Exemple #1
0
int unbound_init(struct ub_ctx *dnsctx)
{
	int ugh;
	/* create unbound resolver context */
	dnsctx = ub_ctx_create();
        if(!dnsctx) {
                libreswan_log("error: could not create unbound context\n");
                return 0;
        }
		DBG(DBG_DNS, 
			ub_ctx_debuglevel(dnsctx,5);
			DBG_log("unbound context created - setting debug level to 5\n"));

	/* lookup from /etc/hosts before DNS lookups as people expect that */
	if( (ugh=ub_ctx_hosts(dnsctx, "/etc/hosts")) != 0) {
		libreswan_log("error reading hosts: %s: %s\n",
			ub_strerror(ugh), strerror(errno));
		return 0;
	}
	DBG(DBG_DNS, DBG_log("/etc/hosts lookups activated\n"));

	/*
	 * Use /etc/resolv.conf as forwarding cache - we expect people to reconfigure this
	 * file if they need to work around DHCP DNS obtained servers
	 */
	if( (ugh=ub_ctx_resolvconf(dnsctx, "/etc/resolv.conf")) != 0) {
		libreswan_log("error reading resolv.conf: %s: %s\n",
			ub_strerror(ugh), strerror(errno));
		return 0;
	}
	DBG(DBG_DNS, DBG_log("/etc/resolv.conf usage activated\n"));

        /* add trust anchors to libunbound context - make this configurable later */
	DBG(DBG_DNS, DBG_log("Loading root key:%s\n",rootanchor));
        ugh = ub_ctx_add_ta(dnsctx, rootanchor);
        if(ugh != 0) {
                libreswan_log("error adding the DNSSEC root key: %s: %s\n", ub_strerror(ugh), strerror(errno));
		return 0;
	}

        /* Enable DLV */
	DBG(DBG_DNS, DBG_log("Loading dlv key:%s\n",dlvanchor));
        ugh = ub_ctx_set_option(dnsctx, "dlv-anchor:",dlvanchor);
        if(ugh != 0) {
                libreswan_log("error adding the DLV key: %s: %s\n", ub_strerror(ugh), strerror(errno));
		return 0;
	}

	return 1;
}
Exemple #2
0
DNSResolver::DNSResolver() : m_data(new DNSResolverData())
{
  int use_dns_public = 0;
  const char* dns_public_addr = "8.8.4.4";
  if (auto res = getenv("DNS_PUBLIC"))
  {
    std::string dns_public(res);
    // TODO: could allow parsing of IP and protocol: e.g. DNS_PUBLIC=tcp:8.8.8.8
    if (dns_public == "tcp")
    {
      LOG_PRINT_L0("Using public DNS server: " << dns_public_addr << " (TCP)");
      use_dns_public = 1;
    }
  }

  // init libunbound context
  m_data->m_ub_context = ub_ctx_create();

  if (use_dns_public)
  {
    ub_ctx_set_fwd(m_data->m_ub_context, dns_public_addr);
    ub_ctx_set_option(m_data->m_ub_context, "do-udp:", "no");
    ub_ctx_set_option(m_data->m_ub_context, "do-tcp:", "yes");
  }
  else {
    // look for "/etc/resolv.conf" and "/etc/hosts" or platform equivalent
    ub_ctx_resolvconf(m_data->m_ub_context, NULL);
    ub_ctx_hosts(m_data->m_ub_context, NULL);
  }

  #ifdef DEVELOPER_LIBUNBOUND_OLD
    #pragma message "Using the work around for old libunbound"
    { // work around for bug https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=515 needed for it to compile on e.g. Debian 7
      char * ds_copy = NULL; // this will be the writable copy of string that bugged version of libunbound requires
      try {
        char * ds_copy = strdup( ::get_builtin_ds() );
        ub_ctx_add_ta(m_data->m_ub_context, ds_copy);
      } catch(...) { // probably not needed but to work correctly in every case...
        if (ds_copy) { free(ds_copy); ds_copy=NULL; } // for the strdup
        throw ;
      }
      if (ds_copy) { free(ds_copy); ds_copy=NULL; } // for the strdup
    }
  #else
    // normal version for fixed libunbound
    ub_ctx_add_ta(m_data->m_ub_context, ::get_builtin_ds() );
  #endif

}
Exemple #3
0
DNSResolver::DNSResolver() : m_data(new DNSResolverData())
{
  int use_dns_public = 0;
  std::vector<std::string> dns_public_addr;
  if (auto res = getenv("DNS_PUBLIC"))
  {
    dns_public_addr = tools::dns_utils::parse_dns_public(res);
    if (!dns_public_addr.empty())
    {
      MGINFO("Using public DNS server(s): " << boost::join(dns_public_addr, ", ") << " (TCP)");
      use_dns_public = 1;
    }
    else
    {
      MERROR("Failed to parse DNS_PUBLIC");
    }
  }

  // init libunbound context
  m_data->m_ub_context = ub_ctx_create();

  if (use_dns_public)
  {
    for (const auto &ip: dns_public_addr)
      ub_ctx_set_fwd(m_data->m_ub_context, string_copy(ip.c_str()));
    ub_ctx_set_option(m_data->m_ub_context, string_copy("do-udp:"), string_copy("no"));
    ub_ctx_set_option(m_data->m_ub_context, string_copy("do-tcp:"), string_copy("yes"));
  }
  else {
    // look for "/etc/resolv.conf" and "/etc/hosts" or platform equivalent
    ub_ctx_resolvconf(m_data->m_ub_context, NULL);
    ub_ctx_hosts(m_data->m_ub_context, NULL);
  }

  const char * const *ds = ::get_builtin_ds();
  while (*ds)
  {
    MINFO("adding trust anchor: " << *ds);
    ub_ctx_add_ta(m_data->m_ub_context, string_copy(*ds++));
  }
}
Exemple #4
0
static void unbound_ctx_config(bool do_dnssec, const char *rootfile, const char *trusted)
{
	int ugh;

	if (DBGP(DBG_DNS)) {
		ub_ctx_debuglevel(dns_ctx, 5);
		DBG_log("unbound context created - setting debug level to 5");
	};

	/* lookup from /etc/hosts before DNS lookups as people expect that */
	ugh = ub_ctx_hosts(dns_ctx, "/etc/hosts");
	if (ugh != 0) {
		loglog(RC_LOG_SERIOUS, "error reading hosts: %s: %s",
			ub_strerror(ugh), strerror(errno));
	} else {
		DBG(DBG_DNS, DBG_log("/etc/hosts lookups activated"));
	}

	/*
	 * Use /etc/resolv.conf as forwarding cache - we expect people
	 * to reconfigure this file if they need to work around DHCP DNS
	 * obtained servers.
	 */
	/*
	 * ??? ub_ctx_resolvconf is not currently documented to set errno.
	 * Private communications with W.C.A. Wijngaards 2017 October:
	 * "Is errno is meaningful after a failed call to libunbound?"
	 * "Yes it is.  Specifically for the error-to-read-file case.
	 *  Not other cases (eg. socket errors happen too far away in the code)."
	 */
	errno = 0;
	ugh = ub_ctx_resolvconf(dns_ctx, "/etc/resolv.conf");
	if (ugh != 0) {
		int e = errno;	/* protect value from ub_strerror */

		loglog(RC_LOG_SERIOUS, "error reading /etc/resolv.conf: %s: [errno: %s]",
			ub_strerror(ugh), strerror(e));
	} else {
		DBG(DBG_DNS, DBG_log("/etc/resolv.conf usage activated"));
	}

	if (!do_dnssec) {
		/* No DNSSEC - nothing more to configure */
		DBG(DBG_DNS, DBG_log("dnssec validation disabled by configuration"));
	}

	if (rootfile == NULL) {
		if (trusted != NULL) {
			loglog(RC_LOG_SERIOUS, "dnssec-enable=yes but no dnssec-rootkey-file or trust anchors specified.");
			loglog(RC_LOG_SERIOUS, "WARNING: DNSSEC validation disabled");
		}
	} else {
		DBG(DBG_DNS, DBG_log("Loading dnssec root key from:%s", rootfile));
		/* the cast is there for unbound < 1.4.12 */
		/* ??? ub_ctx_add_ta_autr is not documented to set errno */
		errno = 0;
		ugh = ub_ctx_add_ta_autr(dns_ctx, (char *) rootfile);
		if (ugh != 0) {
			int e = errno;	/* protect value from ub_strerror */

			loglog(RC_LOG_SERIOUS, "error adding dnssec root key: %s [errno: %s]",
				ub_strerror(ugh), strerror(e));
			loglog(RC_LOG_SERIOUS, "WARNING: DNSSEC validation likely broken!");
		}
	}

	if (trusted == NULL) {
		DBG(DBG_DNS,DBG_log("No additional dnssec trust anchors defined via dnssec-trusted= option"));
	} else {
		glob_t globbuf;
		char **fnp;
		int r = glob(trusted, GLOB_ERR, globugh_ta, &globbuf);

		switch (r) {
		case 0:	/* success */
			for (fnp = globbuf.gl_pathv; fnp != NULL && *fnp != NULL; fnp++) {
				ugh = ub_ctx_add_ta_file(dns_ctx, *fnp);
				if (ugh != 0) {
					loglog(RC_LOG_SERIOUS, "Ignored trusted key file %s: %s",
						*fnp,  ub_strerror(ugh));
				} else {
					DBG(DBG_DNS, DBG_log("Added contents of trusted key file %s to unbound resolver context",
						*fnp));
				}
			}
			break;

		case GLOB_NOSPACE:
			loglog(RC_LOG_SERIOUS, "out of space processing dnssec-trusted= argument: %s",
				trusted);
			break;

		case GLOB_ABORTED:
			/* already logged by globugh_ta */
			break;

		case GLOB_NOMATCH:
			loglog(RC_LOG_SERIOUS, "no trust anchor files matched '%s'", trusted);
			break;

		default:
			loglog(RC_LOG_SERIOUS, "trusted key file '%s': unknown glob error %d",
				trusted, r);
			break;
		}
		globfree(&globbuf);
	}
}
Exemple #5
0
int
ub_ctx_hosts(struct ub_ctx* ctx, char* fname)
{
    FILE* in;
    char buf[1024], ldata[1024];
    char* parse, *addr, *name, *ins;
    lock_basic_lock(&ctx->cfglock);
    if(ctx->finalized) {
        lock_basic_unlock(&ctx->cfglock);
        errno=EINVAL;
        return UB_AFTERFINAL;
    }
    lock_basic_unlock(&ctx->cfglock);
    if(fname == NULL) {
#if defined(UB_ON_WINDOWS) && defined(HAVE_WINDOWS_H)
        /*
         * If this is Windows NT/XP/2K it's in
         * %WINDIR%\system32\drivers\etc\hosts.
         * If this is Windows 95/98/Me it's in %WINDIR%\hosts.
         */
        name = getenv("WINDIR");
        if (name != NULL) {
            int retval=0;
            snprintf(buf, sizeof(buf), "%s%s", name,
                     "\\system32\\drivers\\etc\\hosts");
            if((retval=ub_ctx_hosts(ctx, buf)) !=0 ) {
                snprintf(buf, sizeof(buf), "%s%s", name,
                         "\\hosts");
                retval=ub_ctx_hosts(ctx, buf);
            }
            free(name);
            return retval;
        }
        return UB_READFILE;
#else
        fname = "/etc/hosts";
#endif /* WIN32 */
    }
    in = fopen(fname, "r");
    if(!in) {
        /* error in errno! perror(fname) */
        return UB_READFILE;
    }
    while(fgets(buf, (int)sizeof(buf), in)) {
        buf[sizeof(buf)-1] = 0;
        parse=buf;
        while(*parse == ' ' || *parse == '\t')
            parse++;
        if(*parse == '#')
            continue; /* skip comment */
        /* format: <addr> spaces <name> spaces <name> ... */
        addr = parse;
        /* skip addr */
        while(isxdigit(*parse) || *parse == '.' || *parse == ':')
            parse++;
        if(*parse == '\n' || *parse == 0)
            continue;
        if(*parse == '%')
            continue; /* ignore macOSX fe80::1%lo0 localhost */
        if(*parse != ' ' && *parse != '\t') {
            /* must have whitespace after address */
            fclose(in);
            errno=EINVAL;
            return UB_SYNTAX;
        }
        *parse++ = 0; /* end delimiter for addr ... */
        /* go to names and add them */
        while(*parse) {
            while(*parse == ' ' || *parse == '\t' || *parse=='\n')
                parse++;
            if(*parse == 0 || *parse == '#')
                break;
            /* skip name, allows (too) many printable characters */
            name = parse;
            while('!' <= *parse && *parse <= '~')
                parse++;
            if(*parse)
                *parse++ = 0; /* end delimiter for name */
            snprintf(ldata, sizeof(ldata), "%s %s %s",
                     name, str_is_ip6(addr)?"AAAA":"A", addr);
            ins = strdup(ldata);
            if(!ins) {
                /* out of memory */
                fclose(in);
                errno=ENOMEM;
                return UB_NOMEM;
            }
            lock_basic_lock(&ctx->cfglock);
            if(!cfg_strlist_insert(&ctx->env->cfg->local_data,
                                   ins)) {
                lock_basic_unlock(&ctx->cfglock);
                fclose(in);
                free(ins);
                errno=ENOMEM;
                return UB_NOMEM;
            }
            lock_basic_unlock(&ctx->cfglock);
        }
    }
    fclose(in);
    return UB_NOERROR;
}
Exemple #6
0
/** main program for asynclook */
int main(int argc, char** argv) 
{
	int c;
	struct ub_ctx* ctx;
	struct lookinfo* lookups;
	int i, r, cancel=0, blocking=0, ext=0;

	/* init log now because solaris thr_key_create() is not threadsafe */
	log_init(0,0,0);
	/* lock debug start (if any) */
	checklock_start();

	/* create context */
	ctx = ub_ctx_create();
	if(!ctx) {
		printf("could not create context, %s\n", strerror(errno));
		return 1;
	}

	/* command line options */
	if(argc == 1) {
		usage(argv);
	}
	while( (c=getopt(argc, argv, "bcdf:hH:r:tx")) != -1) {
		switch(c) {
			case 'd':
				r = ub_ctx_debuglevel(ctx, 3);
				checkerr("ub_ctx_debuglevel", r);
				break;
			case 't':
				r = ub_ctx_async(ctx, 1);
				checkerr("ub_ctx_async", r);
				break;
			case 'c':
				cancel = 1;
				break;
			case 'b':
				blocking = 1;
				break;
			case 'r':
				r = ub_ctx_resolvconf(ctx, optarg);
				if(r != 0) {
					printf("ub_ctx_resolvconf "
						"error: %s : %s\n",
						ub_strerror(r), 
						strerror(errno));
					return 1;
				}
				break;
			case 'H':
				r = ub_ctx_hosts(ctx, optarg);
				if(r != 0) {
					printf("ub_ctx_hosts "
						"error: %s : %s\n",
						ub_strerror(r), 
						strerror(errno));
					return 1;
				}
				break;
			case 'f':
				r = ub_ctx_set_fwd(ctx, optarg);
				checkerr("ub_ctx_set_fwd", r);
				break;
			case 'x':
				ext = 1;
				break;
			case 'h':
			case '?':
			default:
				usage(argv);
		}
	}
	argc -= optind;
	argv += optind;

	if(ext)
		return ext_test(ctx, argc, argv);

	/* allocate array for results. */
	lookups = (struct lookinfo*)calloc((size_t)argc, 
		sizeof(struct lookinfo));
	if(!lookups) {
		printf("out of memory\n");
		return 1;
	}

	/* perform asynchronous calls */
	num_wait = argc;
	for(i=0; i<argc; i++) {
		lookups[i].name = argv[i];
		if(blocking) {
			fprintf(stderr, "lookup %s\n", argv[i]);
			r = ub_resolve(ctx, argv[i], LDNS_RR_TYPE_A,
				LDNS_RR_CLASS_IN, &lookups[i].result);
			checkerr("ub_resolve", r);
		} else {
			fprintf(stderr, "start async lookup %s\n", argv[i]);
			r = ub_resolve_async(ctx, argv[i], LDNS_RR_TYPE_A,
				LDNS_RR_CLASS_IN, &lookups[i], &lookup_is_done, 
				&lookups[i].async_id);
			checkerr("ub_resolve_async", r);
		}
	}
	if(blocking)
		num_wait = 0;
	else if(cancel) {
		for(i=0; i<argc; i++) {
			fprintf(stderr, "cancel %s\n", argv[i]);
			r = ub_cancel(ctx, lookups[i].async_id);
			if(r != UB_NOID) 
				checkerr("ub_cancel", r);
		}
		num_wait = 0;
	}

	/* wait while the hostnames are looked up. Do something useful here */
	if(num_wait > 0)
	    for(i=0; i<1000; i++) {
		usleep(100000);
		fprintf(stderr, "%g seconds passed\n", 0.1*(double)i);
		r = ub_process(ctx);
		checkerr("ub_process", r);
		if(num_wait == 0)
			break;
	}
	if(i>=999) {
		printf("timed out\n");
		return 0;
	}
	printf("lookup complete\n");

	/* print lookup results */
	for(i=0; i<argc; i++) {
		print_result(&lookups[i]);
		ub_resolve_free(lookups[i].result);
	}

	ub_ctx_delete(ctx);
	free(lookups);
	checklock_stop();
	return 0;
}
Exemple #7
0
int ifconf_acquire_addresses(const char *name, 
        struct address **_list, unsigned *_n_list) {

        struct {
                struct nlmsghdr hdr;
                struct rtgenmsg gen;
        } req;
        struct rtgenmsg *gen;
        int fd, r, on = 1;
        uint32_t seq = 4711;
        struct address *list = NULL;
        unsigned n_list = 0;
        struct ub_ctx* ctx;
        struct ub_result* result;
        int retval, i;

        char *server = "127.0.0.1:8080";
        char url[3000];

        fprintf(stderr, "ifconf_acquire_addresses \n");

        URL *curl;
        CURLcode res;
    
        curl = curl_easy_init();
        if(curl) {
            sprintf(url, "http://%s/address/%s", server, name);
            curl_easy_setopt(curl, CURLOPT_URL,url);
            /*  send all data to this function  */ 
            //curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, write_data);
            fprintf(stderr, "Sending http request\n");
            res = curl_easy_perform(curl);
                    
            //printf("read:%s\n", reply);

            /*  always cleanup */ 
            curl_easy_cleanup(curl);
        }
        ctx = ub_ctx_create();
        if(!ctx) {
            printf("error: could not create unbound context\n");
            retval = -1;
            goto finish;
        }

        //ub_ctx_debuglevel(ctx, 10);

        //requesting ip address from signpost


        /*  read /etc/resolv.conf for DNS proxy settings (from DHCP) */
        if( (retval=ub_ctx_resolvconf(ctx, "/etc/resolv.conf")) != 0) {
            fprintf(stderr, "error reading resolv.conf: %s. errno says: %s\n", 
                    ub_strerror(retval), strerror(errno));
            //retval = errno;
            //goto finish;
        }

        /*  read /etc/hosts for locally supplied host addresses */
        if( (retval=ub_ctx_hosts(ctx, "/etc/hosts")) != 0) {
            fprintf(stderr, "error reading hosts: %s. errno says: %s\n", 
                    ub_strerror(retval), strerror(errno));
            //retval = errno;
            //goto finish;
        }
        /*  query for webserver */
        retval = ub_resolve(ctx, name, 
                1 /*  TYPE A (IPv4 address) */, 
                1 /*  CLASS IN (internet) */, &result);
        if(retval != 0) {
            fprintf(stderr, "error resolving: %s. errno says: %s\n", 
                    ub_strerror(retval), strerror(errno));
            retval = -ENOENT;
            goto finish;
        }

        if(!result->havedata) {
           //fprintf(stderr, "no response found\n"); 
            retval = -ENOENT;
            goto finish;
        }


        while(result->data[n_list]) {
            list = realloc(list, (n_list+1) * sizeof(struct address));
            if (!list) {
                retval = -ENOMEM;
                goto finish;
            }
                 struct in_addr in;
            in.s_addr = *(uint32_t *)result->data[n_list];
            fprintf(stderr, "found ip %s\n", inet_ntoa(in));
            list[n_list].family = AF_INET;
            list[n_list].scope = 1; //ifaddrmsg->ifa_scope;
            memcpy(list[n_list].address, result->data[n_list], 4);
            list[n_list].ifindex = 1; //ifaddrmsg->ifa_index;

            n_list++;
        }
        r= n_list;
        goto finish;
finish:
        close(fd);

        ub_resolve_free(result);
        ub_ctx_delete(ctx);

        if (r < 0)
            free(list);
        else {
            qsort(list, n_list, sizeof(struct address), address_compare);

            *_list = list;
            *_n_list = n_list;
        }
        //fprintf(stderr, "returned %d addr\n", n_list);

        return r;
}
Exemple #8
0
{
	int ugh;

	/* create unbound resolver context */
	dnsctx = ub_ctx_create();
	if (!dnsctx) {
		libreswan_log("error: could not create unbound context");
		return FALSE;
	}
	DBG(DBG_DNS,
		ub_ctx_debuglevel(dnsctx, 5);
		DBG_log("unbound context created - setting debug level to 5");
		);

	/* lookup from /etc/hosts before DNS lookups as people expect that */
	ugh = ub_ctx_hosts(dnsctx, "/etc/hosts");
	if (ugh != 0) {
		libreswan_log("error reading hosts: %s: %s",
			ub_strerror(ugh), strerror(errno));
		return FALSE;
	}
	DBG(DBG_DNS,
		DBG_log("/etc/hosts lookups activated");
		);

	/*
	 * Use /etc/resolv.conf as forwarding cache - we expect people to
	 * reconfigure this file if they need to work around DHCP DNS obtained
	 * servers
	 */
	ugh = ub_ctx_resolvconf(dnsctx, "/etc/resolv.conf");
int main(int argc, char **argv)
{
	struct ub_ctx* ctx;
	struct ub_result* result;
	int retval;
        int i;
        struct timeval starttime, endtime;

        int number = 100000;
        if (argc > 1) {
            number = atoi(argv[1]);
        }

	/* create context */
	ctx = ub_ctx_create();
	if(!ctx) {
		printf("error: could not create unbound context\n");
		return 1;
	}

	/* read /etc/resolv.conf for DNS proxy settings (from DHCP) */
	if( (retval=ub_ctx_resolvconf(ctx, "resolv.conf")) != 0) {
		printf("error reading resolv.conf: %s. errno says: %s\n", 
			ub_strerror(retval), strerror(errno));
		return 1;
	}

	/* read /etc/hosts for locally supplied host addresses */
	if( (retval=ub_ctx_hosts(ctx, "hosts")) != 0) {
		printf("error reading hosts: %s. errno says: %s\n", 
			ub_strerror(retval), strerror(errno));
		return 1;
	}

	/* read public keys for DNSSEC verification */
	if( (retval=ub_ctx_add_ta_file(ctx, "keys")) != 0) {
		printf("error adding keys: %s\n", ub_strerror(retval));
		return 1;
	}

	/* query for webserver */
	retval = ub_resolve(ctx, LOOKUP_NAME, 1, 1, &result);
	if(retval != 0) {
		printf("resolve error: %s\n", ub_strerror(retval));
		return 1;
	}

	/* show first result */
	if(result->havedata)
		printf("The address is %s\n", 
			inet_ntoa(*(struct in_addr*)result->data[0]));
	/* show security status */
	if(!result->secure) {
            fprintf(stderr, "something very wrong; not validated response returned\n");
            exit(1);
        }
        fprintf(stderr, "validated response returned\n");

        // Note: this is without proper memory freeing
        fprintf(stderr, "starting %d queries without context....\n", number);
        gettimeofday(&starttime, NULL);
        for (i = 0; i < number; i++) {
            retval = ub_resolve(ctx, LOOKUP_NAME, 1, 1, &result);
        }
        gettimeofday(&endtime, NULL);
        fprintf(stderr, "time elapsed (ms) for %d queries: %d\n", number, timeofday_diff(&starttime, &endtime));

	ub_resolve_free(result);
	ub_ctx_delete(ctx);

	return 0;
}
int dane_verify_cb(int ok, X509_STORE_CTX *store) {
	struct ub_result *dns_result;
	struct ub_ctx* ctx;
	char dns_name[256];
	X509 *cert;
	SSL *con;
	typedef struct {
		int verbose_mode;
		int verify_depth;
		int always_continue;
	} mydata_t;
	int mydata_index;
	mydata_t *mydata;
	int retval, err, depth;
	
	if (b_err == NULL)
		b_err=BIO_new_fp(stderr,BIO_NOCLOSE);
	
	cert = X509_STORE_CTX_get_current_cert(store);
	err = X509_STORE_CTX_get_error(store);
	depth = X509_STORE_CTX_get_error_depth(ctx);
	
	int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
	if (ssl_idx < 0) {
		BIO_printf(b_err, "DANE failed to find SSL index: %d\n", ssl_idx);
		return -1;
	}
	con = X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx());
	mydata = SSL_get_ex_data(con, mydata_index);
	
	int peerfd;
	peerfd = SSL_get_fd(con);
	socklen_t len;
	struct sockaddr_storage addr;
	char ipstr[INET6_ADDRSTRLEN];
	char node[NI_MAXHOST];
	int port;

	len = sizeof addr;
	getpeername(peerfd, (struct sockaddr*)&addr, &len);

	// deal with both IPv4 and IPv6:
	if (addr.ss_family == AF_INET) {
	    struct sockaddr_in *s = (struct sockaddr_in *)&addr;
	    port = ntohs(s->sin_port);
	    inet_ntop(AF_INET, &s->sin_addr, ipstr, sizeof ipstr);
		struct sockaddr_in sa;
		sa.sin_family = AF_INET;
		inet_pton(AF_INET, ipstr, &sa.sin_addr);
		int res = getnameinfo((struct sockaddr*)&sa, sizeof(sa), node, sizeof(node), NULL, 0, 0);
	} else { // AF_INET6
		struct sockaddr_in6 *s = (struct sockaddr_in6 *)&addr;
	    port = ntohs(s->sin6_port);
	    inet_ntop(AF_INET6, &s->sin6_addr, ipstr, sizeof ipstr);
	}

	BIO_printf(b_err, "Peer IP address: %s\n", ipstr);
	BIO_printf(b_err, "Peer port      : %d\n", port);
	BIO_printf(b_err, "Peer hostname  : %s\n", node);
		
	ctx = ub_ctx_create();
	if(!ctx) {
		printf("error: could not create unbound context\n");
		return -1;
	}
	if( (retval=ub_ctx_resolvconf(ctx, "/etc/resolv.conf")) != 0) {
		printf("error reading resolv.conf: %s. errno says: %s\n", 
			ub_strerror(retval), strerror(errno));
		return -1;
	}
	if( (retval=ub_ctx_hosts(ctx, "/etc/hosts")) != 0) {
		printf("error reading hosts: %s. errno says: %s\n", 
			ub_strerror(retval), strerror(errno));
		return -1;
	}
	
	retval = sprintf(dns_name, "_%d._tcp.%s", port, node);
	if(retval < 0) {
		printf("failure to create dns name\n");
		return -1;
	}
	BIO_printf(b_err,"DANE dane_verify_cb() dns name: %s\n", dns_name);
	retval = ub_resolve(ctx, dns_name, 65534, 1, &dns_result);
	if(retval != 0) {
		BIO_printf(b_err, "resolve error: %s\n", ub_strerror(retval));
		return -1;
	}
	
	if(dns_result->havedata) {
		int i;
		for (i = 0; dns_result->data[i] != NULL; i++) {
			unsigned char usage, selector, matching_type;
			unsigned char *tlsa_bytes;
			
			if (dns_result->len[i] < 35) {
				// must have at least 1+1+1+32 bytes for the SHA-256 case
				BIO_printf(b_err, "DANE: Not enough data: %d available\n",
					dns_result->len[i]);
				return -1;
			}
			unsigned char *rdata = (unsigned char *)dns_result->data[i];
			usage = (char) *rdata++;
			selector = (char) *rdata++;
			matching_type = (char) *rdata++;
			tlsa_bytes = (unsigned char *) rdata;
			X509 *tlsa_cert;
			tlsa_cert = d2i_X509(NULL, &tlsa_bytes, dns_result->len[i]-3);
			
			BIO_printf(b_err, "DANE: Usage %d Selector %d Matching Type %d\n",
				usage, selector, matching_type);
			
			if (selector != 0)
				continue;
			if (matching_type != 0)
				continue;
			
			if (usage == 0 || usage == 2) {
				int retval;
				retval = ca_constraint(con, tlsa_cert, usage);
				if (retval == 0)
					BIO_printf(b_err, "DANE dane_verify_cb() Passed validation for usage %d\n", usage);
				else
					BIO_printf(b_err, "DANE dane_verify_cb() Failed validation for usage %d\n", usage);
				return retval;
			}
			if (usage == 1) {
				int retval;
				retval = service_cert_constraint(cert, tlsa_cert);
				if (retval == 0)
					BIO_printf(b_err, "DANE dane_verify_cb() Passed validation for usage %d\n", usage);
				else
					BIO_printf(b_err, "DANE dane_verify_cb() Failed validation for usage %d\n", usage);
				return retval;
			}
		}
	}
	return ok;
}