#ifndef UNBOUND_DNSCRYPT_H
#define UNBOUND_DNSCRYPT_H

/**
 * \file
 * dnscrypt functions for encrypting DNS packets.
 *
 * Declares the wire-format size constants, the server-side key and
 * certificate containers (KeyPair, dnsccert, dnsc_env), the layout of the
 * encrypted query prefix, and the entry points that turn an encrypted
 * ("curved") query into a plain one and a plain reply back into an
 * encrypted one.  Everything below is compiled only when USE_DNSCRYPT is
 * defined by dnscrypt_config.h.
 */

#include "dnscrypt/dnscrypt_config.h"
#ifdef USE_DNSCRYPT

/** Length in bytes of the magic string that prefixes a dnscrypt packet. */
#define DNSCRYPT_MAGIC_HEADER_LEN 8U
/**
 * Magic string at the start of an encrypted response.  It is 8 characters
 * (the terminating NUL is not part of the wire format), i.e. exactly
 * DNSCRYPT_MAGIC_HEADER_LEN bytes, which is what the header size macros
 * below assume.
 */
#define DNSCRYPT_MAGIC_RESPONSE "r6fnvWj8"

/*
 * Padding parameters.  Each is guarded with #ifndef so a build can override
 * it.  The names indicate they bound the padding applied to encrypted
 * packets (presumably to blur message lengths from an observer); how they
 * are used is defined in dnscrypt.c -- TODO confirm there before changing.
 */
#ifndef DNSCRYPT_MAX_PADDING
# define DNSCRYPT_MAX_PADDING 256U
#endif
#ifndef DNSCRYPT_BLOCK_SIZE
# define DNSCRYPT_BLOCK_SIZE 64U
#endif
#ifndef DNSCRYPT_MIN_PAD_LEN
# define DNSCRYPT_MIN_PAD_LEN 8U
#endif

/**
 * Size of the half nonce carried in a query (see struct
 * dnscrypt_query_header).  It is defined before config.h/cert.h are
 * included; that is fine because crypto_box_NONCEBYTES is only resolved when
 * this macro is expanded, not where it is defined.
 */
#define crypto_box_HALF_NONCEBYTES (crypto_box_NONCEBYTES / 2U)

#include "config.h"
#include "dnscrypt/cert.h"
#include "util/locks.h"

/**
 * Byte length of the prefix of an encrypted query: magic, client public key,
 * client half nonce, MAC.  This is exactly the sum of the field sizes of
 * struct dnscrypt_query_header below; keep the two in step.
 */
#define DNSCRYPT_QUERY_HEADER_SIZE \
	(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + crypto_box_HALF_NONCEBYTES + crypto_box_MACBYTES)
/** Byte length of the prefix of an encrypted response: magic, full nonce, MAC. */
#define DNSCRYPT_RESPONSE_HEADER_SIZE \
	(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_NONCEBYTES + crypto_box_MACBYTES)

/**
 * Same layout as DNSCRYPT_RESPONSE_HEADER_SIZE with the nonce written as two
 * halves.  The two macros are numerically equal whenever
 * crypto_box_NONCEBYTES is even (the /2U in crypto_box_HALF_NONCEBYTES
 * truncates otherwise); if either is changed, change both.
 */
#define DNSCRYPT_REPLY_HEADER_SIZE \
	(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES * 2 + crypto_box_MACBYTES)

/* Types used only through pointers in this header. */
struct sldns_buffer;
struct config_file;
struct comm_reply;
struct slabhash;

/**
 * A crypto_box key pair (sizes taken from libsodium's crypto_box_*
 * constants).
 * NOTE(review): crypt_secretkey is long-lived secret material; whatever frees
 * a KeyPair should wipe it (sodium_memzero) before releasing the memory --
 * confirm in dnscrypt.c.
 */
typedef struct KeyPair_ {
	/** public half of the key pair */
	uint8_t crypt_publickey[crypto_box_PUBLICKEYBYTES];
	/** secret half of the key pair -- never log or copy it needlessly */
	uint8_t crypt_secretkey[crypto_box_SECRETKEYBYTES];
} KeyPair;

/**
 * Per-certificate lookup entry: the query magic that identifies this
 * certificate on the wire, a two-byte es_version field (presumably the
 * DNSCrypt encryption-system version -- verify against cert.h), and the key
 * pair belonging to it.
 */
typedef struct cert_ {
	/** magic bytes an incoming query must carry to select this cert */
	uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
	/** two-byte es_version field of the certificate */
	uint8_t es_version[2];
	/** key pair for this cert; ownership looks like it stays with dnsc_env
	 *  (keypairs array) -- TODO confirm before freeing through this pointer */
	KeyPair *keypair;
} dnsccert;

/**
 * Server-side dnscrypt state: certificates, keys, the provider identity and
 * the two caches with their locks and counters.  Created by dnsc_create(),
 * populated by dnsc_apply_cfg(), released by dnsc_delete().
 */
struct dnsc_env {
	/** signed certificates currently served */
	struct SignedCert *signed_certs;
	/** certificates being rotated out (array of pointers) */
	struct SignedCert **rotated_certs;
	/** per-certificate lookup entries (magic, es_version, key pair) */
	dnsccert *certs;
	/** number of entries in signed_certs */
	size_t signed_certs_count;
	/** number of entries in rotated_certs */
	size_t rotated_certs_count;
	/** Ed25519 public key of the provider */
	uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
	/** Ed25519 secret key of the provider.  Long-term signing secret:
	 *  NOTE(review): must be wiped on teardown -- confirm in dnsc_delete */
	uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];
	/** crypto_box key pairs (one per certificate) */
	KeyPair *keypairs;
	/** number of entries in keypairs */
	size_t keypairs_count;
	/** name suggests the last nonce timestamp seen; semantics live in
	 *  dnscrypt.c -- TODO confirm */
	uint64_t nonce_ts_last;
	/** crypto_shorthash key, presumably keying the cache hash function */
	unsigned char hash_key[crypto_shorthash_KEYBYTES];
	/** provider name from configuration */
	char * provider_name;

	/** Caches */
	/** cache of computed shared secrets (slabhash) */
	struct slabhash *shared_secrets_cache;
	/** lock on shared secret cache counters */
	lock_basic_type shared_secrets_cache_lock;
	/** number of misses from shared_secrets_cache */
	size_t num_query_dnscrypt_secret_missed_cache;

	/** slabhash keeping track of nonce/client pk/server sk pairs; used to
	 *  recognise replayed queries (see num_query_dnscrypt_replay). */
	struct slabhash *nonces_cache;
	/** lock on nonces_cache, used to avoid race condition in updating the hash */
	lock_basic_type nonces_cache_lock;
	/** number of replayed queries */
	size_t num_query_dnscrypt_replay;
};

/**
 * Layout of the prefix of an encrypted query.  The field sizes add up to
 * DNSCRYPT_QUERY_HEADER_SIZE.  Only half a nonce is present; the other half
 * is not part of the query.
 */
struct dnscrypt_query_header {
	/** magic bytes selecting the certificate */
	uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
	/** client's ephemeral crypto_box public key */
	uint8_t publickey[crypto_box_PUBLICKEYBYTES];
	/** client half of the nonce */
	uint8_t nonce[crypto_box_HALF_NONCEBYTES];
	/** authentication tag over the encrypted payload */
	uint8_t mac[crypto_box_MACBYTES];
};

/**
 * Initialize DNSCrypt environment.
 * Initialize sodium library and allocate the dnsc_env structure.
 * \return a freshly allocated, not yet configured struct dnsc_env; pass it to
 *   dnsc_apply_cfg() before use.
 */
struct dnsc_env * dnsc_create(void);

/**
 * Apply configuration.
 * Read certificates and secret keys from configuration. Initialize hashkey and
 * provider name as well as loading cert TXT records.
 * In case of issue applying configuration, this function fatals.
 * \param[in] env the struct dnsc_env to populate.
 * \param[in] cfg the config_file struct with dnscrypt options.
 * \return 0 on success.
 */
int dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg);

/**
 * Delete DNSCrypt environment
 * \param env the environment to release.
 * NOTE(review): this is where provider_secretkey, the keypairs and hash_key
 * should be wiped before the memory is freed -- confirm in dnscrypt.c.
 */
void dnsc_delete(struct dnsc_env *env);

/**
 * handle a crypted dnscrypt request.
 * Determine whether or not a query is coming over the dnscrypt listener and
 * attempt to uncurve it or detect if it is a certificate query.
 * \param dnscenv dnscrypt environment (keys, certs, caches).
 * \param repinfo the received query and its reply information.
 * \return 0 in case of failure.
 */
int dnsc_handle_curved_request(struct dnsc_env* dnscenv,
	struct comm_reply* repinfo);
/**
 * handle an unencrypted dnscrypt request.
 * Determine whether or not a query is going over the dnscrypt channel and
 * attempt to curve it unless it was not crypted like when it is a
 * certificate query.
 * \param repinfo the reply information for the outgoing answer.
 * \return 0 in case of failure.
 */

int dnsc_handle_uncurved_request(struct comm_reply *repinfo);

/**
 * Computes the size of the shared secret cache entry.
 * slabhash sizefunc callback.
 * \param k cache key.
 * \param d cache data.
 */
size_t dnsc_shared_secrets_sizefunc(void *k, void *d);

/**
 * Compares two shared secret cache keys.
 * slabhash compfunc callback.
 * \param m1 first key.
 * \param m2 second key.
 */
int dnsc_shared_secrets_compfunc(void *m1, void *m2);

/**
 * Function to delete a shared secret cache key.
 * slabhash delkeyfunc callback.
 * \param k key to delete.
 * \param arg user argument passed by slabhash.
 */
void dnsc_shared_secrets_delkeyfunc(void *k, void* arg);

/**
 * Function to delete a shared secret cache value.
 * slabhash deldatafunc callback.  NOTE(review): the value is derived key
 * material; it should be wiped before free -- confirm in dnscrypt.c.
 * \param d data to delete.
 * \param arg user argument passed by slabhash.
 */
void dnsc_shared_secrets_deldatafunc(void* d, void* arg);

/**
 * Computes the size of the nonce cache entry.
 * slabhash sizefunc callback.
 * \param k cache key.
 * \param d cache data.
 */
size_t dnsc_nonces_sizefunc(void *k, void *d);

/**
 * Compares two nonce cache keys.
 * slabhash compfunc callback.
 * \param m1 first key.
 * \param m2 second key.
 */
int dnsc_nonces_compfunc(void *m1, void *m2);

/**
 * Function to delete a nonce cache key.
 * slabhash delkeyfunc callback.
 * \param k key to delete.
 * \param arg user argument passed by slabhash.
 */
void dnsc_nonces_delkeyfunc(void *k, void* arg);

/**
 * Function to delete a nonce cache value.
 * slabhash deldatafunc callback.
 * \param d data to delete.
 * \param arg user argument passed by slabhash.
 */
void dnsc_nonces_deldatafunc(void* d, void* arg);


#endif /* USE_DNSCRYPT */
#endif