diff options
Diffstat (limited to 'usr.sbin/unbound/smallapp/unbound-anchor.c')
-rw-r--r-- | usr.sbin/unbound/smallapp/unbound-anchor.c | 140 |
1 files changed, 64 insertions, 76 deletions
diff --git a/usr.sbin/unbound/smallapp/unbound-anchor.c b/usr.sbin/unbound/smallapp/unbound-anchor.c index 8ea4726b063..9df0d95b417 100644 --- a/usr.sbin/unbound/smallapp/unbound-anchor.c +++ b/usr.sbin/unbound/smallapp/unbound-anchor.c @@ -244,7 +244,7 @@ get_builtin_ds(void) /** print hex data */ static void -print_data(char* msg, char* data, int len) +print_data(const char* msg, const char* data, int len) { int i; printf("%s: ", msg); @@ -268,8 +268,8 @@ ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2) * Create a new unbound context with the commandline settings applied */ static struct ub_ctx* -create_unbound_context(char* res_conf, char* root_hints, char* debugconf, - int ip4only, int ip6only) +create_unbound_context(const char* res_conf, const char* root_hints, + const char* debugconf, int ip4only, int ip6only) { int r; struct ub_ctx* ctx = ub_ctx_create(); @@ -306,7 +306,7 @@ create_unbound_context(char* res_conf, char* root_hints, char* debugconf, /** printout certificate in detail */ static void -verb_cert(char* msg, X509* x) +verb_cert(const char* msg, X509* x) { if(verb == 0 || verb == 1) return; if(verb == 2) { @@ -322,7 +322,7 @@ verb_cert(char* msg, X509* x) /** printout certificates in detail */ static void -verb_certs(char* msg, STACK_OF(X509)* sk) +verb_certs(const char* msg, STACK_OF(X509)* sk) { int i, num = sk_X509_num(sk); if(verb == 0 || verb == 1) return; @@ -360,7 +360,7 @@ read_cert_bio(BIO* bio) /* read the certificate file */ static STACK_OF(X509)* -read_cert_file(char* file) +read_cert_file(const char* file) { STACK_OF(X509)* sk; FILE* in; @@ -435,7 +435,7 @@ read_builtin_cert(void) /** read update cert file or use builtin */ static STACK_OF(X509)* -read_cert_or_builtin(char* file) +read_cert_or_builtin(const char* file) { STACK_OF(X509) *sk = read_cert_file(file); if(!sk) { @@ -459,7 +459,7 @@ do_list_builtin(void) /** printout IP address with message */ static void -verb_addr(char* msg, struct ip_list* ip) +verb_addr(const char* msg, struct ip_list* ip) { if(verb) { char out[100]; @@ -526,7 +526,7 @@ RR_to_ip(int tp, char* data, int len, int port) /** Resolve name, type, class and add addresses to iplist */ static void -resolve_host_ip(struct ub_ctx* ctx, char* host, int port, int tp, int cl, +resolve_host_ip(struct ub_ctx* ctx, const char* host, int port, int tp, int cl, struct ip_list** head) { struct ub_result* res = NULL; @@ -561,29 +561,27 @@ resolve_host_ip(struct ub_ctx* ctx, char* host, int port, int tp, int cl, /** parse a text IP address into a sockaddr */ static struct ip_list* -parse_ip_addr(char* str, int port) +parse_ip_addr(const char* str, int port) { socklen_t len = 0; - struct sockaddr_storage* addr = NULL; - struct sockaddr_in6 a6; - struct sockaddr_in a; + union { + struct sockaddr_in6 a6; + struct sockaddr_in a; + } addr; struct ip_list* ip; uint16_t p = (uint16_t)port; - memset(&a6, 0, sizeof(a6)); - memset(&a, 0, sizeof(a)); + memset(&addr, 0, sizeof(addr)); - if(inet_pton(AF_INET6, str, &a6.sin6_addr) > 0) { + if(inet_pton(AF_INET6, str, &addr.a6.sin6_addr) > 0) { /* it is an IPv6 */ - a6.sin6_family = AF_INET6; - a6.sin6_port = (in_port_t)htons(p); - addr = (struct sockaddr_storage*)&a6; - len = (socklen_t)sizeof(struct sockaddr_in6); + addr.a6.sin6_family = AF_INET6; + addr.a6.sin6_port = (in_port_t)htons(p); + len = (socklen_t)sizeof(addr.a6); } - if(inet_pton(AF_INET, str, &a.sin_addr) > 0) { + if(inet_pton(AF_INET, str, &addr.a.sin_addr) > 0) { /* it is an IPv4 */ - a.sin_family = AF_INET; - a.sin_port = (in_port_t)htons(p); - addr = (struct sockaddr_storage*)&a; + addr.a.sin_family = AF_INET; + addr.a.sin_port = (in_port_t)htons(p); len = (socklen_t)sizeof(struct sockaddr_in); } if(!len) return NULL; @@ -593,7 +591,7 @@ parse_ip_addr(char* str, int port) exit(0); } ip->len = len; - memmove(&ip->addr, addr, len); + memmove(&ip->addr, &addr, len); if(verb) printf("server address is %s\n", str); return ip; } @@ -613,8 +611,8 @@ parse_ip_addr(char* str, int port) * @return list of IP addresses. */ static struct ip_list* -resolve_name(char* host, int port, char* res_conf, char* root_hints, - char* debugconf, int ip4only, int ip6only) +resolve_name(const char* host, int port, const char* res_conf, + const char* root_hints, const char* debugconf, int ip4only, int ip6only) { struct ub_ctx* ctx; struct ip_list* list = NULL; @@ -669,15 +667,6 @@ count_unused(struct ip_list* p) return num; } -static int get_random(void) -{ - int r; - if (RAND_bytes((unsigned char*)&r, (int)sizeof(r)) == 1) { - return r; - } - return (int)random(); -} - /** pick random unused element from IP list */ static struct ip_list* pick_random_ip(struct ip_list* list) @@ -687,7 +676,7 @@ pick_random_ip(struct ip_list* list) int sel; if(num == 0) return NULL; /* not perfect, but random enough */ - sel = get_random() % num; + sel = (int)arc4random_uniform((uint32_t)num); /* skip over unused elements that we did not select */ while(sel > 0 && p) { if(!p->used) sel--; @@ -810,7 +799,7 @@ TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx) /** write a line over SSL */ static int -write_ssl_line(SSL* ssl, char* str, char* sec) +write_ssl_line(SSL* ssl, const char* str, const char* sec) { char buf[1024]; size_t l; @@ -1029,7 +1018,7 @@ do_chunked_read(SSL* ssl) /** start HTTP1.1 transaction on SSL */ static int -write_http_get(SSL* ssl, char* pathname, char* urlname) +write_http_get(SSL* ssl, const char* pathname, const char* urlname) { if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) && write_ssl_line(ssl, "Host: %s", urlname) && @@ -1100,7 +1089,7 @@ read_http_result(SSL* ssl) /** https to an IP addr, return BIO with pathname or NULL */ static BIO* -https_to_ip(struct ip_list* ip, char* pathname, char* urlname) +https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname) { int fd; SSL* ssl; @@ -1140,7 +1129,7 @@ https_to_ip(struct ip_list* ip, char* pathname, char* urlname) * @return a memory BIO with the file in it. */ static BIO* -https(struct ip_list* ip_list, char* pathname, char* urlname) +https(struct ip_list* ip_list, const char* pathname, const char* urlname) { struct ip_list* ip; BIO* bio = NULL; @@ -1222,7 +1211,7 @@ xml_selectbio(struct xml_data* data, const char* tag) * NOT zero terminated. * @param len: length of this part of the data. */ -void +static void xml_charhandle(void *userData, const XML_Char *s, int len) { struct xml_data* data = (struct xml_data*)userData; @@ -1265,7 +1254,7 @@ xml_charhandle(void *userData, const XML_Char *s, int len) * @return the value or NULL. (ptr into atts). */ static const XML_Char* -find_att(const XML_Char **atts, XML_Char* name) +find_att(const XML_Char **atts, const XML_Char* name) { int i; for(i=0; atts[i]; i+=2) { @@ -1379,7 +1368,7 @@ handle_keydigest(struct xml_data* data, const XML_Char **atts) /** See if XML element equals the zone name */ static int -xml_is_zone_name(BIO* zone, char* name) +xml_is_zone_name(BIO* zone, const char* name) { char buf[1024]; char* z = NULL; @@ -1611,8 +1600,6 @@ xml_parse(BIO* xml, time_t now) XML_ParserFree(parser); if(verb >= 4) { - char* pp = NULL; - int len; (void)BIO_seek(data.ds, 0); len = BIO_get_mem_data(data.ds, &pp); printf("got DS bio %d: '", len); @@ -1655,7 +1642,7 @@ get_usage_of_ex(X509* cert) /** get valid signers from the list of signers in the signature */ static STACK_OF(X509)* -get_valid_signers(PKCS7* p7, char* p7signer) +get_valid_signers(PKCS7* p7, const char* p7signer) { int i; STACK_OF(X509)* validsigners = sk_X509_new_null(); @@ -1738,7 +1725,7 @@ get_valid_signers(PKCS7* p7, char* p7signer) /** verify a PKCS7 signature, false on failure */ static int -verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, char* p7signer) +verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer) { PKCS7* p7; X509_STORE *store = X509_STORE_new(); @@ -1816,7 +1803,7 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, char* p7signer) /** write unsigned root anchor file, a 5011 revoked tp */ static void -write_unsigned_root(char* root_anchor_file) +write_unsigned_root(const char* root_anchor_file) { FILE* out; time_t now = time(NULL); @@ -1842,7 +1829,7 @@ write_unsigned_root(char* root_anchor_file) /** write root anchor file */ static void -write_root_anchor(char* root_anchor_file, BIO* ds) +write_root_anchor(const char* root_anchor_file, BIO* ds) { char* pp = NULL; int len; @@ -1868,8 +1855,8 @@ write_root_anchor(char* root_anchor_file, BIO* ds) /** Perform the verification and update of the trustanchor file */ static void -verify_and_update_anchor(char* root_anchor_file, BIO* xml, BIO* p7s, - STACK_OF(X509)* cert, char* p7signer) +verify_and_update_anchor(const char* root_anchor_file, BIO* xml, BIO* p7s, + STACK_OF(X509)* cert, const char* p7signer) { BIO* ds; @@ -1897,10 +1884,11 @@ static void do_wsa_cleanup(void) { WSACleanup(); } /** perform actual certupdate work */ static int -do_certupdate(char* root_anchor_file, char* root_cert_file, - char* urlname, char* xmlname, char* p7sname, char* p7signer, - char* res_conf, char* root_hints, char* debugconf, - int ip4only, int ip6only, int port, struct ub_result* dnskey) +do_certupdate(const char* root_anchor_file, const char* root_cert_file, + const char* urlname, const char* xmlname, const char* p7sname, + const char* p7signer, const char* res_conf, const char* root_hints, + const char* debugconf, int ip4only, int ip6only, int port, + struct ub_result* dnskey) { STACK_OF(X509)* cert; BIO *xml, *p7s; @@ -1954,7 +1942,7 @@ do_certupdate(char* root_anchor_file, char* root_cert_file, * 2 if it is OK. */ static int -try_read_anchor(char* file) +try_read_anchor(const char* file) { int empty = 1; char line[10240]; @@ -1998,7 +1986,7 @@ try_read_anchor(char* file) /** Write the builtin root anchor to a file */ static void -write_builtin_anchor(char* file) +write_builtin_anchor(const char* file) { const char* builtin_root_anchor = get_builtin_ds(); FILE* out = fopen(file, "w"); @@ -2024,7 +2012,7 @@ write_builtin_anchor(char* file) * @return 0 if trustpoint is insecure, 1 on success. Exit on failure. */ static int -provide_builtin(char* root_anchor_file, int* used_builtin) +provide_builtin(const char* root_anchor_file, int* used_builtin) { /* try to read it */ switch(try_read_anchor(root_anchor_file)) @@ -2046,7 +2034,7 @@ provide_builtin(char* root_anchor_file, int* used_builtin) * add an autotrust anchor for the root to the context */ static void -add_5011_probe_root(struct ub_ctx* ctx, char* root_anchor_file) +add_5011_probe_root(struct ub_ctx* ctx, const char* root_anchor_file) { int r; r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file); @@ -2083,7 +2071,7 @@ prime_root_key(struct ub_ctx* ctx) /** see if ADDPEND keys exist in autotrust file (if possible) */ static int -read_if_pending_keys(char* file) +read_if_pending_keys(const char* file) { FILE* in = fopen(file, "r"); char line[8192]; @@ -2105,7 +2093,7 @@ read_if_pending_keys(char* file) /** read last successful probe time from autotrust file (if possible) */ static int32_t -read_last_success_time(char* file) +read_last_success_time(const char* file) { FILE* in = fopen(file, "r"); char line[1024]; @@ -2142,7 +2130,7 @@ read_last_success_time(char* file) * @return true if certupdate is ok. */ static int -probe_date_allows_certupdate(char* root_anchor_file) +probe_date_allows_certupdate(const char* root_anchor_file) { int has_pending_keys = read_if_pending_keys(root_anchor_file); int32_t last_success = read_last_success_time(root_anchor_file); @@ -2180,10 +2168,10 @@ probe_date_allows_certupdate(char* root_anchor_file) /** perform the unbound-anchor work */ static int -do_root_update_work(char* root_anchor_file, char* root_cert_file, - char* urlname, char* xmlname, char* p7sname, char* p7signer, - char* res_conf, char* root_hints, char* debugconf, - int ip4only, int ip6only, int force, int port) +do_root_update_work(const char* root_anchor_file, const char* root_cert_file, + const char* urlname, const char* xmlname, const char* p7sname, + const char* p7signer, const char* res_conf, const char* root_hints, + const char* debugconf, int ip4only, int ip6only, int force, int port) { struct ub_ctx* ctx; struct ub_result* dnskey; @@ -2233,15 +2221,15 @@ extern char* optarg; int main(int argc, char* argv[]) { int c; - char* root_anchor_file = ROOT_ANCHOR_FILE; - char* root_cert_file = ROOT_CERT_FILE; - char* urlname = URLNAME; - char* xmlname = XMLNAME; - char* p7sname = P7SNAME; - char* p7signer = P7SIGNER; - char* res_conf = NULL; - char* root_hints = NULL; - char* debugconf = NULL; + const char* root_anchor_file = ROOT_ANCHOR_FILE; + const char* root_cert_file = ROOT_CERT_FILE; + const char* urlname = URLNAME; + const char* xmlname = XMLNAME; + const char* p7sname = P7SNAME; + const char* p7signer = P7SIGNER; + const char* res_conf = NULL; + const char* root_hints = NULL; + const char* debugconf = NULL; int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT; /* parse the options */ while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) { |