1 /* 2 * util/net_help.h - network help functions 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains functions to perform network related tasks. 
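*/

#ifndef NET_HELP_H
#define NET_HELP_H
#include "util/log.h"
#include "util/random.h"
struct sock_list;
struct regional;
struct config_strlist;

/** DNS constants for uint16_t style flag manipulation. host byteorder.
 *                                 1  1  1  1  1  1
 *   0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
 *  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
 *  |QR|   Opcode  |AA|TC|RD|RA| Z|AD|CD|   RCODE   |
 *  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
 */
/** CD flag */
#define BIT_CD 0x0010
/** AD flag */
#define BIT_AD 0x0020
/** Z flag */
#define BIT_Z 0x0040
/** RA flag */
#define BIT_RA 0x0080
/** RD flag */
#define BIT_RD 0x0100
/** TC flag */
#define BIT_TC 0x0200
/** AA flag */
#define BIT_AA 0x0400
/** QR flag */
#define BIT_QR 0x8000
/** get RCODE bits from uint16 flags */
#define FLAGS_GET_RCODE(f) ((f) & 0xf)
/** set RCODE bits in uint16 flags.
 * Only the low 4 bits of r are stored, mirroring FLAGS_GET_RCODE, so an
 * out-of-range rcode value cannot spill into the CD/AD/Z/RA bits above it.
 * f is evaluated twice and must be an lvalue without side effects. */
#define FLAGS_SET_RCODE(f, r) ((f) = (((f) & 0xfff0) | ((r) & 0xf)))

/** timeout in milliseconds for UDP queries to auth servers.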
*/
#define UDP_AUTH_QUERY_TIMEOUT 3000
/** Advertised version of EDNS capabilities */
#define EDNS_ADVERTISED_VERSION 0
/** Advertised size of EDNS capabilities.
 * A variable rather than a macro, so its value is not fixed at compile time. */
extern uint16_t EDNS_ADVERTISED_SIZE;
/** bits for EDNS bitfield */
#define EDNS_DO 0x8000 /* Dnssec Ok */
/** byte size of ip4 address */
#define INET_SIZE 4
/** byte size of ip6 address */
#define INET6_SIZE 16

/** DNSKEY zone sign key flag */
#define DNSKEY_BIT_ZSK 0x0100
/** DNSKEY secure entry point, KSK flag */
#define DNSKEY_BIT_SEP 0x0001

/** return a random 16-bit number given a random source.
 * Uses bits 8..23 of the ub_random() result; the low 8 bits are discarded.
 * NOTE(review): when this feeds DNS message IDs, unpredictability rests
 * entirely on the quality of rnd; confirm the source used by callers. */
#define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff)

/** define MSG_DONTWAIT for unsupported platforms.
 * A value of 0 keeps send/recv flag arguments valid and makes the flag a
 * no-op there. */
#ifndef MSG_DONTWAIT
#define MSG_DONTWAIT 0
#endif

/** minimal responses when positive answer */
extern int MINIMAL_RESPONSES;

/** rrset order roundrobin */
extern int RRSET_ROUNDROBIN;

/** log tag queries with name instead of 'info' for filtering */
extern int LOG_TAG_QUERYREPLY;

/**
 * See if string is ip4 or ip6.
 * @param str: IP specification.
 * @return: true if string addr is an ip6 specced address.
 */
int str_is_ip6(const char* str);

/**
 * Set fd nonblocking.
 * @param s: file descriptor.
 * @return: 0 on error (error is printed to log).
 */
int fd_set_nonblock(int s);

/**
 * Set fd (back to) blocking.
 * @param s: file descriptor.
 * @return: 0 on error (error is printed to log).
 */
int fd_set_block(int s);

/**
 * See if number is a power of 2.
 * @param num: the value.
 * @return: true if the number is a power of 2.
 */
int is_pow2(size_t num);

/**
 * Allocate memory and copy over contents.
 * The caller owns the returned buffer and must free() it.
 * @param data: what to copy over.
 * @param len: length of data.
 * @return: NULL on malloc failure, or newly malloced data.
146 */ 147 void* memdup(void* data, size_t len); 148 149 /** 150 * Prints the sockaddr in readable format with log_info. Debug helper. 151 * @param v: at what verbosity level to print this. 152 * @param str: descriptive string printed with it. 153 * @param addr: the sockaddr to print. Can be ip4 or ip6. 154 * @param addrlen: length of addr. 155 */ 156 void log_addr(enum verbosity_value v, const char* str, 157 struct sockaddr_storage* addr, socklen_t addrlen); 158 159 /** 160 * Prints zone name and sockaddr in readable format with log_info. Debug. 161 * @param v: at what verbosity level to print this. 162 * @param str: descriptive string printed with it. 163 * @param zone: DNS domain name, uncompressed wireformat. 164 * @param addr: the sockaddr to print. Can be ip4 or ip6. 165 * @param addrlen: length of addr. 166 */ 167 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone, 168 struct sockaddr_storage* addr, socklen_t addrlen); 169 170 /** 171 * Log errno and addr. 172 * @param str: descriptive string printed with it. 173 * @param err: errno string to print, i.e. strerror(errno). 174 * @param addr: the sockaddr to print. Can be ip4 or ip6. 175 * @param addrlen: length of addr. 176 */ 177 void log_err_addr(const char* str, const char* err, 178 struct sockaddr_storage* addr, socklen_t addrlen); 179 180 /** 181 * Convert address string, with "@port" appendix, to sockaddr. 182 * Uses DNS port by default. 183 * @param str: the string 184 * @param addr: where to store sockaddr. 185 * @param addrlen: length of stored sockaddr is returned. 186 * @param port: default port. 187 * @return 0 on error. 188 */ 189 int extstrtoaddr(const char* str, struct sockaddr_storage* addr, 190 socklen_t* addrlen, int port); 191 192 /** 193 * Convert ip address string and port to sockaddr. 194 * @param ip: ip4 or ip6 address string. 195 * @param port: port number, host format. 196 * @param addr: where to store sockaddr. 
197 * @param addrlen: length of stored sockaddr is returned. 198 * @return 0 on error. 199 */ 200 int ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, 201 socklen_t* addrlen); 202 203 /** 204 * Convert ip netblock (ip/netsize) string and port to sockaddr. 205 * performs a copy internally to avoid writing over 'ip' string. 206 * @param ip: ip4 or ip6 address string. 207 * @param port: port number, host format. 208 * @param addr: where to store sockaddr. 209 * @param addrlen: length of stored sockaddr is returned. 210 * @param net: netblock size is returned. 211 * @return 0 on error. 212 */ 213 int netblockstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, 214 socklen_t* addrlen, int* net); 215 216 /** 217 * Convert address string, with "@port" appendix, to sockaddr. 218 * It can also have an "#tls-auth-name" appendix (after the port). 219 * The returned auth_name string is a pointer into the input string. 220 * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured. 221 * @param str: the string 222 * @param addr: where to store sockaddr. 223 * @param addrlen: length of stored sockaddr is returned. 224 * @param auth_name: returned pointer to tls_auth_name, or NULL if none. 225 * @return 0 on error. 226 */ 227 int authextstrtoaddr(char* str, struct sockaddr_storage* addr, 228 socklen_t* addrlen, char** auth_name); 229 230 /** 231 * Convert domain string, with "@port" appendix, to dname. 232 * It can also have an "#tls-auth-name" appendix (after the port). 233 * The return port is the parsed port. 234 * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured. 235 * The returned auth_name string is a pointer into the input string. 236 * @param str: the string 237 * @param port: pointer to be assigned the parsed port value. 238 * @param auth_name: returned pointer to tls_auth_name, or NULL if none. 239 * @return pointer to the dname. 
240 */ 241 uint8_t* authextstrtodname(char* str, int* port, char** auth_name); 242 243 /** 244 * Store port number into sockaddr structure 245 * @param addr: sockaddr structure, ip4 or ip6. 246 * @param addrlen: length of addr. 247 * @param port: port number to put into the addr. 248 */ 249 void sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, 250 int port); 251 252 /** 253 * Print string with neat domain name, type and class. 254 * @param v: at what verbosity level to print this. 255 * @param str: string of message. 256 * @param name: domain name uncompressed wireformat. 257 * @param type: host format RR type. 258 * @param dclass: host format RR class. 259 */ 260 void log_nametypeclass(enum verbosity_value v, const char* str, 261 uint8_t* name, uint16_t type, uint16_t dclass); 262 263 /** 264 * Like log_nametypeclass, but logs with log_query for query logging 265 */ 266 void log_query_in(const char* str, uint8_t* name, uint16_t type, 267 uint16_t dclass); 268 269 /** 270 * Compare two sockaddrs. Imposes an ordering on the addresses. 271 * Compares address and port. 272 * @param addr1: address 1. 273 * @param len1: lengths of addr1. 274 * @param addr2: address 2. 275 * @param len2: lengths of addr2. 276 * @return: 0 if addr1 == addr2. -1 if addr1 is smaller, +1 if larger. 277 */ 278 int sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1, 279 struct sockaddr_storage* addr2, socklen_t len2); 280 281 /** 282 * Compare two sockaddrs. Compares address, not the port. 283 * @param addr1: address 1. 284 * @param len1: lengths of addr1. 285 * @param addr2: address 2. 286 * @param len2: lengths of addr2. 287 * @return: 0 if addr1 == addr2. -1 if addr1 is smaller, +1 if larger. 288 */ 289 int sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1, 290 struct sockaddr_storage* addr2, socklen_t len2); 291 292 /** 293 * Compare two sockaddrs. Imposes an ordering on the addresses. 294 * Compares address and port. 
It also compares scope_id for ip6. 295 * @param addr1: address 1. 296 * @param len1: lengths of addr1. 297 * @param addr2: address 2. 298 * @param len2: lengths of addr2. 299 * @return: 0 if addr1 == addr2. -1 if addr1 is smaller, +1 if larger. 300 */ 301 int sockaddr_cmp_scopeid(struct sockaddr_storage* addr1, socklen_t len1, 302 struct sockaddr_storage* addr2, socklen_t len2); 303 304 /** 305 * Check the address family. 306 * @param addr: the sockaddr to examine. 307 * @param len: the length of addr. 308 * @return: true if sockaddr is ip6. 309 */ 310 int addr_is_ip6(struct sockaddr_storage* addr, socklen_t len); 311 312 /** 313 * Make sure the sockaddr ends in zeroes. For tree insertion and subsequent 314 * comparison. 315 * @param addr: the ip4 or ip6 addr. 316 * @param len: length of addr. 317 * @param net: number of bits to leave untouched, the rest of the netblock 318 * address is zeroed. 319 */ 320 void addr_mask(struct sockaddr_storage* addr, socklen_t len, int net); 321 322 /** 323 * See how many bits are shared, equal, between two addrs. 324 * @param addr1: first addr. 325 * @param net1: netblock size of first addr. 326 * @param addr2: second addr. 327 * @param net2: netblock size of second addr. 328 * @param addrlen: length of first addr and of second addr. 329 * They must be of the same length (i.e. same type IP4, IP6). 330 * @return: number of bits the same. 331 */ 332 int addr_in_common(struct sockaddr_storage* addr1, int net1, 333 struct sockaddr_storage* addr2, int net2, socklen_t addrlen); 334 335 /** 336 * Put address into string, works for IPv4 and IPv6. 337 * @param addr: address 338 * @param addrlen: length of address 339 * @param buf: result string stored here 340 * @param len: length of buf. 341 * On failure a string with "error" is stored inside. 
342 */ 343 void addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen, 344 char* buf, size_t len); 345 346 /** 347 * Check if the prefix network length is one of the allowed 32, 40, 48, 56, 64, 348 * or 96. 349 * @param prefixnet: prefix network length to check. 350 * @return 1 on success, 0 on failure. 351 */ 352 int prefixnet_is_nat64(int prefixnet); 353 354 /** 355 * Create a NAT64 address from a given address (needs to be IPv4) and a given 356 * NAT64 prefix. The NAT64 prefix net needs to be one of 32, 40, 48, 56, 64, 96. 357 * @param addr: IPv4 address. 358 * @param nat64_prefix: NAT64 prefix. 359 * @param nat64_prefixlen: NAT64 prefix len. 360 * @param nat64_prefixnet: NAT64 prefix mask. 361 * @param nat64_addr: the resulting NAT64 address. 362 * @param nat64_addrlen: the resulting NAT64 address length. 363 */ 364 void addr_to_nat64(const struct sockaddr_storage* addr, 365 const struct sockaddr_storage* nat64_prefix, 366 socklen_t nat64_prefixlen, int nat64_prefixnet, 367 struct sockaddr_storage* nat64_addr, socklen_t* nat64_addrlen); 368 369 /** 370 * See if sockaddr is an ipv6 mapped ipv4 address, "::ffff:0.0.0.0" 371 * @param addr: address 372 * @param addrlen: length of address 373 * @return true if so 374 */ 375 int addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen); 376 377 /** 378 * See if sockaddr is an ipv6 fe80::/10 link local address. 379 * @param addr: address 380 * @param addrlen: length of address 381 * @return true if so 382 */ 383 int addr_is_ip6linklocal(struct sockaddr_storage* addr, socklen_t addrlen); 384 385 /** 386 * See if sockaddr is 255.255.255.255. 387 * @param addr: address 388 * @param addrlen: length of address 389 * @return true if so 390 */ 391 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen); 392 393 /** 394 * See if sockaddr is 0.0.0.0 or ::0. 
395 * @param addr: address 396 * @param addrlen: length of address 397 * @return true if so 398 */ 399 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen); 400 401 /** 402 * Insert new socket list item. If it fails, it logs an error. 403 * @param list: pointer to pointer to first item. 404 * @param addr: address or NULL if 'cache'. 405 * @param len: length of addr, or 0 if 'cache'. 406 * @param region: where to allocate 407 */ 408 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr, 409 socklen_t len, struct regional* region); 410 411 /** 412 * Prepend one list to another. Both must be from the same qstate (regional). 413 * @param list: pointer to result list that is modified. 414 * @param add: item(s) to add. They are prepended to list. 415 */ 416 void sock_list_prepend(struct sock_list** list, struct sock_list* add); 417 418 /** 419 * Find addr in list. 420 * @param list: to search in 421 * @param addr: address to look for. 422 * @param len: length. Can be 0, look for 'cache entry'. 423 * @return true if found. 424 */ 425 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr, 426 socklen_t len); 427 428 /** 429 * Merge socklist into another socket list. Allocates the new entries 430 * freshly and copies them over, so also performs a region switchover. 431 * Allocation failures are logged. 432 * @param list: the destination list (checked for duplicates) 433 * @param region: where to allocate 434 * @param add: the list of entries to add. 435 */ 436 void sock_list_merge(struct sock_list** list, struct regional* region, 437 struct sock_list* add); 438 439 /** 440 * Log libcrypto error with descriptive string. Calls log_err(). 441 * @param str: what failed. 442 */ 443 void log_crypto_err(const char* str); 444 445 /** 446 * Log libcrypto error from errcode with descriptive string, calls log_err. 447 * @param str: what failed. 448 * @param err: error code from ERR_get_error. 
449 */ 450 void log_crypto_err_code(const char* str, unsigned long err); 451 452 /** 453 * Log an error from libcrypto that came from SSL_write and so on, with 454 * a value from SSL_get_error, calls log_err. If that fails it logs with 455 * log_crypto_err. 456 * @param str: what failed 457 * @param r: output of SSL_get_error on the I/O operation result. 458 */ 459 void log_crypto_err_io(const char* str, int r); 460 461 /** 462 * Log an error from libcrypto that came from an I/O routine with the 463 * errcode from ERR_get_error. Calls log_err() and log_crypto_err_code. 464 * @param str: what failed 465 * @param r: output of SSL_get_error on the I/O operation result. 466 * @param err: error code from ERR_get_error 467 */ 468 void log_crypto_err_io_code(const char* str, int r, unsigned long err); 469 470 /** 471 * Log the details of an X509 cert at the given verbosity, prefixed with str. 472 * @param level: verbosity level 473 * @param str: string to prefix on output 474 * @param cert: X509* structure. 475 */ 476 void log_cert(unsigned level, const char* str, void* cert); 477 478 /** 479 * Set SSL_OP_NOxxx options on SSL context to disable bad crypto 480 * @param ctxt: SSL_CTX* 481 * @return false on failure. 482 */ 483 int listen_sslctx_setup(void* ctxt); 484 485 /** 486 * Further setup of listening SSL context, after keys loaded. 487 * @param ctxt: SSL_CTX* 488 */ 489 void listen_sslctx_setup_2(void* ctxt); 490 491 /** 492 * create SSL listen context 493 * @param key: private key file. 494 * @param pem: public key cert. 495 * @param verifypem: if nonNULL, verifylocation file. 496 * @param tls_ciphers: if non empty string, tls ciphers to use. 497 * @param tls_ciphersuites: if non empty string, tls ciphersuites to use. 498 * @param set_ticket_keys_cb: if the callback for configured ticket keys needs 499 * to be set. 500 * @param is_dot: if the TLS connection is for DoT to set the appropriate ALPN. 501 * @param is_doh: if the TLS connection is for DoH to set the appropriate ALPN. 
502 * @return SSL_CTX* or NULL on failure (logged). 503 */ 504 void* listen_sslctx_create(const char* key, const char* pem, 505 const char* verifypem, const char* tls_ciphers, 506 const char* tls_ciphersuites, int set_ticket_keys_cb, 507 int is_dot, int is_doh); 508 509 /** 510 * create SSL connect context 511 * @param key: if nonNULL (also pem nonNULL), the client private key. 512 * @param pem: client public key (or NULL if key is NULL). 513 * @param verifypem: if nonNULL used for verifylocation file. 514 * @param wincert: add system certificate store to ctx (add to verifypem ca 515 * certs). 516 * @return SSL_CTX* or NULL on failure (logged). 517 */ 518 void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert); 519 520 /** 521 * accept a new fd and wrap it in a BIO in SSL 522 * @param sslctx: the SSL_CTX to use (from listen_sslctx_create()). 523 * @param fd: from accept, nonblocking. 524 * @return SSL or NULL on alloc failure. 525 */ 526 void* incoming_ssl_fd(void* sslctx, int fd); 527 528 /** 529 * connect a new fd and wrap it in a BIO in SSL 530 * @param sslctx: the SSL_CTX to use (from connect_sslctx_create()) 531 * @param fd: from connect. 532 * @return SSL or NULL on alloc failure 533 */ 534 void* outgoing_ssl_fd(void* sslctx, int fd); 535 536 /** 537 * check if authname SSL functionality is available, false if not 538 * @param auth_name: the name for the remote server, used for error print. 539 * @return false if SSL functionality to check the SSL name is not available. 540 */ 541 int check_auth_name_for_ssl(char* auth_name); 542 543 /** 544 * set auth name on SSL for verification 545 * @param ssl: SSL* to set 546 * @param auth_name: if NULL nothing happens, otherwise the name to check. 547 * @param use_sni: if SNI will be used. 548 * @return 1 on success or NULL auth_name, 0 on failure. 
549 */ 550 int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni); 551 552 /** 553 * Initialize openssl locking for thread safety 554 * @return false on failure (alloc failure). 555 */ 556 int ub_openssl_lock_init(void); 557 558 /** 559 * De-init the allocated openssl locks 560 */ 561 void ub_openssl_lock_delete(void); 562 563 /** 564 * setup TLS session ticket 565 * @param tls_session_ticket_keys: TLS ticket secret filenames 566 * @return false on failure (alloc failure). 567 */ 568 int listen_sslctx_setup_ticket_keys(struct config_strlist* tls_session_ticket_keys); 569 570 /** Free memory used for TLS session ticket keys */ 571 void listen_sslctx_delete_ticket_keys(void); 572 573 /** 574 * RPZ format netblock to network byte order address and netblock 575 * example RPZ netblock format dnames: 576 * - 24.10.100.51.198.rpz-ip -> 198.51.100.10/24 577 * - 32.10.zz.db8.2001.rpz-ip -> 2001:db8:0:0:0:0:0:10/32 578 * @param dname: the dname containing RPZ format netblock 579 * @param dnamelen: length of dname 580 * @param addr: where to store sockaddr. 581 * @param addrlen: length of stored sockaddr is returned. 582 * @param net: where to store netmask 583 * @param af: where to store address family. 584 * @return 0 on error. 585 */ 586 int netblockdnametoaddr(uint8_t* dname, size_t dnamelen, 587 struct sockaddr_storage* addr, socklen_t* addrlen, int* net, int* af); 588 589 /** Return strerror or wsastrerror for socket error printout */ 590 char* sock_strerror(int errn); 591 /** close the socket with close, or wsa closesocket */ 592 void sock_close(int socket); 593 594 /** 595 * Convert binary data to a string of hexadecimal characters. 596 */ 597 ssize_t hex_ntop(uint8_t const *src, size_t srclength, char *target, 598 size_t targsize); 599 600 /** Convert hexadecimal data to binary. */ 601 ssize_t hex_pton(const char* src, uint8_t* target, size_t targsize); 602 603 #endif /* NET_HELP_H */ 604