xref: /freebsd/contrib/unbound/dnscrypt/dnscrypt.h (revision 24e365220007c415f495cf8dcb228ece6002b8b7)
1 #ifndef UNBOUND_DNSCRYPT_H
2 #define UNBOUND_DNSCRYPT_H
3 
4 /**
5  * \file
6  * dnscrypt functions for encrypting DNS packets.
7  */
8 
9 #include "dnscrypt/dnscrypt_config.h"
10 #ifdef USE_DNSCRYPT
11 
12 #define DNSCRYPT_MAGIC_HEADER_LEN 8U
13 #define DNSCRYPT_MAGIC_RESPONSE  "r6fnvWj8"
14 
15 #ifndef DNSCRYPT_MAX_PADDING
16 # define DNSCRYPT_MAX_PADDING 256U
17 #endif
18 #ifndef DNSCRYPT_BLOCK_SIZE
19 # define DNSCRYPT_BLOCK_SIZE 64U
20 #endif
21 #ifndef DNSCRYPT_MIN_PAD_LEN
22 # define DNSCRYPT_MIN_PAD_LEN 8U
23 #endif
24 
25 #define crypto_box_HALF_NONCEBYTES (crypto_box_NONCEBYTES / 2U)
26 
27 #include "config.h"
28 #include "dnscrypt/cert.h"
29 #include "util/locks.h"
30 
31 #define DNSCRYPT_QUERY_HEADER_SIZE \
32     (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + crypto_box_HALF_NONCEBYTES + crypto_box_MACBYTES)
33 #define DNSCRYPT_RESPONSE_HEADER_SIZE \
34     (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_NONCEBYTES + crypto_box_MACBYTES)
35 
36 #define DNSCRYPT_REPLY_HEADER_SIZE \
37     (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES * 2 + crypto_box_MACBYTES)
38 
39 struct sldns_buffer;
40 struct config_file;
41 struct comm_reply;
42 struct slabhash;
43 
44 typedef struct KeyPair_ {
45     uint8_t crypt_publickey[crypto_box_PUBLICKEYBYTES];
46     uint8_t crypt_secretkey[crypto_box_SECRETKEYBYTES];
47 } KeyPair;
48 
49 typedef struct cert_ {
50     uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
51     uint8_t es_version[2];
52     KeyPair *keypair;
53 } dnsccert;
54 
55 struct dnsc_env {
56 	struct SignedCert *signed_certs;
57 	struct SignedCert **rotated_certs;
58 	dnsccert *certs;
59 	size_t signed_certs_count;
60 	size_t rotated_certs_count;
61 	uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
62 	uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];
63 	KeyPair *keypairs;
64 	size_t keypairs_count;
65 	uint64_t nonce_ts_last;
66 	unsigned char hash_key[crypto_shorthash_KEYBYTES];
67 	char * provider_name;
68 
69     /** Caches */
70 	struct slabhash *shared_secrets_cache;
71 	/** lock on shared secret cache counters */
72 	lock_basic_type shared_secrets_cache_lock;
73 	/** number of misses from shared_secrets_cache */
74 	size_t num_query_dnscrypt_secret_missed_cache;
75 
76 	/** slabhash keeping track of nonce/cient pk/server sk pairs. */
77 	struct slabhash *nonces_cache;
78 	/** lock on nonces_cache, used to avoid race condition in updating the hash */
79 	lock_basic_type nonces_cache_lock;
80 	/** number of replayed queries */
81 	size_t num_query_dnscrypt_replay;
82 };
83 
84 struct dnscrypt_query_header {
85     uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
86     uint8_t publickey[crypto_box_PUBLICKEYBYTES];
87     uint8_t nonce[crypto_box_HALF_NONCEBYTES];
88     uint8_t mac[crypto_box_MACBYTES];
89 };
90 
91 /**
92  * Initialize DNSCrypt environment.
93  * Initialize sodium library and allocate the dnsc_env structure.
94  * \return an uninitialized struct dnsc_env.
95  */
96 struct dnsc_env * dnsc_create(void);
97 
98 /**
99  * Apply configuration.
100  * Read certificates and secret keys from configuration. Initialize hashkey and
101  * provider name as well as loading cert TXT records.
102  * In case of issue applying configuration, this function fatals.
103  * \param[in] env the struct dnsc_env to populate.
104  * \param[in] cfg the config_file struct with dnscrypt options.
105  * \return 0 on success.
106  */
107 int dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg);
108 
109 /**
110  * Delete DNSCrypt environment
111  *
112  */
113 void dnsc_delete(struct dnsc_env *env);
114 
115 /**
116  * handle a crypted dnscrypt request.
117  * Determine whether or not a query is coming over the dnscrypt listener and
118  * attempt to uncurve it or detect if it is a certificate query.
119  * return 0 in case of failure.
120  */
121 int dnsc_handle_curved_request(struct dnsc_env* dnscenv,
122                                struct comm_reply* repinfo);
123 /**
124  * handle an unencrypted dnscrypt request.
125  * Determine whether or not a query is going over the dnscrypt channel and
126  * attempt to curve it unless it was not crypted like when  it is a
127  * certificate query.
128  * \return 0 in case of failure.
129  */
130 
131 int dnsc_handle_uncurved_request(struct comm_reply *repinfo);
132 
133 /**
134  * Computes the size of the shared secret cache entry.
135  */
136 size_t dnsc_shared_secrets_sizefunc(void *k, void *d);
137 
138 /**
139  * Compares two shared secret cache keys.
140  */
141 int dnsc_shared_secrets_compfunc(void *m1, void *m2);
142 
143 /**
144  * Function to delete a shared secret cache key.
145  */
146 void dnsc_shared_secrets_delkeyfunc(void *k, void* arg);
147 
148 /**
149  * Function to delete a share secret cache value.
150  */
151 void dnsc_shared_secrets_deldatafunc(void* d, void* arg);
152 
153 /**
154  * Computes the size of the nonce cache entry.
155  */
156 size_t dnsc_nonces_sizefunc(void *k, void *d);
157 
158 /**
159  * Compares two nonce cache keys.
160  */
161 int dnsc_nonces_compfunc(void *m1, void *m2);
162 
163 /**
164  * Function to delete a nonce cache key.
165  */
166 void dnsc_nonces_delkeyfunc(void *k, void* arg);
167 
168 /**
169  * Function to delete a nonce cache value.
170  */
171 void dnsc_nonces_deldatafunc(void* d, void* arg);
172 
173 
174 #endif /* USE_DNSCRYPT */
175 #endif
176