diff --git a/src/Makefile.in b/src/Makefile.in index 05e32b6f..48e8da3e 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -95,7 +95,7 @@ COMPAT_OBJ=$(LIBOBJS:.o=.lo) UTIL_OBJ=rbtree.lo lruhash.lo lookup3.lo locks.lo JSMN_OBJ=jsmn.lo -TLS_OBJ=tls.lo pubkey-pinning.lo keyraw-internal.lo val_secalgo.lo +TLS_OBJ=tls.lo pubkey-pinning.lo keyraw-internal.lo val_secalgo.lo anchor-internal.lo YXML_OBJ=yxml.lo YAML_OBJ=convert_yaml_to_json.lo @@ -147,7 +147,7 @@ $(EXTENSION_OBJ): $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/extension/$(@:.lo=.c) -o $@ anchor.lo: - $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/$(tlsdir)/anchor.c -o anchor.lo + $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/anchor.c -o anchor.lo context.lo: $(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/context.c -o context.lo diff --git a/src/openssl/anchor.c b/src/anchor.c similarity index 80% rename from src/openssl/anchor.c rename to src/anchor.c index 31e0e6f0..12f16841 100644 --- a/src/openssl/anchor.c +++ b/src/anchor.c @@ -33,9 +33,6 @@ #include "debug.h" #include "anchor.h" #include -#include -#include -#include #include #include #include "types-internal.h" 
@@ -52,141 +49,6 @@ #include "util-internal.h" #include "platform.h" -/* get key usage out of its extension, returns 0 if no key_usage extension */ -static unsigned long -_getdns_get_usage_of_ex(X509* cert) -{ - unsigned long val = 0; - ASN1_BIT_STRING* s; - - if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) { - if(s->length > 0) { - val = s->data[0]; - if(s->length > 1) - val |= s->data[1] << 8; - } - ASN1_BIT_STRING_free(s); - } - return val; -} - -/** get valid signers from the list of signers in the signature */ -static STACK_OF(X509)* -_getdns_get_valid_signers(PKCS7* p7, const char* p7signer) -{ - int i; - STACK_OF(X509)* validsigners = sk_X509_new_null(); - STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0); - unsigned long usage = 0; - if(!validsigners) { - DEBUG_ANCHOR("ERROR %s(): Failed to allocated validsigners\n" - , __FUNC__); - sk_X509_free(signers); - return NULL; - } - if(!signers) { - DEBUG_ANCHOR("ERROR %s(): Failed to allocated signers\n" - , __FUNC__); - sk_X509_free(validsigners); - return NULL; - } - for(i=0; idata, xml_bd->size))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n" - , __FUNC__); - - else if (!(p7s = BIO_new_mem_buf(p7s_bd->data, p7s_bd->size))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n" - , __FUNC__); - - else if (!(crt = BIO_new_mem_buf(crt_bd->data, crt_bd->size))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n" - , __FUNC__); - - else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL))) - DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n" - , __FUNC__); - - else if (!(store = X509_STORE_new())) - DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n" - , __FUNC__); - - else if (!X509_STORE_add_cert(store, x)) - DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n" - , __FUNC__); - - else if (_getdns_verify_p7sig(xml, p7s, store, p7signer)) { - gldns_buffer gbuf; - - gldns_buffer_init_vfixed_frm_data(&gbuf, tas, *tas_len); - - if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, 
now_ms, - (char *)xml_bd->data, xml_bd->size)) - DEBUG_ANCHOR("Failed to parse trust anchor XML data"); - - else if (gldns_buffer_position(&gbuf) > *tas_len) { - *tas_len = gldns_buffer_position(&gbuf); - if ((success = GETDNS_XMALLOC(*mf, uint8_t, *tas_len))) { - gldns_buffer_init_frm_data(&gbuf, success, *tas_len); - if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, - now_ms, (char *)xml_bd->data, xml_bd->size)) { - - DEBUG_ANCHOR("Failed to re-parse trust" - " anchor XML data\n"); - GETDNS_FREE(*mf, success); - success = NULL; - } - } else - DEBUG_ANCHOR("Could not allocate space for " - "trust anchors\n"); - } else { - success = tas; - *tas_len = gldns_buffer_position(&gbuf); - } - } else { - DEBUG_ANCHOR("Verifying trust-anchors failed!\n"); - } - if (store) X509_STORE_free(store); - if (x) X509_free(x); - if (crt) BIO_free(crt); - if (xml) BIO_free(xml); - if (p7s) BIO_free(p7s); - return success; -} - -void _getdns_context_equip_with_anchor( - getdns_context *context, uint64_t *now_ms) -{ - uint8_t xml_spc[4096], *xml_data = NULL; - uint8_t p7s_spc[4096], *p7s_data = NULL; - size_t xml_len, p7s_len; - const char *verify_email = NULL; - const char *verify_CA = NULL; - getdns_return_t r; - - BIO *xml = NULL, *p7s = NULL, *crt = NULL; - X509 *x = NULL; - X509_STORE *store = NULL; - - if ((r = getdns_context_get_trust_anchors_verify_CA( - context, &verify_CA))) - DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify" - " CA: \"%s\"\n", __FUNC__ - , getdns_get_errorstr_by_id(r)); - - else if (!verify_CA || !*verify_CA) - DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely " - "disabled by empty verify CA\n"); - - else if ((r = getdns_context_get_trust_anchors_verify_email( - context, &verify_email))) - DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify email " - "address: \"%s\"\n", __FUNC__ - , getdns_get_errorstr_by_id(r)); - - else if (!verify_email || !*verify_email) - DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely " - "disabled by empty 
verify email\n"); - - else if (!(xml_data = _getdns_context_get_priv_file(context, - "root-anchors.xml", xml_spc, sizeof(xml_spc), &xml_len))) - DEBUG_ANCHOR("DEBUG %s(): root-anchors.xml not present\n" - , __FUNC__); - - else if (!(p7s_data = _getdns_context_get_priv_file(context, - "root-anchors.p7s", p7s_spc, sizeof(p7s_spc), &p7s_len))) - DEBUG_ANCHOR("DEBUG %s(): root-anchors.p7s not present\n" - , __FUNC__); - - else if (!(xml = BIO_new_mem_buf(xml_data, xml_len))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n" - , __FUNC__); - - else if (!(p7s = BIO_new_mem_buf(p7s_data, p7s_len))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n" - , __FUNC__); - - else if (!(crt = BIO_new_mem_buf((void *)verify_CA, -1))) - DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n" - , __FUNC__); - - else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL))) - DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n" - , __FUNC__); - - else if (!(store = X509_STORE_new())) - DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n" - , __FUNC__); - - else if (!X509_STORE_add_cert(store, x)) - DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n" - , __FUNC__); - - else if (_getdns_verify_p7sig(xml, p7s, store, verify_email)) { - uint8_t ta_spc[sizeof(context->trust_anchors_spc)]; - size_t ta_len; - uint8_t *ta = NULL; - gldns_buffer gbuf; - - gldns_buffer_init_vfixed_frm_data( - &gbuf, ta_spc, sizeof(ta_spc)); - - if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms, - (char *)xml_data, xml_len)) - DEBUG_ANCHOR("Failed to parse trust anchor XML data"); - else if ((ta_len = gldns_buffer_position(&gbuf)) > sizeof(ta_spc)) { - if ((ta = GETDNS_XMALLOC(context->mf, uint8_t, ta_len))) { - gldns_buffer_init_frm_data(&gbuf, ta, - gldns_buffer_position(&gbuf)); - if (!_getdns_parse_xml_trust_anchors_buf( - &gbuf, now_ms, (char *)xml_data, xml_len)) { - DEBUG_ANCHOR("Failed to re-parse trust" - " anchor XML data"); - GETDNS_FREE(context->mf, ta); - } else { - 
context->trust_anchors = ta; - context->trust_anchors_len = ta_len; - context->trust_anchors_source = GETDNS_TASRC_XML; - _getdns_ta_notify_dnsreqs(context); - } - } else - DEBUG_ANCHOR("Could not allocate space for XML file"); - } else { - (void)memcpy(context->trust_anchors_spc, ta_spc, ta_len); - context->trust_anchors = context->trust_anchors_spc; - context->trust_anchors_len = ta_len; - context->trust_anchors_source = GETDNS_TASRC_XML; - _getdns_ta_notify_dnsreqs(context); - } - DEBUG_ANCHOR("ta: %p, ta_len: %d\n", - (void *)context->trust_anchors, (int)context->trust_anchors_len); - - } else { - DEBUG_ANCHOR("Verifying trust-anchors failed!\n"); - } - if (store) X509_STORE_free(store); - if (x) X509_free(x); - if (crt) BIO_free(crt); - if (xml) BIO_free(xml); - if (p7s) BIO_free(p7s); - if (xml_data && xml_data != xml_spc) - GETDNS_FREE(context->mf, xml_data); - if (p7s_data && p7s_data != p7s_spc) - GETDNS_FREE(context->mf, p7s_data); -} - static const char tas_write_p7s_buf[] = "GET %s HTTP/1.1\r\n" "Host: %s\r\n" @@ -1032,7 +700,7 @@ static void tas_doc_read(getdns_context *context, tas_connection *a) " email address: \"%s\"\n", __FUNC__ , getdns_get_errorstr_by_id(r)); - else if (!(tas = tas_validate(&context->mf, &a->xml, &p7s_bd, + else if (!(tas = _getdns_tas_validate(&context->mf, &a->xml, &p7s_bd, &verify_CA, verify_email, &now_ms, tas, &tas_len))) ; /* pass */ diff --git a/src/anchor.h b/src/anchor.h index 3c826384..139dd341 100644 --- a/src/anchor.h +++ b/src/anchor.h 
@@ -39,6 +39,29 @@ #include #include "rr-iter.h" +#include "types-internal.h" + +/** + ** Internal functions, implemented in anchor-internal.c. + **/ +void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms); + +uint8_t *_getdns_tas_validate(struct mem_funcs *mf, + const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd, + const getdns_bindata *crt_bd, const char *p7signer, + uint64_t *now_ms, uint8_t *tas, size_t *tas_len); + + +/** + ** anchor.c functions used by anchor-internal.c. + **/ +time_t _getdns_xml_convertdate(const char* str); + +uint16_t _getdns_parse_xml_trust_anchors_buf(gldns_buffer *gbuf, uint64_t *now_ms, char *xml_data, size_t xml_len); + +/** + ** Public interface. + **/ void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms); void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop); diff --git a/src/gnutls/anchor.c b/src/gnutls/anchor-internal.c similarity index 82% rename from src/gnutls/anchor.c rename to src/gnutls/anchor-internal.c index 57fb60e1..45b58d52 100644 --- a/src/gnutls/anchor.c +++ b/src/gnutls/anchor-internal.c @@ -34,15 +34,15 @@ #include "config.h" #include "anchor.h" -void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms) +void _getdns_context_equip_with_anchor( + getdns_context *context, uint64_t *now_ms) { } -void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) -{ -} - -void _getdns_context_update_root_ksk( - getdns_context *context, _getdns_rrset *dnskey_set) +uint8_t *_getdns_tas_validate(struct mem_funcs *mf, + const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd, + const getdns_bindata *crt_bd, const char *p7signer, + uint64_t *now_ms, uint8_t *tas, size_t *tas_len) { + return NULL; } diff --git a/src/openssl/anchor-internal.c b/src/openssl/anchor-internal.c new file mode 100644 index 00000000..db9e01f8 --- /dev/null +++ b/src/openssl/anchor-internal.c 
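Review bot: `_getdns_context_equip_with_anchor` is now declared twice in anchor.h, once under the "Internal functions, implemented in anchor-internal.c" comment and again under "Public interface"; one of the two prototypes should go, and since the implementation lives in the backend file the first placement is the accurate one. The new `_getdns_tas_validate` prototype also has no contract comment, although callers must know who owns the result: in the OpenSSL implementation it returns `tas` when the parsed anchors fit in `*tas_len`, otherwise a buffer allocated through `mf` that the caller frees, and `NULL` on verification or parse failure, with `*tas_len` set to the used length. Suggested comment above the prototype: `/* Verify xml_bd against p7s_bd using the CA in crt_bd and signer email p7signer, then parse the anchors into tas (capacity *tas_len). Returns tas, or a buffer from mf when tas is too small (caller frees), or NULL on failure; *tas_len receives the used length. */`.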
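Review bot: The GnuTLS `_getdns_tas_validate` returns NULL unconditionally and `_getdns_context_equip_with_anchor` has an empty body, so with this backend a stored root-anchors.xml is never loaded and a fetched copy is always rejected; that is the correct fail-closed outcome for unverifiable anchors, but nothing in the file says it is deliberate. A comment such as `/* PKCS#7 verification of root-anchors.xml is not implemented for GnuTLS; fail closed so unverified anchors are never installed. */` should record it, and the unused parameters deserve `(void)` casts so the backend builds warning-free. With the `_getdns_start_fetching_ta` stub removed here, the generic fetcher in src/anchor.c presumably runs under GnuTLS as well, downloading anchors it will then always discard; if so, consider having that path return early for this backend instead of fetching.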
@@ -0,0 +1,382 @@ +/** + * + * /brief functions for DNSSEC trust anchor management + */ +/* + * Copyright (c) 2017, NLnet Labs, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the names of the copyright holders nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" +#include "debug.h" +#include "anchor.h" +#include +#include +#include +#include +#include +#include +#include "types-internal.h" +#include "context.h" +#include "dnssec.h" +#include "yxml/yxml.h" +#include "gldns/parseutil.h" +#include "gldns/gbuffer.h" +#include "gldns/str2wire.h" +#include "gldns/wire2str.h" +#include "gldns/pkthdr.h" +#include "gldns/keyraw.h" +#include "general.h" +#include "util-internal.h" +#include "platform.h" + +/* get key usage out of its extension, returns 0 if no key_usage extension */ +static unsigned long +_getdns_get_usage_of_ex(X509* cert) +{ + unsigned long val = 0; + ASN1_BIT_STRING* s; + + if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) { + if(s->length > 0) { + val = s->data[0]; + if(s->length > 1) + val |= s->data[1] << 8; + } + ASN1_BIT_STRING_free(s); + } + return val; +} + +/** get valid signers from the list of signers in the signature */ +static STACK_OF(X509)* +_getdns_get_valid_signers(PKCS7* p7, const char* p7signer) +{ + int i; + STACK_OF(X509)* validsigners = sk_X509_new_null(); + STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0); + unsigned long usage = 0; + if(!validsigners) { + DEBUG_ANCHOR("ERROR %s(): Failed to allocated validsigners\n" + , __FUNC__); + sk_X509_free(signers); + return NULL; + } + if(!signers) { + DEBUG_ANCHOR("ERROR %s(): Failed to allocated signers\n" + , __FUNC__); + sk_X509_free(validsigners); + return NULL; + } + for(i=0; idata, xml_bd->size))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n" + , __FUNC__); + + else if (!(p7s = BIO_new_mem_buf(p7s_bd->data, p7s_bd->size))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n" + , __FUNC__); + + else if (!(crt = BIO_new_mem_buf(crt_bd->data, crt_bd->size))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n" + , __FUNC__); + + else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL))) + DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n" + , __FUNC__); + + else if (!(store = 
X509_STORE_new())) + DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n" + , __FUNC__); + + else if (!X509_STORE_add_cert(store, x)) + DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n" + , __FUNC__); + + else if (_getdns_verify_p7sig(xml, p7s, store, p7signer)) { + gldns_buffer gbuf; + + gldns_buffer_init_vfixed_frm_data(&gbuf, tas, *tas_len); + + if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms, + (char *)xml_bd->data, xml_bd->size)) + DEBUG_ANCHOR("Failed to parse trust anchor XML data"); + + else if (gldns_buffer_position(&gbuf) > *tas_len) { + *tas_len = gldns_buffer_position(&gbuf); + if ((success = GETDNS_XMALLOC(*mf, uint8_t, *tas_len))) { + gldns_buffer_init_frm_data(&gbuf, success, *tas_len); + if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, + now_ms, (char *)xml_bd->data, xml_bd->size)) { + + DEBUG_ANCHOR("Failed to re-parse trust" + " anchor XML data\n"); + GETDNS_FREE(*mf, success); + success = NULL; + } + } else + DEBUG_ANCHOR("Could not allocate space for " + "trust anchors\n"); + } else { + success = tas; + *tas_len = gldns_buffer_position(&gbuf); + } + } else { + DEBUG_ANCHOR("Verifying trust-anchors failed!\n"); + } + if (store) X509_STORE_free(store); + if (x) X509_free(x); + if (crt) BIO_free(crt); + if (xml) BIO_free(xml); + if (p7s) BIO_free(p7s); + return success; +} + +void _getdns_context_equip_with_anchor( + getdns_context *context, uint64_t *now_ms) +{ + uint8_t xml_spc[4096], *xml_data = NULL; + uint8_t p7s_spc[4096], *p7s_data = NULL; + size_t xml_len, p7s_len; + const char *verify_email = NULL; + const char *verify_CA = NULL; + getdns_return_t r; + + BIO *xml = NULL, *p7s = NULL, *crt = NULL; + X509 *x = NULL; + X509_STORE *store = NULL; + + if ((r = getdns_context_get_trust_anchors_verify_CA( + context, &verify_CA))) + DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify" + " CA: \"%s\"\n", __FUNC__ + , getdns_get_errorstr_by_id(r)); + + else if (!verify_CA || !*verify_CA) + DEBUG_ANCHOR("NOTICE: Trust anchor 
verification explicitely " + "disabled by empty verify CA\n"); + + else if ((r = getdns_context_get_trust_anchors_verify_email( + context, &verify_email))) + DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify email " + "address: \"%s\"\n", __FUNC__ + , getdns_get_errorstr_by_id(r)); + + else if (!verify_email || !*verify_email) + DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely " + "disabled by empty verify email\n"); + + else if (!(xml_data = _getdns_context_get_priv_file(context, + "root-anchors.xml", xml_spc, sizeof(xml_spc), &xml_len))) + DEBUG_ANCHOR("DEBUG %s(): root-anchors.xml not present\n" + , __FUNC__); + + else if (!(p7s_data = _getdns_context_get_priv_file(context, + "root-anchors.p7s", p7s_spc, sizeof(p7s_spc), &p7s_len))) + DEBUG_ANCHOR("DEBUG %s(): root-anchors.p7s not present\n" + , __FUNC__); + + else if (!(xml = BIO_new_mem_buf(xml_data, xml_len))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n" + , __FUNC__); + + else if (!(p7s = BIO_new_mem_buf(p7s_data, p7s_len))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n" + , __FUNC__); + + else if (!(crt = BIO_new_mem_buf((void *)verify_CA, -1))) + DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n" + , __FUNC__); + + else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL))) + DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n" + , __FUNC__); + + else if (!(store = X509_STORE_new())) + DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n" + , __FUNC__); + + else if (!X509_STORE_add_cert(store, x)) + DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n" + , __FUNC__); + + else if (_getdns_verify_p7sig(xml, p7s, store, verify_email)) { + uint8_t ta_spc[sizeof(context->trust_anchors_spc)]; + size_t ta_len; + uint8_t *ta = NULL; + gldns_buffer gbuf; + + gldns_buffer_init_vfixed_frm_data( + &gbuf, ta_spc, sizeof(ta_spc)); + + if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms, + (char *)xml_data, xml_len)) + DEBUG_ANCHOR("Failed to parse trust anchor XML data"); + 
else if ((ta_len = gldns_buffer_position(&gbuf)) > sizeof(ta_spc)) { + if ((ta = GETDNS_XMALLOC(context->mf, uint8_t, ta_len))) { + gldns_buffer_init_frm_data(&gbuf, ta, + gldns_buffer_position(&gbuf)); + if (!_getdns_parse_xml_trust_anchors_buf( + &gbuf, now_ms, (char *)xml_data, xml_len)) { + DEBUG_ANCHOR("Failed to re-parse trust" + " anchor XML data"); + GETDNS_FREE(context->mf, ta); + } else { + context->trust_anchors = ta; + context->trust_anchors_len = ta_len; + context->trust_anchors_source = GETDNS_TASRC_XML; + _getdns_ta_notify_dnsreqs(context); + } + } else + DEBUG_ANCHOR("Could not allocate space for XML file"); + } else { + (void)memcpy(context->trust_anchors_spc, ta_spc, ta_len); + context->trust_anchors = context->trust_anchors_spc; + context->trust_anchors_len = ta_len; + context->trust_anchors_source = GETDNS_TASRC_XML; + _getdns_ta_notify_dnsreqs(context); + } + DEBUG_ANCHOR("ta: %p, ta_len: %d\n", + (void *)context->trust_anchors, (int)context->trust_anchors_len); + + } else { + DEBUG_ANCHOR("Verifying trust-anchors failed!\n"); + } + if (store) X509_STORE_free(store); + if (x) X509_free(x); + if (crt) BIO_free(crt); + if (xml) BIO_free(xml); + if (p7s) BIO_free(p7s); + if (xml_data && xml_data != xml_spc) + GETDNS_FREE(context->mf, xml_data); + if (p7s_data && p7s_data != p7s_spc) + GETDNS_FREE(context->mf, p7s_data); +}
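Review bot: `_getdns_context_equip_with_anchor` re-implements the whole verify-then-parse pipeline that `_getdns_tas_validate` earlier in this file already provides (memory BIOs, PEM parse, X509_STORE, `_getdns_verify_p7sig`, vfixed parse then heap re-parse), so any future fix to the signature-verification path has to be made in two places. The file contents and the verify_CA string can be wrapped in `getdns_bindata` values and handed to `_getdns_tas_validate`, leaving this function with only the file loading and the install into the context; the local `ta_spc` staging buffer should stay so that a failed parse cannot overwrite anchors already held in `context->trust_anchors_spc`. The rewrite below assumes `getdns_bindata` has the `size` and `data` members that `_getdns_tas_validate` itself reads. Separately, the two DEBUG messages reading "Parsing builtin certificate" describe the configured verify CA, not a built-in one.
```c
	else if (!(p7s_data = _getdns_context_get_priv_file(context,
	    "root-anchors.p7s", p7s_spc, sizeof(p7s_spc), &p7s_len)))
		DEBUG_ANCHOR("DEBUG %s(): root-anchors.p7s not present\n"
		            , __FUNC__);
	else {
		/* Stage into a local buffer so a failed parse never touches
		 * anchors already stored in context->trust_anchors_spc. */
		uint8_t ta_spc[sizeof(context->trust_anchors_spc)];
		size_t ta_len = sizeof(ta_spc);
		uint8_t *ta;
		getdns_bindata xml_bd = { .size = xml_len, .data = xml_data };
		getdns_bindata p7s_bd = { .size = p7s_len, .data = p7s_data };
		getdns_bindata crt_bd = { .size = strlen(verify_CA),
		                          .data = (uint8_t *)verify_CA };

		/* Single verify+parse path, shared with tas_doc_read(). */
		if ((ta = _getdns_tas_validate(&context->mf, &xml_bd, &p7s_bd,
		    &crt_bd, verify_email, now_ms, ta_spc, &ta_len))) {
			if (ta == ta_spc) {
				(void)memcpy(context->trust_anchors_spc, ta_spc, ta_len);
				ta = context->trust_anchors_spc;
			}
			context->trust_anchors = ta;
			context->trust_anchors_len = ta_len;
			context->trust_anchors_source = GETDNS_TASRC_XML;
			_getdns_ta_notify_dnsreqs(context);
		} else
			DEBUG_ANCHOR("Verifying trust-anchors failed!\n");
	}
	/* … unchanged: free xml_data / p7s_data when heap-allocated … */
```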