < 0) {
- fatal_exit("could not exec unbound: %s",
- strerror(errno));
- }
- }
- if(argc >= 1 && strcmp(argv[0], "stats_shm")==0) {
- print_stats_shm(cfgfile);
- return 0;
- }
-
-#ifdef USE_WINSOCK
- if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0)
- fatal_exit("WSAStartup failed: %s", wsa_strerror(r));
-#endif
-
-#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
- ERR_load_crypto_strings();
-#endif
- ERR_load_SSL_strings();
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
- OpenSSL_add_all_algorithms();
-#else
- OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
- | OPENSSL_INIT_ADD_ALL_DIGESTS
- | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
- (void)SSL_library_init();
-#else
- (void)OPENSSL_init_ssl(0, NULL);
-#endif
-
- if(!RAND_status()) {
- /* try to seed it */
- unsigned char buf[256];
- unsigned int seed=(unsigned)time(NULL) ^ (unsigned)getpid();
- unsigned int v = seed;
- size_t i;
- for(i=0; i<256/sizeof(v); i++) {
- memmove(buf+i*sizeof(v), &v, sizeof(v));
- v = v*seed + (unsigned int)i;
- }
- RAND_seed(buf, 256);
- log_warn("no entropy, seeding openssl PRNG with time\n");
- }
-
- ret = go(cfgfile, svr, quiet, argc, argv);
-
-#ifdef USE_WINSOCK
- WSACleanup();
-#endif
- checklock_stop();
- return ret;
-}
diff --git a/external/unbound/smallapp/unbound-host.c b/external/unbound/smallapp/unbound-host.c
deleted file mode 100644
index d7a36a231..000000000
--- a/external/unbound/smallapp/unbound-host.c
+++ /dev/null
@@ -1,497 +0,0 @@
-/*
- * checkconf/unbound-host.c - replacement for host that supports validation.
- *
- * Copyright (c) 2007, NLnet Labs. All rights reserved.
- *
- * This software is open source.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of the NLNET LABS nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * \file
- *
- * This file performs functionality like 'host', and also supports validation.
- * It uses the libunbound library.
- */
-
-#include "config.h"
-#ifdef HAVE_GETOPT_H
-#include <getopt.h>
-#endif
-/* remove alloc checks, not in this part of the code */
-#ifdef UNBOUND_ALLOC_STATS
-#undef malloc
-#undef calloc
-#undef free
-#undef realloc
-#endif
-#ifdef UNBOUND_ALLOC_LITE
-#undef malloc
-#undef calloc
-#undef free
-#undef realloc
-#undef strdup
-#define unbound_lite_wrapstr(s) s
-#endif
-#include "libunbound/unbound.h"
-#include "sldns/rrdef.h"
-#include "sldns/wire2str.h"
-#ifdef HAVE_NSS
-/* nss3 */
-#include "nss.h"
-#endif
-
-/** verbosity for unbound-host app */
-static int verb = 0;
-
-/** Give unbound-host usage, and exit (1). */
-static void
-usage(void)
-{
- printf("Usage: unbound-host [-vdhr46] [-c class] [-t type] hostname\n");
- printf(" [-y key] [-f keyfile] [-F namedkeyfile]\n");
- printf(" [-C configfile]\n");
- printf(" Queries the DNS for information.\n");
- printf(" The hostname is looked up for IP4, IP6 and mail.\n");
- printf(" If an ip-address is given a reverse lookup is done.\n");
- printf(" Use the -v option to see DNSSEC security information.\n");
- printf(" -t type what type to look for.\n");
- printf(" -c class what class to look for, if not class IN.\n");
- printf(" -y 'keystring' specify trust anchor, DS or DNSKEY, like\n");
- printf(" -y 'example.com DS 31560 5 1 1CFED8478...'\n");
- printf(" -D DNSSEC enable with default root anchor\n");
- printf(" from %s\n", ROOT_ANCHOR_FILE);
- printf(" -f keyfile read trust anchors from file, with lines as -y.\n");
- printf(" -F keyfile read named.conf-style trust anchors.\n");
- printf(" -C config use the specified unbound.conf (none read by default)\n");
- printf(" -r read forwarder information from /etc/resolv.conf\n");
- printf(" breaks validation if the forwarder does not do DNSSEC.\n");
- printf(" -v be more verbose, shows nodata and security.\n");
- printf(" -d debug, traces the action, -d -d shows more.\n");
- printf(" -4 use ipv4 network, avoid ipv6.\n");
- printf(" -6 use ipv6 network, avoid ipv4.\n");
- printf(" -h show this usage help.\n");
- printf("Version %s\n", PACKAGE_VERSION);
- printf("BSD licensed, see LICENSE in source package for details.\n");
- printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
- exit(1);
-}
-
-/** determine if str is ip4 and put into reverse lookup format */
-static int
-isip4(const char* nm, char** res)
-{
- struct in_addr addr;
- /* ddd.ddd.ddd.ddd.in-addr.arpa. is less than 32 */
- char buf[32];
- if(inet_pton(AF_INET, nm, &addr) <= 0) {
- return 0;
- }
- snprintf(buf, sizeof(buf), "%u.%u.%u.%u.in-addr.arpa",
- (unsigned)((uint8_t*)&addr)[3], (unsigned)((uint8_t*)&addr)[2],
- (unsigned)((uint8_t*)&addr)[1], (unsigned)((uint8_t*)&addr)[0]);
- *res = strdup(buf);
- return 1;
-}
-
-/** determine if str is ip6 and put into reverse lookup format */
-static int
-isip6(const char* nm, char** res)
-{
- struct in6_addr addr;
- /* [nibble.]{32}.ip6.arpa. is less than 128 */
- const char* hex = "0123456789abcdef";
- char buf[128];
- char *p;
- int i;
- if(inet_pton(AF_INET6, nm, &addr) <= 0) {
- return 0;
- }
- p = buf;
- for(i=15; i>=0; i--) {
- uint8_t b = ((uint8_t*)&addr)[i];
- *p++ = hex[ (b&0x0f) ];
- *p++ = '.';
- *p++ = hex[ (b&0xf0) >> 4 ];
- *p++ = '.';
- }
- snprintf(buf+16*4, sizeof(buf)-16*4, "ip6.arpa");
- *res = strdup(buf);
- if(!*res) {
- fprintf(stderr, "error: out of memory\n");
- exit(1);
- }
- return 1;
-}
-
-/** massage input name */
-static char*
-massage_qname(const char* nm, int* reverse)
-{
- /* recognise IP4 and IP6, create reverse addresses if needed */
- char* res;
- if(isip4(nm, &res)) {
- *reverse = 1;
- } else if(isip6(nm, &res)) {
- *reverse = 1;
- } else {
- res = strdup(nm);
- }
- if(!res) {
- fprintf(stderr, "error: out of memory\n");
- exit(1);
- }
- return res;
-}
-
-/** massage input type */
-static int
-massage_type(const char* t, int reverse, int* multi)
-{
- if(t) {
- int r = sldns_get_rr_type_by_name(t);
- if(r == 0 && strcasecmp(t, "TYPE0") != 0 &&
- strcmp(t, "") != 0) {
- fprintf(stderr, "error unknown type %s\n", t);
- exit(1);
- }
- return r;
- }
- if(!t && reverse)
- return LDNS_RR_TYPE_PTR;
- *multi = 1;
- return LDNS_RR_TYPE_A;
-}
-
-/** massage input class */
-static int
-massage_class(const char* c)
-{
- if(c) {
- int r = sldns_get_rr_class_by_name(c);
- if(r == 0 && strcasecmp(c, "CLASS0") != 0 &&
- strcmp(c, "") != 0) {
- fprintf(stderr, "error unknown class %s\n", c);
- exit(1);
- }
- return r;
- }
- return LDNS_RR_CLASS_IN;
-}
-
-/** nice security status string */
-static const char*
-secure_str(struct ub_result* result)
-{
- if(result->secure) return "(secure)";
- if(result->bogus) return "(BOGUS (security failure))";
- return "(insecure)";
-}
-
-/** nice string for type */
-static void
-pretty_type(char* s, size_t len, int t)
-{
- char d[16];
- sldns_wire2str_type_buf((uint16_t)t, d, sizeof(d));
- snprintf(s, len, "%s", d);
-}
-
-/** nice string for class */
-static void
-pretty_class(char* s, size_t len, int c)
-{
- char d[16];
- sldns_wire2str_class_buf((uint16_t)c, d, sizeof(d));
- snprintf(s, len, "%s", d);
-}
-
-/** nice string for rcode */
-static void
-pretty_rcode(char* s, size_t len, int r)
-{
- char d[16];
- sldns_wire2str_rcode_buf(r, d, sizeof(d));
- snprintf(s, len, "%s", d);
-}
-
-/** convert and print rdata */
-static void
-print_rd(int t, char* data, size_t len)
-{
- char s[65535];
- sldns_wire2str_rdata_buf((uint8_t*)data, len, s, sizeof(s), (uint16_t)t);
- printf(" %s", s);
-}
-
-/** pretty line of RR data for results */
-static void
-pretty_rdata(char* q, char* cstr, char* tstr, int t, const char* sec,
- char* data, size_t len)
-{
- printf("%s", q);
- if(strcmp(cstr, "IN") != 0)
- printf(" in class %s", cstr);
- if(t == LDNS_RR_TYPE_A)
- printf(" has address");
- else if(t == LDNS_RR_TYPE_AAAA)
- printf(" has IPv6 address");
- else if(t == LDNS_RR_TYPE_MX)
- printf(" mail is handled by");
- else if(t == LDNS_RR_TYPE_PTR)
- printf(" domain name pointer");
- else printf(" has %s record", tstr);
- print_rd(t, data, len);
- if(verb > 0)
- printf(" %s", sec);
- printf("\n");
-}
-
-/** pretty line of output for results */
-static void
-pretty_output(char* q, int t, int c, struct ub_result* result, int docname)
-{
- int i;
- const char *secstatus = secure_str(result);
- char tstr[16];
- char cstr[16];
- char rcodestr[16];
- pretty_type(tstr, 16, t);
- pretty_class(cstr, 16, c);
- pretty_rcode(rcodestr, 16, result->rcode);
-
- if(!result->havedata && result->rcode) {
- printf("Host %s not found: %d(%s).",
- q, result->rcode, rcodestr);
- if(verb > 0)
- printf(" %s", secstatus);
- printf("\n");
- if(result->bogus && result->why_bogus)
- printf("%s\n", result->why_bogus);
- return;
- }
- if(docname && result->canonname &&
- result->canonname != result->qname) {
- printf("%s is an alias for %s", result->qname,
- result->canonname);
- if(verb > 0)
- printf(" %s", secstatus);
- printf("\n");
- }
- /* remove trailing . from long canonnames for nicer output */
- if(result->canonname && strlen(result->canonname) > 1 &&
- result->canonname[strlen(result->canonname)-1] == '.')
- result->canonname[strlen(result->canonname)-1] = 0;
- if(!result->havedata) {
- if(verb > 0) {
- printf("%s", result->canonname?result->canonname:q);
- if(strcmp(cstr, "IN") != 0)
- printf(" in class %s", cstr);
- if(t == LDNS_RR_TYPE_A)
- printf(" has no address");
- else if(t == LDNS_RR_TYPE_AAAA)
- printf(" has no IPv6 address");
- else if(t == LDNS_RR_TYPE_PTR)
- printf(" has no domain name ptr");
- else if(t == LDNS_RR_TYPE_MX)
- printf(" has no mail handler record");
- else if(t == LDNS_RR_TYPE_ANY) {
- char* s = sldns_wire2str_pkt(
- result->answer_packet,
- (size_t)result->answer_len);
- if(!s) {
- fprintf(stderr, "alloc failure\n");
- exit(1);
- }
- printf("%s\n", s);
- } else printf(" has no %s record", tstr);
- printf(" %s\n", secstatus);
- }
- /* else: emptiness to indicate no data */
- if(result->bogus && result->why_bogus)
- printf("%s\n", result->why_bogus);
- return;
- }
- i=0;
- while(result->data[i])
- {
- pretty_rdata(
- result->canonname?result->canonname:q,
- cstr, tstr, t, secstatus, result->data[i],
- (size_t)result->len[i]);
- i++;
- }
- if(result->bogus && result->why_bogus)
- printf("%s\n", result->why_bogus);
-}
-
-/** perform a lookup and printout return if domain existed */
-static int
-dnslook(struct ub_ctx* ctx, char* q, int t, int c, int docname)
-{
- int ret;
- struct ub_result* result;
-
- ret = ub_resolve(ctx, q, t, c, &result);
- if(ret != 0) {
- fprintf(stderr, "resolve error: %s\n", ub_strerror(ret));
- exit(1);
- }
- pretty_output(q, t, c, result, docname);
- ret = result->nxdomain;
- ub_resolve_free(result);
- return ret;
-}
-
-/** perform host lookup */
-static void
-lookup(struct ub_ctx* ctx, const char* nm, const char* qt, const char* qc)
-{
- /* massage input into a query name, type and class */
- int multi = 0; /* no type, so do A, AAAA, MX */
- int reverse = 0; /* we are doing a reverse lookup */
- char* realq = massage_qname(nm, &reverse);
- int t = massage_type(qt, reverse, &multi);
- int c = massage_class(qc);
-
- /* perform the query */
- if(multi) {
- if(!dnslook(ctx, realq, LDNS_RR_TYPE_A, c, 1)) {
- /* domain exists, lookup more */
- (void)dnslook(ctx, realq, LDNS_RR_TYPE_AAAA, c, 0);
- (void)dnslook(ctx, realq, LDNS_RR_TYPE_MX, c, 0);
- }
- } else {
- (void)dnslook(ctx, realq, t, c, 1);
- }
- ub_ctx_delete(ctx);
- free(realq);
-}
-
-/** print error if any */
-static void
-check_ub_res(int r)
-{
- if(r != 0) {
- fprintf(stderr, "error: %s\n", ub_strerror(r));
- exit(1);
- }
-}
-
-/** getopt global, in case header files fail to declare it. */
-extern int optind;
-/** getopt global, in case header files fail to declare it. */
-extern char* optarg;
-
-/** Main routine for unbound-host */
-int main(int argc, char* argv[])
-{
- int c;
- char* qclass = NULL;
- char* qtype = NULL;
- struct ub_ctx* ctx = NULL;
- int debuglevel = 0;
-
- ctx = ub_ctx_create();
- if(!ctx) {
- fprintf(stderr, "error: out of memory\n");
- exit(1);
- }
- /* no need to fetch additional targets, we only do few lookups */
- check_ub_res(ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0"));
-
- /* parse the options */
- while( (c=getopt(argc, argv, "46DF:c:df:hrt:vy:C:")) != -1) {
- switch(c) {
- case '4':
- check_ub_res(ub_ctx_set_option(ctx, "do-ip6:", "no"));
- break;
- case '6':
- check_ub_res(ub_ctx_set_option(ctx, "do-ip4:", "no"));
- break;
- case 'c':
- qclass = optarg;
- break;
- case 'C':
- check_ub_res(ub_ctx_config(ctx, optarg));
- break;
- case 'D':
- check_ub_res(ub_ctx_add_ta_file(ctx, ROOT_ANCHOR_FILE));
- break;
- case 'd':
- debuglevel++;
- if(debuglevel < 2)
- debuglevel = 2; /* at least VERB_DETAIL */
- break;
- case 'r':
- check_ub_res(ub_ctx_resolvconf(ctx, "/etc/resolv.conf"));
- break;
- case 't':
- qtype = optarg;
- break;
- case 'v':
- verb++;
- break;
- case 'y':
- check_ub_res(ub_ctx_add_ta(ctx, optarg));
- break;
- case 'f':
- check_ub_res(ub_ctx_add_ta_file(ctx, optarg));
- break;
- case 'F':
- check_ub_res(ub_ctx_trustedkeys(ctx, optarg));
- break;
- case '?':
- case 'h':
- default:
- usage();
- }
- }
- if(debuglevel != 0) /* set after possible -C options */
- check_ub_res(ub_ctx_debuglevel(ctx, debuglevel));
- if(ub_ctx_get_option(ctx, "use-syslog", &optarg) == 0) {
- if(strcmp(optarg, "yes") == 0) /* disable use-syslog */
- check_ub_res(ub_ctx_set_option(ctx,
- "use-syslog:", "no"));
- free(optarg);
- }
- argc -= optind;
- argv += optind;
- if(argc != 1)
- usage();
-
-#ifdef HAVE_NSS
- if(NSS_NoDB_Init(".") != SECSuccess) {
- fprintf(stderr, "could not init NSS\n");
- return 1;
- }
-#endif
- lookup(ctx, argv[0], qtype, qclass);
- return 0;
-}
diff --git a/external/unbound/smallapp/worker_cb.c b/external/unbound/smallapp/worker_cb.c
deleted file mode 100644
index e88e8c8d7..000000000
--- a/external/unbound/smallapp/worker_cb.c
+++ /dev/null
@@ -1,250 +0,0 @@
-/*
- * checkconf/worker_cb.c - fake callback routines to make fptr_wlist work
- *
- * Copyright (c) 2007, NLnet Labs. All rights reserved.
- *
- * This software is open source.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of the NLNET LABS nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * \file
- *
- * This file contains fake callback functions, so that the symbols exist
- * and the fptr_wlist continues to work even if the daemon/worker is not
- * linked into the resulting program.
- */
-#include "config.h"
-#include "libunbound/context.h"
-#include "libunbound/worker.h"
-#include "util/fptr_wlist.h"
-#include "util/log.h"
-#include "services/mesh.h"
-
-void worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
- uint8_t* ATTR_UNUSED(buffer), size_t ATTR_UNUSED(len),
- int ATTR_UNUSED(error), void* ATTR_UNUSED(arg))
-{
- log_assert(0);
-}
-
-int worker_handle_request(struct comm_point* ATTR_UNUSED(c),
- void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
- struct comm_reply* ATTR_UNUSED(repinfo))
-{
- log_assert(0);
- return 0;
-}
-
-int worker_handle_reply(struct comm_point* ATTR_UNUSED(c),
- void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
- struct comm_reply* ATTR_UNUSED(reply_info))
-{
- log_assert(0);
- return 0;
-}
-
-int worker_handle_service_reply(struct comm_point* ATTR_UNUSED(c),
- void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
- struct comm_reply* ATTR_UNUSED(reply_info))
-{
- log_assert(0);
- return 0;
-}
-
-int remote_accept_callback(struct comm_point* ATTR_UNUSED(c),
- void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
- struct comm_reply* ATTR_UNUSED(repinfo))
-{
- log_assert(0);
- return 0;
-}
-
-int remote_control_callback(struct comm_point* ATTR_UNUSED(c),
- void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
- struct comm_reply* ATTR_UNUSED(repinfo))
-{
- log_assert(0);
- return 0;
-}
-
-void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg))
-{
- log_assert(0);
-}
-
-struct outbound_entry* worker_send_query(
- struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags),
- int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
- int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
- socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
- size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream),
- struct module_qstate* ATTR_UNUSED(q))
-{
- log_assert(0);
- return 0;
-}
-
-#ifdef UB_ON_WINDOWS
-void
-worker_win_stop_cb(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev), void*
- ATTR_UNUSED(arg)) {
- log_assert(0);
-}
-
-void
-wsvc_cron_cb(void* ATTR_UNUSED(arg))
-{
- log_assert(0);
-}
-#endif /* UB_ON_WINDOWS */
-
-void
-worker_alloc_cleanup(void* ATTR_UNUSED(arg))
-{
- log_assert(0);
-}
-
-struct outbound_entry* libworker_send_query(
- struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags),
- int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
- int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
- socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
- size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream),
- struct module_qstate* ATTR_UNUSED(q))
-{
- log_assert(0);
- return 0;
-}
-
-int libworker_handle_reply(struct comm_point* ATTR_UNUSED(c),
- void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
- struct comm_reply* ATTR_UNUSED(reply_info))
-{
- log_assert(0);
- return 0;
-}
-
-int libworker_handle_service_reply(struct comm_point* ATTR_UNUSED(c),
- void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
- struct comm_reply* ATTR_UNUSED(reply_info))
-{
- log_assert(0);
- return 0;
-}
-
-void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
- uint8_t* ATTR_UNUSED(buffer), size_t ATTR_UNUSED(len),
- int ATTR_UNUSED(error), void* ATTR_UNUSED(arg))
-{
- log_assert(0);
-}
-
-void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
- struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus))
-{
- log_assert(0);
-}
-
-void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
- struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus))
-{
- log_assert(0);
-}
-
-void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
- struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
- char* ATTR_UNUSED(why_bogus))
-{
- log_assert(0);
-}
-
-int context_query_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
-{
- log_assert(0);
- return 0;
-}
-
-void worker_stat_timer_cb(void* ATTR_UNUSED(arg))
-{
- log_assert(0);
-}
-
-void worker_probe_timer_cb(void* ATTR_UNUSED(arg))
-{
- log_assert(0);
-}
-
-void worker_start_accept(void* ATTR_UNUSED(arg))
-{
- log_assert(0);
-}
-
-void worker_stop_accept(void* ATTR_UNUSED(arg))
-{
- log_assert(0);
-}
-
-/** keep track of lock id in lock-verify application */
-struct order_id {
- /** the thread id that created it */
- int thr;
- /** the instance number of creation */
- int instance;
-};
-
-int order_lock_cmp(const void* e1, const void* e2)
-{
- const struct order_id* o1 = e1;
- const struct order_id* o2 = e2;
- if(o1->thr < o2->thr) return -1;
- if(o1->thr > o2->thr) return 1;
- if(o1->instance < o2->instance) return -1;
- if(o1->instance > o2->instance) return 1;
- return 0;
-}
-
-int
-codeline_cmp(const void* a, const void* b)
-{
- return strcmp(a, b);
-}
-
-int replay_var_compare(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
-{
- log_assert(0);
- return 0;
-}
-
-void remote_get_opt_ssl(char* ATTR_UNUSED(str), void* ATTR_UNUSED(arg))
-{
- log_assert(0);
-}