1 /*
2 * util/net_help.c - implementation of the network helper code
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35 /**
36 * \file
37 * Implementation of net_help.h.
38 */
39
40 #include "config.h"
41 #ifdef HAVE_SYS_TYPES_H
42 # include <sys/types.h>
43 #endif
44 #ifdef HAVE_NET_IF_H
45 #include <net/if.h>
46 #endif
47 #ifdef HAVE_NETIOAPI_H
48 #include <netioapi.h>
49 #endif
50 #include <ctype.h>
51 #include "util/net_help.h"
52 #include "util/log.h"
53 #include "util/data/dname.h"
54 #include "util/module.h"
55 #include "util/regional.h"
56 #include "util/config_file.h"
57 #include "sldns/parseutil.h"
58 #include "sldns/wire2str.h"
59 #include "sldns/str2wire.h"
60 #include <fcntl.h>
61 #ifdef HAVE_OPENSSL_SSL_H
62 #include <openssl/ssl.h>
63 #include <openssl/evp.h>
64 #include <openssl/rand.h>
65 #endif
66 #ifdef HAVE_OPENSSL_ERR_H
67 #include <openssl/err.h>
68 #endif
69 #ifdef HAVE_OPENSSL_CORE_NAMES_H
70 #include <openssl/core_names.h>
71 #endif
72 #ifdef USE_WINSOCK
73 #include <wincrypt.h>
74 #endif
75 #ifdef HAVE_NGHTTP2_NGHTTP2_H
76 #include <nghttp2/nghttp2.h>
77 #endif
78
79 /** max length of an IP address (the address portion) that we allow */
80 #define MAX_ADDR_STRLEN 128 /* characters */
81 /** max length of a hostname (with port and tls name) that we allow */
82 #define MAX_HOST_STRLEN (LDNS_MAX_DOMAINLEN * 3) /* characters */
83 /** default value for EDNS ADVERTISED size */
84 uint16_t EDNS_ADVERTISED_SIZE = 4096;
85
86 /** minimal responses when positive answer: default is no */
87 int MINIMAL_RESPONSES = 0;
88
89 /** rrset order roundrobin: default is yes */
90 int RRSET_ROUNDROBIN = 1;
91
92 /** log tag queries with name instead of 'info' for filtering */
93 int LOG_TAG_QUERYREPLY = 0;
94
95 #ifdef HAVE_SSL
96 static struct tls_session_ticket_key {
97 unsigned char *key_name;
98 unsigned char *aes_key;
99 unsigned char *hmac_key;
100 } *ticket_keys;
101 #endif /* HAVE_SSL */
102
103 #ifdef HAVE_SSL
104 /**
105 * callback TLS session ticket encrypt and decrypt
106 * For use with SSL_CTX_set_tlsext_ticket_key_cb or
107 * SSL_CTX_set_tlsext_ticket_key_evp_cb
108 * @param s: the SSL_CTX to use (from connect_sslctx_create())
109 * @param key_name: secret name, 16 bytes
110 * @param iv: up to EVP_MAX_IV_LENGTH.
111 * @param evp_ctx: the evp cipher context, function sets this.
112 * @param hmac_ctx: the hmac context, function sets this.
113 * with ..key_cb it is of type HMAC_CTX*
114 * with ..key_evp_cb it is of type EVP_MAC_CTX*
115 * @param enc: 1 is encrypt, 0 is decrypt
116 * @return 0 on no ticket, 1 for okay, and 2 for okay but renew the ticket
117 * (the ticket is decrypt only). and <0 for failures.
118 */
119 int tls_session_ticket_key_cb(SSL *s, unsigned char* key_name,
120 unsigned char* iv, EVP_CIPHER_CTX *evp_ctx,
121 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
122 EVP_MAC_CTX *hmac_ctx,
123 #else
124 HMAC_CTX* hmac_ctx,
125 #endif
126 int enc);
127 #endif /* HAVE_SSL */
128
129 /* returns true is string addr is an ip6 specced address */
130 int
str_is_ip6(const char * str)131 str_is_ip6(const char* str)
132 {
133 if(strchr(str, ':'))
134 return 1;
135 else return 0;
136 }
137
138 int
fd_set_nonblock(int s)139 fd_set_nonblock(int s)
140 {
141 #ifdef HAVE_FCNTL
142 int flag;
143 if((flag = fcntl(s, F_GETFL)) == -1) {
144 log_err("can't fcntl F_GETFL: %s", strerror(errno));
145 flag = 0;
146 }
147 flag |= O_NONBLOCK;
148 if(fcntl(s, F_SETFL, flag) == -1) {
149 log_err("can't fcntl F_SETFL: %s", strerror(errno));
150 return 0;
151 }
152 #elif defined(HAVE_IOCTLSOCKET)
153 unsigned long on = 1;
154 if(ioctlsocket(s, FIONBIO, &on) != 0) {
155 log_err("can't ioctlsocket FIONBIO on: %s",
156 wsa_strerror(WSAGetLastError()));
157 }
158 #endif
159 return 1;
160 }
161
162 int
fd_set_block(int s)163 fd_set_block(int s)
164 {
165 #ifdef HAVE_FCNTL
166 int flag;
167 if((flag = fcntl(s, F_GETFL)) == -1) {
168 log_err("cannot fcntl F_GETFL: %s", strerror(errno));
169 flag = 0;
170 }
171 flag &= ~O_NONBLOCK;
172 if(fcntl(s, F_SETFL, flag) == -1) {
173 log_err("cannot fcntl F_SETFL: %s", strerror(errno));
174 return 0;
175 }
176 #elif defined(HAVE_IOCTLSOCKET)
177 unsigned long off = 0;
178 if(ioctlsocket(s, FIONBIO, &off) != 0) {
179 if(WSAGetLastError() != WSAEINVAL || verbosity >= 4)
180 log_err("can't ioctlsocket FIONBIO off: %s",
181 wsa_strerror(WSAGetLastError()));
182 }
183 #endif
184 return 1;
185 }
186
187 int
is_pow2(size_t num)188 is_pow2(size_t num)
189 {
190 if(num == 0) return 1;
191 return (num & (num-1)) == 0;
192 }
193
194 void*
memdup(void * data,size_t len)195 memdup(void* data, size_t len)
196 {
197 void* d;
198 if(!data) return NULL;
199 if(len == 0) return NULL;
200 d = malloc(len);
201 if(!d) return NULL;
202 memcpy(d, data, len);
203 return d;
204 }
205
206 void
log_addr(enum verbosity_value v,const char * str,struct sockaddr_storage * addr,socklen_t addrlen)207 log_addr(enum verbosity_value v, const char* str,
208 struct sockaddr_storage* addr, socklen_t addrlen)
209 {
210 uint16_t port;
211 const char* family = "unknown";
212 char dest[100];
213 int af = (int)((struct sockaddr_in*)addr)->sin_family;
214 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
215 if(verbosity < v)
216 return;
217 switch(af) {
218 case AF_INET: family="ip4"; break;
219 case AF_INET6: family="ip6";
220 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
221 break;
222 case AF_LOCAL:
223 dest[0]=0;
224 (void)inet_ntop(af, sinaddr, dest,
225 (socklen_t)sizeof(dest));
226 verbose(v, "%s local %s", str, dest);
227 return; /* do not continue and try to get port */
228 default: break;
229 }
230 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
231 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
232 }
233 dest[sizeof(dest)-1] = 0;
234 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
235 if(verbosity >= 4)
236 verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
237 (int)port, (int)addrlen);
238 else verbose(v, "%s %s port %d", str, dest, (int)port);
239 }
240
241 int
extstrtoaddr(const char * str,struct sockaddr_storage * addr,socklen_t * addrlen,int port)242 extstrtoaddr(const char* str, struct sockaddr_storage* addr,
243 socklen_t* addrlen, int port)
244 {
245 char* s;
246 if((s=strchr(str, '@'))) {
247 char buf[MAX_ADDR_STRLEN];
248 if(s-str >= MAX_ADDR_STRLEN) {
249 return 0;
250 }
251 (void)strlcpy(buf, str, sizeof(buf));
252 buf[s-str] = 0;
253 port = atoi(s+1);
254 if(port == 0 && strcmp(s+1,"0")!=0) {
255 return 0;
256 }
257 return ipstrtoaddr(buf, port, addr, addrlen);
258 }
259 return ipstrtoaddr(str, port, addr, addrlen);
260 }
261
262 int
ipstrtoaddr(const char * ip,int port,struct sockaddr_storage * addr,socklen_t * addrlen)263 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
264 socklen_t* addrlen)
265 {
266 uint16_t p;
267 if(!ip) return 0;
268 p = (uint16_t) port;
269 if(str_is_ip6(ip)) {
270 char buf[MAX_ADDR_STRLEN];
271 char* s;
272 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
273 *addrlen = (socklen_t)sizeof(struct sockaddr_in6);
274 memset(sa, 0, *addrlen);
275 sa->sin6_family = AF_INET6;
276 sa->sin6_port = (in_port_t)htons(p);
277 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */
278 if(s-ip >= MAX_ADDR_STRLEN)
279 return 0;
280 (void)strlcpy(buf, ip, sizeof(buf));
281 buf[s-ip]=0;
282 #ifdef HAVE_IF_NAMETOINDEX
283 if (!(sa->sin6_scope_id = if_nametoindex(s+1)))
284 #endif /* HAVE_IF_NAMETOINDEX */
285 sa->sin6_scope_id = (uint32_t)atoi(s+1);
286 ip = buf;
287 }
288 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) {
289 return 0;
290 }
291 } else { /* ip4 */
292 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
293 *addrlen = (socklen_t)sizeof(struct sockaddr_in);
294 memset(sa, 0, *addrlen);
295 sa->sin_family = AF_INET;
296 sa->sin_port = (in_port_t)htons(p);
297 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) {
298 return 0;
299 }
300 }
301 return 1;
302 }
303
netblockstrtoaddr(const char * str,int port,struct sockaddr_storage * addr,socklen_t * addrlen,int * net)304 int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr,
305 socklen_t* addrlen, int* net)
306 {
307 char buf[64];
308 char* s;
309 *net = (str_is_ip6(str)?128:32);
310 if((s=strchr(str, '/'))) {
311 if(atoi(s+1) > *net) {
312 log_err("netblock too large: %s", str);
313 return 0;
314 }
315 *net = atoi(s+1);
316 if(*net == 0 && strcmp(s+1, "0") != 0) {
317 log_err("cannot parse netblock: '%s'", str);
318 return 0;
319 }
320 if(*net < 0) {
321 log_err("netblock value %d is negative in: '%s'",
322 *net, str);
323 return 0;
324 }
325 strlcpy(buf, str, sizeof(buf));
326 s = strchr(buf, '/');
327 if(s) *s = 0;
328 s = buf;
329 }
330 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) {
331 log_err("cannot parse ip address: '%s'", str);
332 return 0;
333 }
334 if(s) {
335 addr_mask(addr, *addrlen, *net);
336 }
337 return 1;
338 }
339
340 /* RPZ format address dname to network byte order address */
ipdnametoaddr(uint8_t * dname,size_t dnamelen,struct sockaddr_storage * addr,socklen_t * addrlen,int * af)341 static int ipdnametoaddr(uint8_t* dname, size_t dnamelen,
342 struct sockaddr_storage* addr, socklen_t* addrlen, int* af)
343 {
344 uint8_t* ia;
345 int dnamelabs = dname_count_labels(dname);
346 uint8_t lablen;
347 char* e = NULL;
348 int z = 0;
349 size_t len = 0;
350 int i;
351 *af = AF_INET;
352
353 /* need 1 byte for label length */
354 if(dnamelen < 1)
355 return 0;
356
357 if(dnamelabs > 6 ||
358 dname_has_label(dname, dnamelen, (uint8_t*)"\002zz")) {
359 *af = AF_INET6;
360 }
361 len = *dname;
362 lablen = *dname++;
363 i = (*af == AF_INET) ? 3 : 15;
364 if(*af == AF_INET6) {
365 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
366 *addrlen = (socklen_t)sizeof(struct sockaddr_in6);
367 memset(sa, 0, *addrlen);
368 sa->sin6_family = AF_INET6;
369 ia = (uint8_t*)&sa->sin6_addr;
370 } else { /* ip4 */
371 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
372 *addrlen = (socklen_t)sizeof(struct sockaddr_in);
373 memset(sa, 0, *addrlen);
374 sa->sin_family = AF_INET;
375 ia = (uint8_t*)&sa->sin_addr;
376 }
377 while(lablen && i >= 0 && len <= dnamelen) {
378 char buff[LDNS_MAX_LABELLEN+1];
379 uint16_t chunk; /* big enough to not overflow on IPv6 hextet */
380 if((*af == AF_INET && (lablen > 3 || dnamelabs > 6)) ||
381 (*af == AF_INET6 && (lablen > 4 || dnamelabs > 10))) {
382 return 0;
383 }
384 if(memcmp(dname, "zz", 2) == 0 && *af == AF_INET6) {
385 /* Add one or more 0 labels. Address is initialised at
386 * 0, so just skip the zero part. */
387 int zl = 11 - dnamelabs;
388 if(z || zl < 0)
389 return 0;
390 z = 1;
391 i -= (zl*2);
392 } else {
393 memcpy(buff, dname, lablen);
394 buff[lablen] = '\0';
395 chunk = strtol(buff, &e, (*af == AF_INET) ? 10 : 16);
396 if(!e || *e != '\0' || (*af == AF_INET && chunk > 255))
397 return 0;
398 if(*af == AF_INET) {
399 log_assert(i < 4 && i >= 0);
400 ia[i] = (uint8_t)chunk;
401 i--;
402 } else {
403 log_assert(i < 16 && i >= 1);
404 /* ia in network byte order */
405 ia[i-1] = (uint8_t)(chunk >> 8);
406 ia[i] = (uint8_t)(chunk & 0x00FF);
407 i -= 2;
408 }
409 }
410 dname += lablen;
411 lablen = *dname++;
412 len += lablen;
413 }
414 if(i != -1)
415 /* input too short */
416 return 0;
417 return 1;
418 }
419
netblockdnametoaddr(uint8_t * dname,size_t dnamelen,struct sockaddr_storage * addr,socklen_t * addrlen,int * net,int * af)420 int netblockdnametoaddr(uint8_t* dname, size_t dnamelen,
421 struct sockaddr_storage* addr, socklen_t* addrlen, int* net, int* af)
422 {
423 char buff[3 /* 3 digit netblock */ + 1];
424 size_t nlablen;
425 if(dnamelen < 1 || *dname > 3)
426 /* netblock invalid */
427 return 0;
428 nlablen = *dname;
429
430 if(dnamelen < 1 + nlablen)
431 return 0;
432
433 memcpy(buff, dname+1, nlablen);
434 buff[nlablen] = '\0';
435 *net = atoi(buff);
436 if(*net == 0 && strcmp(buff, "0") != 0)
437 return 0;
438 if(*net < 0)
439 return 0;
440 dname += nlablen;
441 dname++;
442 if(!ipdnametoaddr(dname, dnamelen-1-nlablen, addr, addrlen, af))
443 return 0;
444 if((*af == AF_INET6 && *net > 128) || (*af == AF_INET && *net > 32))
445 return 0;
446 return 1;
447 }
448
authextstrtoaddr(char * str,struct sockaddr_storage * addr,socklen_t * addrlen,char ** auth_name)449 int authextstrtoaddr(char* str, struct sockaddr_storage* addr,
450 socklen_t* addrlen, char** auth_name)
451 {
452 char* s;
453 int port = UNBOUND_DNS_PORT;
454 if((s=strchr(str, '@'))) {
455 char buf[MAX_ADDR_STRLEN];
456 size_t len = (size_t)(s-str);
457 char* hash = strchr(s+1, '#');
458 if(hash) {
459 *auth_name = hash+1;
460 } else {
461 *auth_name = NULL;
462 }
463 if(len >= MAX_ADDR_STRLEN) {
464 return 0;
465 }
466 (void)strlcpy(buf, str, sizeof(buf));
467 buf[len] = 0;
468 port = atoi(s+1);
469 if(port == 0) {
470 if(!hash && strcmp(s+1,"0")!=0)
471 return 0;
472 if(hash && strncmp(s+1,"0#",2)!=0)
473 return 0;
474 }
475 return ipstrtoaddr(buf, port, addr, addrlen);
476 }
477 if((s=strchr(str, '#'))) {
478 char buf[MAX_ADDR_STRLEN];
479 size_t len = (size_t)(s-str);
480 if(len >= MAX_ADDR_STRLEN) {
481 return 0;
482 }
483 (void)strlcpy(buf, str, sizeof(buf));
484 buf[len] = 0;
485 port = UNBOUND_DNS_OVER_TLS_PORT;
486 *auth_name = s+1;
487 return ipstrtoaddr(buf, port, addr, addrlen);
488 }
489 *auth_name = NULL;
490 return ipstrtoaddr(str, port, addr, addrlen);
491 }
492
authextstrtodname(char * str,int * port,char ** auth_name)493 uint8_t* authextstrtodname(char* str, int* port, char** auth_name)
494 {
495 char* s;
496 uint8_t* dname;
497 size_t dname_len;
498 *port = UNBOUND_DNS_PORT;
499 *auth_name = NULL;
500 if((s=strchr(str, '@'))) {
501 char buf[MAX_HOST_STRLEN];
502 size_t len = (size_t)(s-str);
503 char* hash = strchr(s+1, '#');
504 if(hash) {
505 *auth_name = hash+1;
506 } else {
507 *auth_name = NULL;
508 }
509 if(len >= MAX_HOST_STRLEN) {
510 return NULL;
511 }
512 (void)strlcpy(buf, str, sizeof(buf));
513 buf[len] = 0;
514 *port = atoi(s+1);
515 if(*port == 0) {
516 if(!hash && strcmp(s+1,"0")!=0)
517 return NULL;
518 if(hash && strncmp(s+1,"0#",2)!=0)
519 return NULL;
520 }
521 dname = sldns_str2wire_dname(buf, &dname_len);
522 } else if((s=strchr(str, '#'))) {
523 char buf[MAX_HOST_STRLEN];
524 size_t len = (size_t)(s-str);
525 if(len >= MAX_HOST_STRLEN) {
526 return NULL;
527 }
528 (void)strlcpy(buf, str, sizeof(buf));
529 buf[len] = 0;
530 *port = UNBOUND_DNS_OVER_TLS_PORT;
531 *auth_name = s+1;
532 dname = sldns_str2wire_dname(buf, &dname_len);
533 } else {
534 dname = sldns_str2wire_dname(str, &dname_len);
535 }
536 return dname;
537 }
538
539 /** store port number into sockaddr structure */
540 void
sockaddr_store_port(struct sockaddr_storage * addr,socklen_t addrlen,int port)541 sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port)
542 {
543 if(addr_is_ip6(addr, addrlen)) {
544 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
545 sa->sin6_port = (in_port_t)htons((uint16_t)port);
546 } else {
547 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
548 sa->sin_port = (in_port_t)htons((uint16_t)port);
549 }
550 }
551
552 void
log_nametypeclass(enum verbosity_value v,const char * str,uint8_t * name,uint16_t type,uint16_t dclass)553 log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
554 uint16_t type, uint16_t dclass)
555 {
556 char buf[LDNS_MAX_DOMAINLEN];
557 char t[12], c[12];
558 const char *ts, *cs;
559 if(verbosity < v)
560 return;
561 dname_str(name, buf);
562 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
563 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
564 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
565 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
566 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
567 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
568 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
569 ts = sldns_rr_descript(type)->_name;
570 else {
571 snprintf(t, sizeof(t), "TYPE%d", (int)type);
572 ts = t;
573 }
574 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
575 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
576 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
577 else {
578 snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
579 cs = c;
580 }
581 log_info("%s %s %s %s", str, buf, ts, cs);
582 }
583
584 void
log_query_in(const char * str,uint8_t * name,uint16_t type,uint16_t dclass)585 log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass)
586 {
587 char buf[LDNS_MAX_DOMAINLEN];
588 char t[12], c[12];
589 const char *ts, *cs;
590 dname_str(name, buf);
591 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
592 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
593 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
594 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
595 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
596 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
597 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
598 ts = sldns_rr_descript(type)->_name;
599 else {
600 snprintf(t, sizeof(t), "TYPE%d", (int)type);
601 ts = t;
602 }
603 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
604 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
605 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
606 else {
607 snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
608 cs = c;
609 }
610 if(LOG_TAG_QUERYREPLY)
611 log_query("%s %s %s %s", str, buf, ts, cs);
612 else log_info("%s %s %s %s", str, buf, ts, cs);
613 }
614
log_name_addr(enum verbosity_value v,const char * str,uint8_t * zone,struct sockaddr_storage * addr,socklen_t addrlen)615 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
616 struct sockaddr_storage* addr, socklen_t addrlen)
617 {
618 uint16_t port;
619 const char* family = "unknown_family ";
620 char namebuf[LDNS_MAX_DOMAINLEN];
621 char dest[100];
622 int af = (int)((struct sockaddr_in*)addr)->sin_family;
623 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
624 if(verbosity < v)
625 return;
626 switch(af) {
627 case AF_INET: family=""; break;
628 case AF_INET6: family="";
629 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
630 break;
631 case AF_LOCAL: family="local "; break;
632 default: break;
633 }
634 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
635 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
636 }
637 dest[sizeof(dest)-1] = 0;
638 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
639 dname_str(zone, namebuf);
640 if(af != AF_INET && af != AF_INET6)
641 verbose(v, "%s <%s> %s%s#%d (addrlen %d)",
642 str, namebuf, family, dest, (int)port, (int)addrlen);
643 else verbose(v, "%s <%s> %s%s#%d",
644 str, namebuf, family, dest, (int)port);
645 }
646
log_err_addr(const char * str,const char * err,struct sockaddr_storage * addr,socklen_t addrlen)647 void log_err_addr(const char* str, const char* err,
648 struct sockaddr_storage* addr, socklen_t addrlen)
649 {
650 uint16_t port;
651 char dest[100];
652 int af = (int)((struct sockaddr_in*)addr)->sin_family;
653 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
654 if(af == AF_INET6)
655 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
656 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
657 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
658 }
659 dest[sizeof(dest)-1] = 0;
660 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
661 if(verbosity >= 4)
662 log_err("%s: %s for %s port %d (len %d)", str, err, dest,
663 (int)port, (int)addrlen);
664 else log_err("%s: %s for %s port %d", str, err, dest, (int)port);
665 }
666
667 int
sockaddr_cmp(struct sockaddr_storage * addr1,socklen_t len1,struct sockaddr_storage * addr2,socklen_t len2)668 sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1,
669 struct sockaddr_storage* addr2, socklen_t len2)
670 {
671 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
672 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
673 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
674 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
675 if(len1 < len2)
676 return -1;
677 if(len1 > len2)
678 return 1;
679 log_assert(len1 == len2);
680 if( p1_in->sin_family < p2_in->sin_family)
681 return -1;
682 if( p1_in->sin_family > p2_in->sin_family)
683 return 1;
684 log_assert( p1_in->sin_family == p2_in->sin_family );
685 /* compare ip4 */
686 if( p1_in->sin_family == AF_INET ) {
687 /* just order it, ntohs not required */
688 if(p1_in->sin_port < p2_in->sin_port)
689 return -1;
690 if(p1_in->sin_port > p2_in->sin_port)
691 return 1;
692 log_assert(p1_in->sin_port == p2_in->sin_port);
693 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
694 } else if (p1_in6->sin6_family == AF_INET6) {
695 /* just order it, ntohs not required */
696 if(p1_in6->sin6_port < p2_in6->sin6_port)
697 return -1;
698 if(p1_in6->sin6_port > p2_in6->sin6_port)
699 return 1;
700 log_assert(p1_in6->sin6_port == p2_in6->sin6_port);
701 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
702 INET6_SIZE);
703 } else {
704 /* eek unknown type, perform this comparison for sanity. */
705 return memcmp(addr1, addr2, len1);
706 }
707 }
708
709 int
sockaddr_cmp_addr(struct sockaddr_storage * addr1,socklen_t len1,struct sockaddr_storage * addr2,socklen_t len2)710 sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1,
711 struct sockaddr_storage* addr2, socklen_t len2)
712 {
713 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
714 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
715 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
716 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
717 if(len1 < len2)
718 return -1;
719 if(len1 > len2)
720 return 1;
721 log_assert(len1 == len2);
722 if( p1_in->sin_family < p2_in->sin_family)
723 return -1;
724 if( p1_in->sin_family > p2_in->sin_family)
725 return 1;
726 log_assert( p1_in->sin_family == p2_in->sin_family );
727 /* compare ip4 */
728 if( p1_in->sin_family == AF_INET ) {
729 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
730 } else if (p1_in6->sin6_family == AF_INET6) {
731 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
732 INET6_SIZE);
733 } else {
734 /* eek unknown type, perform this comparison for sanity. */
735 return memcmp(addr1, addr2, len1);
736 }
737 }
738
739 int
sockaddr_cmp_scopeid(struct sockaddr_storage * addr1,socklen_t len1,struct sockaddr_storage * addr2,socklen_t len2)740 sockaddr_cmp_scopeid(struct sockaddr_storage* addr1, socklen_t len1,
741 struct sockaddr_storage* addr2, socklen_t len2)
742 {
743 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
744 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
745 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
746 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
747 if(len1 < len2)
748 return -1;
749 if(len1 > len2)
750 return 1;
751 log_assert(len1 == len2);
752 if( p1_in->sin_family < p2_in->sin_family)
753 return -1;
754 if( p1_in->sin_family > p2_in->sin_family)
755 return 1;
756 log_assert( p1_in->sin_family == p2_in->sin_family );
757 /* compare ip4 */
758 if( p1_in->sin_family == AF_INET ) {
759 /* just order it, ntohs not required */
760 if(p1_in->sin_port < p2_in->sin_port)
761 return -1;
762 if(p1_in->sin_port > p2_in->sin_port)
763 return 1;
764 log_assert(p1_in->sin_port == p2_in->sin_port);
765 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
766 } else if (p1_in6->sin6_family == AF_INET6) {
767 /* just order it, ntohs not required */
768 if(p1_in6->sin6_port < p2_in6->sin6_port)
769 return -1;
770 if(p1_in6->sin6_port > p2_in6->sin6_port)
771 return 1;
772 if(p1_in6->sin6_scope_id < p2_in6->sin6_scope_id)
773 return -1;
774 if(p1_in6->sin6_scope_id > p2_in6->sin6_scope_id)
775 return 1;
776 log_assert(p1_in6->sin6_port == p2_in6->sin6_port);
777 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
778 INET6_SIZE);
779 } else {
780 /* eek unknown type, perform this comparison for sanity. */
781 return memcmp(addr1, addr2, len1);
782 }
783 }
784
785 int
addr_is_ip6(struct sockaddr_storage * addr,socklen_t len)786 addr_is_ip6(struct sockaddr_storage* addr, socklen_t len)
787 {
788 if(len == (socklen_t)sizeof(struct sockaddr_in6) &&
789 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6)
790 return 1;
791 else return 0;
792 }
793
794 void
addr_mask(struct sockaddr_storage * addr,socklen_t len,int net)795 addr_mask(struct sockaddr_storage* addr, socklen_t len, int net)
796 {
797 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
798 int i, max;
799 uint8_t* s;
800 if(addr_is_ip6(addr, len)) {
801 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
802 max = 128;
803 } else {
804 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr;
805 max = 32;
806 }
807 if(net >= max || net < 0)
808 return;
809 for(i=net/8+1; i<max/8; i++) {
810 s[i] = 0;
811 }
812 s[net/8] &= mask[net&0x7];
813 }
814
815 int
addr_in_common(struct sockaddr_storage * addr1,int net1,struct sockaddr_storage * addr2,int net2,socklen_t addrlen)816 addr_in_common(struct sockaddr_storage* addr1, int net1,
817 struct sockaddr_storage* addr2, int net2, socklen_t addrlen)
818 {
819 int min = (net1<net2)?net1:net2;
820 int i, to;
821 int match = 0;
822 uint8_t* s1, *s2;
823 if(addr_is_ip6(addr1, addrlen)) {
824 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr;
825 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr;
826 to = 16;
827 } else {
828 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr;
829 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr;
830 to = 4;
831 }
832 /* match = bits_in_common(s1, s2, to); */
833 for(i=0; i<to; i++) {
834 if(s1[i] == s2[i]) {
835 match += 8;
836 } else {
837 uint8_t z = s1[i]^s2[i];
838 log_assert(z);
839 while(!(z&0x80)) {
840 match++;
841 z<<=1;
842 }
843 break;
844 }
845 }
846 if(match > min) match = min;
847 return match;
848 }
849
850 void
addr_to_str(struct sockaddr_storage * addr,socklen_t addrlen,char * buf,size_t len)851 addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
852 char* buf, size_t len)
853 {
854 int af = (int)((struct sockaddr_in*)addr)->sin_family;
855 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
856 if(addr_is_ip6(addr, addrlen))
857 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
858 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) {
859 snprintf(buf, len, "(inet_ntop_error)");
860 }
861 }
862
863 int
prefixnet_is_nat64(int prefixnet)864 prefixnet_is_nat64(int prefixnet)
865 {
866 return (prefixnet == 32 || prefixnet == 40 ||
867 prefixnet == 48 || prefixnet == 56 ||
868 prefixnet == 64 || prefixnet == 96);
869 }
870
871 void
addr_to_nat64(const struct sockaddr_storage * addr,const struct sockaddr_storage * nat64_prefix,socklen_t nat64_prefixlen,int nat64_prefixnet,struct sockaddr_storage * nat64_addr,socklen_t * nat64_addrlen)872 addr_to_nat64(const struct sockaddr_storage* addr,
873 const struct sockaddr_storage* nat64_prefix,
874 socklen_t nat64_prefixlen, int nat64_prefixnet,
875 struct sockaddr_storage* nat64_addr, socklen_t* nat64_addrlen)
876 {
877 struct sockaddr_in *sin = (struct sockaddr_in *)addr;
878 struct sockaddr_in6 *sin6;
879 uint8_t *v4_byte;
880 int i;
881
882 /* This needs to be checked by the caller */
883 log_assert(addr->ss_family == AF_INET);
884 /* Current usage is only from config values; prefix lengths enforced
885 * during config validation */
886 log_assert(prefixnet_is_nat64(nat64_prefixnet));
887
888 *nat64_addr = *nat64_prefix;
889 *nat64_addrlen = nat64_prefixlen;
890
891 sin6 = (struct sockaddr_in6 *)nat64_addr;
892 sin6->sin6_flowinfo = 0;
893 sin6->sin6_port = sin->sin_port;
894
895 nat64_prefixnet = nat64_prefixnet / 8;
896
897 v4_byte = (uint8_t *)&sin->sin_addr.s_addr;
898 for(i = 0; i < 4; i++) {
899 if(nat64_prefixnet == 8) {
900 /* bits 64...71 are MBZ */
901 sin6->sin6_addr.s6_addr[nat64_prefixnet++] = 0;
902 }
903 sin6->sin6_addr.s6_addr[nat64_prefixnet++] = *v4_byte++;
904 }
905 }
906
907 int
addr_is_ip4mapped(struct sockaddr_storage * addr,socklen_t addrlen)908 addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
909 {
910 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */
911 const uint8_t map_prefix[16] =
912 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0};
913 uint8_t* s;
914 if(!addr_is_ip6(addr, addrlen))
915 return 0;
916 /* s is 16 octet ipv6 address string */
917 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
918 return (memcmp(s, map_prefix, 12) == 0);
919 }
920
addr_is_ip6linklocal(struct sockaddr_storage * addr,socklen_t addrlen)921 int addr_is_ip6linklocal(struct sockaddr_storage* addr, socklen_t addrlen)
922 {
923 const uint8_t prefix[2] = {0xfe, 0x80};
924 int af = (int)((struct sockaddr_in6*)addr)->sin6_family;
925 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr;
926 uint8_t start[2];
927 if(af != AF_INET6 || addrlen<(socklen_t)sizeof(struct sockaddr_in6))
928 return 0;
929 /* Put the first 10 bits of sin6addr in start, match fe80::/10. */
930 memmove(start, sin6addr, 2);
931 start[1] &= 0xc0;
932 return memcmp(start, prefix, 2) == 0;
933 }
934
addr_is_broadcast(struct sockaddr_storage * addr,socklen_t addrlen)935 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
936 {
937 int af = (int)((struct sockaddr_in*)addr)->sin_family;
938 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
939 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
940 && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
941 }
942
addr_is_any(struct sockaddr_storage * addr,socklen_t addrlen)943 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen)
944 {
945 int af = (int)((struct sockaddr_in*)addr)->sin_family;
946 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
947 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr;
948 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
949 && memcmp(sinaddr, "\000\000\000\000", 4) == 0)
950 return 1;
951 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6)
952 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000"
953 "\000\000\000\000\000\000\000\000", 16) == 0)
954 return 1;
955 return 0;
956 }
957
sock_list_insert(struct sock_list ** list,struct sockaddr_storage * addr,socklen_t len,struct regional * region)958 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
959 socklen_t len, struct regional* region)
960 {
961 struct sock_list* add = (struct sock_list*)regional_alloc(region,
962 sizeof(*add) - sizeof(add->addr) + (size_t)len);
963 if(!add) {
964 log_err("out of memory in socketlist insert");
965 return;
966 }
967 log_assert(list);
968 add->next = *list;
969 add->len = len;
970 *list = add;
971 if(len) memmove(&add->addr, addr, len);
972 }
973
sock_list_prepend(struct sock_list ** list,struct sock_list * add)974 void sock_list_prepend(struct sock_list** list, struct sock_list* add)
975 {
976 struct sock_list* last = add;
977 if(!last)
978 return;
979 while(last->next)
980 last = last->next;
981 last->next = *list;
982 *list = add;
983 }
984
sock_list_find(struct sock_list * list,struct sockaddr_storage * addr,socklen_t len)985 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
986 socklen_t len)
987 {
988 while(list) {
989 if(len == list->len) {
990 if(len == 0 || sockaddr_cmp_addr(addr, len,
991 &list->addr, list->len) == 0)
992 return 1;
993 }
994 list = list->next;
995 }
996 return 0;
997 }
998
sock_list_merge(struct sock_list ** list,struct regional * region,struct sock_list * add)999 void sock_list_merge(struct sock_list** list, struct regional* region,
1000 struct sock_list* add)
1001 {
1002 struct sock_list* p;
1003 for(p=add; p; p=p->next) {
1004 if(!sock_list_find(*list, &p->addr, p->len))
1005 sock_list_insert(list, &p->addr, p->len, region);
1006 }
1007 }
1008
1009 void
log_crypto_err(const char * str)1010 log_crypto_err(const char* str)
1011 {
1012 #ifdef HAVE_SSL
1013 log_crypto_err_code(str, ERR_get_error());
1014 #else
1015 (void)str;
1016 #endif /* HAVE_SSL */
1017 }
1018
log_crypto_err_code(const char * str,unsigned long err)1019 void log_crypto_err_code(const char* str, unsigned long err)
1020 {
1021 #ifdef HAVE_SSL
1022 /* error:[error code]:[library name]:[function name]:[reason string] */
1023 char buf[128];
1024 unsigned long e;
1025 ERR_error_string_n(err, buf, sizeof(buf));
1026 log_err("%s crypto %s", str, buf);
1027 while( (e=ERR_get_error()) ) {
1028 ERR_error_string_n(e, buf, sizeof(buf));
1029 log_err("and additionally crypto %s", buf);
1030 }
1031 #else
1032 (void)str;
1033 (void)err;
1034 #endif /* HAVE_SSL */
1035 }
1036
1037 #ifdef HAVE_SSL
1038 /** Print crypt error with SSL_get_error want code and err_get_error code */
log_crypto_err_io_code_arg(const char * str,int r,unsigned long err,int err_present)1039 static void log_crypto_err_io_code_arg(const char* str, int r,
1040 unsigned long err, int err_present)
1041 {
1042 int print_errno = 0, print_crypto_err = 0;
1043 const char* inf = NULL;
1044
1045 switch(r) {
1046 case SSL_ERROR_NONE:
1047 inf = "no error";
1048 break;
1049 case SSL_ERROR_ZERO_RETURN:
1050 inf = "channel closed";
1051 break;
1052 case SSL_ERROR_WANT_READ:
1053 inf = "want read";
1054 break;
1055 case SSL_ERROR_WANT_WRITE:
1056 inf = "want write";
1057 break;
1058 case SSL_ERROR_WANT_CONNECT:
1059 inf = "want connect";
1060 break;
1061 case SSL_ERROR_WANT_ACCEPT:
1062 inf = "want accept";
1063 break;
1064 case SSL_ERROR_WANT_X509_LOOKUP:
1065 inf = "want X509 lookup";
1066 break;
1067 #ifdef SSL_ERROR_WANT_ASYNC
1068 case SSL_ERROR_WANT_ASYNC:
1069 inf = "want async";
1070 break;
1071 #endif
1072 #ifdef SSL_ERROR_WANT_ASYNC_JOB
1073 case SSL_ERROR_WANT_ASYNC_JOB:
1074 inf = "want async job";
1075 break;
1076 #endif
1077 #ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
1078 case SSL_ERROR_WANT_CLIENT_HELLO_CB:
1079 inf = "want client hello cb";
1080 break;
1081 #endif
1082 case SSL_ERROR_SYSCALL:
1083 print_errno = 1;
1084 inf = "syscall";
1085 break;
1086 case SSL_ERROR_SSL:
1087 print_crypto_err = 1;
1088 inf = "SSL, usually protocol, error";
1089 break;
1090 default:
1091 inf = "unknown SSL_get_error result code";
1092 print_errno = 1;
1093 print_crypto_err = 1;
1094 }
1095 if(print_crypto_err) {
1096 if(print_errno) {
1097 char buf[1024];
1098 snprintf(buf, sizeof(buf), "%s with errno %s",
1099 str, strerror(errno));
1100 if(err_present)
1101 log_crypto_err_code(buf, err);
1102 else log_crypto_err(buf);
1103 } else {
1104 if(err_present)
1105 log_crypto_err_code(str, err);
1106 else log_crypto_err(str);
1107 }
1108 } else {
1109 if(print_errno) {
1110 if(errno == 0)
1111 log_err("%s: syscall error with errno %s",
1112 str, strerror(errno));
1113 else log_err("%s: %s", str, strerror(errno));
1114 } else {
1115 log_err("%s: %s", str, inf);
1116 }
1117 }
1118 }
1119 #endif /* HAVE_SSL */
1120
log_crypto_err_io(const char * str,int r)1121 void log_crypto_err_io(const char* str, int r)
1122 {
1123 #ifdef HAVE_SSL
1124 log_crypto_err_io_code_arg(str, r, 0, 0);
1125 #else
1126 (void)str;
1127 (void)r;
1128 #endif /* HAVE_SSL */
1129 }
1130
log_crypto_err_io_code(const char * str,int r,unsigned long err)1131 void log_crypto_err_io_code(const char* str, int r, unsigned long err)
1132 {
1133 #ifdef HAVE_SSL
1134 log_crypto_err_io_code_arg(str, r, err, 1);
1135 #else
1136 (void)str;
1137 (void)r;
1138 (void)err;
1139 #endif /* HAVE_SSL */
1140 }
1141
1142 #ifdef HAVE_SSL
1143 /** log certificate details */
1144 void
log_cert(unsigned level,const char * str,void * cert)1145 log_cert(unsigned level, const char* str, void* cert)
1146 {
1147 BIO* bio;
1148 char nul = 0;
1149 char* pp = NULL;
1150 long len;
1151 if(verbosity < level) return;
1152 bio = BIO_new(BIO_s_mem());
1153 if(!bio) return;
1154 X509_print_ex(bio, (X509*)cert, 0, (unsigned long)-1
1155 ^(X509_FLAG_NO_SUBJECT
1156 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY
1157 |X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX
1158 |X509_FLAG_NO_ATTRIBUTES));
1159 BIO_write(bio, &nul, (int)sizeof(nul));
1160 len = BIO_get_mem_data(bio, &pp);
1161 if(len != 0 && pp) {
1162 /* reduce size of cert printout */
1163 char* s;
1164 while((s=strstr(pp, " "))!=NULL)
1165 memmove(s, s+1, strlen(s+1)+1);
1166 while((s=strstr(pp, "\t\t"))!=NULL)
1167 memmove(s, s+1, strlen(s+1)+1);
1168 verbose(level, "%s: \n%s", str, pp);
1169 }
1170 BIO_free(bio);
1171 }
1172 #endif /* HAVE_SSL */
1173
1174 #if defined(HAVE_SSL) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
1175 static int
dot_alpn_select_cb(SSL * ATTR_UNUSED (ssl),const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * ATTR_UNUSED (arg))1176 dot_alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out,
1177 unsigned char* outlen, const unsigned char* in, unsigned int inlen,
1178 void* ATTR_UNUSED(arg))
1179 {
1180 static const unsigned char alpns[] = { 3, 'd', 'o', 't' };
1181 unsigned char* tmp_out;
1182 int ret;
1183 ret = SSL_select_next_proto(&tmp_out, outlen, alpns, sizeof(alpns), in, inlen);
1184 if(ret == OPENSSL_NPN_NO_OVERLAP) {
1185 /* Client sent ALPN but no overlap. Should have been error,
1186 * but for privacy we continue without ALPN (e.g., if certain
1187 * ALPNs are blocked) */
1188 return SSL_TLSEXT_ERR_NOACK;
1189 }
1190 *out = tmp_out;
1191 return SSL_TLSEXT_ERR_OK;
1192 }
1193 #endif
1194
1195 #if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
doh_alpn_select_cb(SSL * ATTR_UNUSED (ssl),const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * ATTR_UNUSED (arg))1196 static int doh_alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out,
1197 unsigned char* outlen, const unsigned char* in, unsigned int inlen,
1198 void* ATTR_UNUSED(arg))
1199 {
1200 int rv = nghttp2_select_next_protocol((unsigned char **)out, outlen, in,
1201 inlen);
1202 if(rv == -1) {
1203 return SSL_TLSEXT_ERR_NOACK;
1204 }
1205 /* either http/1.1 or h2 selected */
1206 return SSL_TLSEXT_ERR_OK;
1207 }
1208 #endif
1209
1210 #ifdef HAVE_SSL
1211 /* setup the callback for ticket keys */
1212 static int
setup_ticket_keys_cb(void * sslctx)1213 setup_ticket_keys_cb(void* sslctx)
1214 {
1215 # ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1216 if(SSL_CTX_set_tlsext_ticket_key_evp_cb(sslctx, tls_session_ticket_key_cb) == 0) {
1217 return 0;
1218 }
1219 # else
1220 if(SSL_CTX_set_tlsext_ticket_key_cb(sslctx, tls_session_ticket_key_cb) == 0) {
1221 return 0;
1222 }
1223 # endif
1224 return 1;
1225 }
1226 #endif /* HAVE_SSL */
1227
1228 int
listen_sslctx_setup(void * ctxt)1229 listen_sslctx_setup(void* ctxt)
1230 {
1231 #ifdef HAVE_SSL
1232 SSL_CTX* ctx = (SSL_CTX*)ctxt;
1233 /* no SSLv2, SSLv3 because has defects */
1234 #if SSL_OP_NO_SSLv2 != 0
1235 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
1236 != SSL_OP_NO_SSLv2){
1237 log_crypto_err("could not set SSL_OP_NO_SSLv2");
1238 return 0;
1239 }
1240 #endif
1241 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
1242 != SSL_OP_NO_SSLv3){
1243 log_crypto_err("could not set SSL_OP_NO_SSLv3");
1244 return 0;
1245 }
1246 #if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
1247 /* if we have tls 1.1 disable 1.0 */
1248 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
1249 != SSL_OP_NO_TLSv1){
1250 log_crypto_err("could not set SSL_OP_NO_TLSv1");
1251 return 0;
1252 }
1253 #endif
1254 #if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
1255 /* if we have tls 1.2 disable 1.1 */
1256 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
1257 != SSL_OP_NO_TLSv1_1){
1258 log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
1259 return 0;
1260 }
1261 #endif
1262 #if defined(SSL_OP_NO_TLSv1_2) && defined(SSL_OP_NO_TLSv1_3)
1263 /* if we have tls 1.3 disable 1.2 */
1264 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2)
1265 != SSL_OP_NO_TLSv1_2){
1266 log_crypto_err("could not set SSL_OP_NO_TLSv1_2");
1267 return 0;
1268 }
1269 #endif
1270 #if defined(SSL_OP_NO_RENEGOTIATION)
1271 /* disable client renegotiation */
1272 if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
1273 SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
1274 log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
1275 return 0;
1276 }
1277 #endif
1278 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
1279 /* if we detect system-wide crypto policies, use those */
1280 if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) {
1281 /* if we have sha256, set the cipher list to have no known vulns */
1282 if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
1283 log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
1284 }
1285 #endif
1286 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
1287 /* ignore errors when peers do not send the mandatory close_notify
1288 * alert on shutdown.
1289 * Relevant for openssl >= 3 */
1290 if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
1291 SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
1292 log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
1293 return 0;
1294 }
1295 #endif
1296
1297 if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
1298 SSL_OP_CIPHER_SERVER_PREFERENCE) !=
1299 SSL_OP_CIPHER_SERVER_PREFERENCE) {
1300 log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE");
1301 return 0;
1302 }
1303
1304 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
1305 SSL_CTX_set_security_level(ctx, 0);
1306 #endif
1307 #else
1308 (void)ctxt;
1309 #endif /* HAVE_SSL */
1310 return 1;
1311 }
1312
1313 void
listen_sslctx_setup_2(void * ctxt)1314 listen_sslctx_setup_2(void* ctxt)
1315 {
1316 #ifdef HAVE_SSL
1317 SSL_CTX* ctx = (SSL_CTX*)ctxt;
1318 (void)ctx;
1319 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
1320 if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
1321 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
1322 }
1323 #elif defined(USE_ECDSA) && HAVE_DECL_SSL_CTX_SET_TMP_ECDH
1324 if(1) {
1325 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
1326 if (!ecdh) {
1327 log_crypto_err("could not find p256, not enabling ECDHE");
1328 } else {
1329 if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
1330 log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
1331 }
1332 EC_KEY_free (ecdh);
1333 }
1334 }
1335 #endif
1336 #else
1337 (void)ctxt;
1338 #endif /* HAVE_SSL */
1339 }
1340
listen_sslctx_create(const char * key,const char * pem,const char * verifypem,const char * tls_ciphers,const char * tls_ciphersuites,int set_ticket_keys_cb,int is_dot,int is_doh)1341 void* listen_sslctx_create(const char* key, const char* pem,
1342 const char* verifypem, const char* tls_ciphers,
1343 const char* tls_ciphersuites, int set_ticket_keys_cb,
1344 int is_dot, int is_doh)
1345 {
1346 #ifdef HAVE_SSL
1347 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
1348 if(!ctx) {
1349 log_crypto_err("could not SSL_CTX_new");
1350 return NULL;
1351 }
1352 if(!key || key[0] == 0) {
1353 log_err("error: no tls-service-key file specified");
1354 SSL_CTX_free(ctx);
1355 return NULL;
1356 }
1357 if(!pem || pem[0] == 0) {
1358 log_err("error: no tls-service-pem file specified");
1359 SSL_CTX_free(ctx);
1360 return NULL;
1361 }
1362 if(!listen_sslctx_setup(ctx)) {
1363 SSL_CTX_free(ctx);
1364 return NULL;
1365 }
1366 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
1367 log_err("error for cert file: %s", pem);
1368 log_crypto_err("error in SSL_CTX use_certificate_chain_file");
1369 SSL_CTX_free(ctx);
1370 return NULL;
1371 }
1372 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
1373 log_err("error for private key file: %s", key);
1374 log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
1375 SSL_CTX_free(ctx);
1376 return NULL;
1377 }
1378 if(!SSL_CTX_check_private_key(ctx)) {
1379 log_err("error for key file: %s", key);
1380 log_crypto_err("Error in SSL_CTX check_private_key");
1381 SSL_CTX_free(ctx);
1382 return NULL;
1383 }
1384 listen_sslctx_setup_2(ctx);
1385 if(verifypem && verifypem[0]) {
1386 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
1387 log_crypto_err("Error in SSL_CTX verify locations");
1388 SSL_CTX_free(ctx);
1389 return NULL;
1390 }
1391 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
1392 verifypem));
1393 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
1394 }
1395 if(tls_ciphers && tls_ciphers[0]) {
1396 if (!SSL_CTX_set_cipher_list(ctx, tls_ciphers)) {
1397 log_err("failed to set tls-cipher %s",
1398 tls_ciphers);
1399 log_crypto_err("Error in SSL_CTX_set_cipher_list");
1400 SSL_CTX_free(ctx);
1401 return NULL;
1402 }
1403 }
1404 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
1405 if(tls_ciphersuites && tls_ciphersuites[0]) {
1406 if (!SSL_CTX_set_ciphersuites(ctx, tls_ciphersuites)) {
1407 log_err("failed to set tls-ciphersuites %s",
1408 tls_ciphersuites);
1409 log_crypto_err("Error in SSL_CTX_set_ciphersuites");
1410 SSL_CTX_free(ctx);
1411 return NULL;
1412 }
1413 }
1414 #else
1415 (void)tls_ciphersuites; /* variable unused. */
1416 #endif /* HAVE_SSL_CTX_SET_CIPHERSUITES */
1417 if(set_ticket_keys_cb) {
1418 if(!setup_ticket_keys_cb(ctx)) {
1419 log_crypto_err("no support for TLS session ticket");
1420 SSL_CTX_free(ctx);
1421 return NULL;
1422 }
1423 }
1424 /* setup ALPN */
1425 #if defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
1426 if(is_dot) {
1427 SSL_CTX_set_alpn_select_cb(ctx, dot_alpn_select_cb, NULL);
1428 } else if(is_doh) {
1429 #if defined(HAVE_NGHTTP2)
1430 SSL_CTX_set_alpn_select_cb(ctx, doh_alpn_select_cb, NULL);
1431 #endif
1432 }
1433 #endif /* HAVE_SSL_CTX_SET_ALPN_SELECT_CB */
1434 return ctx;
1435 #else
1436 (void)key; (void)pem; (void)verifypem;
1437 (void)tls_ciphers; (void)tls_ciphersuites;
1438 (void)set_ticket_keys_cb; (void)is_dot; (void)is_doh;
1439 return NULL;
1440 #endif /* HAVE_SSL */
1441 }
1442
1443 #ifdef USE_WINSOCK
1444 /* For windows, the CA trust store is not read by openssl.
1445 Add code to open the trust store using wincrypt API and add
1446 the root certs into openssl trust store */
1447 static int
add_WIN_cacerts_to_openssl_store(SSL_CTX * tls_ctx)1448 add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
1449 {
1450 HCERTSTORE hSystemStore;
1451 PCCERT_CONTEXT pTargetCert = NULL;
1452 X509_STORE* store;
1453
1454 verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store");
1455
1456 /* load just once per context lifetime for this version
1457 TODO: dynamically update CA trust changes as they are available */
1458 if (!tls_ctx)
1459 return 0;
1460
1461 /* Call wincrypt's CertOpenStore to open the CA root store. */
1462
1463 if ((hSystemStore = CertOpenStore(
1464 CERT_STORE_PROV_SYSTEM,
1465 0,
1466 0,
1467 /* NOTE: mingw does not have this const: replace with 1 << 16 from code
1468 CERT_SYSTEM_STORE_CURRENT_USER, */
1469 1 << 16,
1470 L"root")) == 0)
1471 {
1472 return 0;
1473 }
1474
1475 store = SSL_CTX_get_cert_store(tls_ctx);
1476 if (!store)
1477 return 0;
1478
1479 /* failure if the CA store is empty or the call fails */
1480 if ((pTargetCert = CertEnumCertificatesInStore(
1481 hSystemStore, pTargetCert)) == 0) {
1482 verbose(VERB_ALGO, "CA certificate store for Windows is empty.");
1483 return 0;
1484 }
1485 /* iterate over the windows cert store and add to openssl store */
1486 do
1487 {
1488 X509 *cert1 = d2i_X509(NULL,
1489 (const unsigned char **)&pTargetCert->pbCertEncoded,
1490 pTargetCert->cbCertEncoded);
1491 if (!cert1) {
1492 unsigned long error = ERR_get_error();
1493 /* return error if a cert fails */
1494 verbose(VERB_ALGO, "%s %d:%s",
1495 "Unable to parse certificate in memory",
1496 (int)error, ERR_error_string(error, NULL));
1497 return 0;
1498 }
1499 else {
1500 /* return error if a cert add to store fails */
1501 if (X509_STORE_add_cert(store, cert1) == 0) {
1502 unsigned long error = ERR_peek_last_error();
1503
1504 /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
1505 * certificate is already in the store. */
1506 if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
1507 ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
1508 error = ERR_get_error();
1509 verbose(VERB_ALGO, "%s %d:%s\n",
1510 "Error adding certificate", (int)error,
1511 ERR_error_string(error, NULL));
1512 X509_free(cert1);
1513 return 0;
1514 }
1515 }
1516 X509_free(cert1);
1517 }
1518 } while ((pTargetCert = CertEnumCertificatesInStore(
1519 hSystemStore, pTargetCert)) != 0);
1520
1521 /* Clean up memory and quit. */
1522 if (pTargetCert)
1523 CertFreeCertificateContext(pTargetCert);
1524 if (hSystemStore)
1525 {
1526 if (!CertCloseStore(
1527 hSystemStore, 0))
1528 return 0;
1529 }
1530 verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully");
1531 return 1;
1532 }
1533 #endif /* USE_WINSOCK */
1534
connect_sslctx_create(char * key,char * pem,char * verifypem,int wincert)1535 void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
1536 {
1537 #ifdef HAVE_SSL
1538 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
1539 if(!ctx) {
1540 log_crypto_err("could not allocate SSL_CTX pointer");
1541 return NULL;
1542 }
1543 #if SSL_OP_NO_SSLv2 != 0
1544 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
1545 != SSL_OP_NO_SSLv2) {
1546 log_crypto_err("could not set SSL_OP_NO_SSLv2");
1547 SSL_CTX_free(ctx);
1548 return NULL;
1549 }
1550 #endif
1551 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
1552 != SSL_OP_NO_SSLv3) {
1553 log_crypto_err("could not set SSL_OP_NO_SSLv3");
1554 SSL_CTX_free(ctx);
1555 return NULL;
1556 }
1557 #if defined(SSL_OP_NO_RENEGOTIATION)
1558 /* disable client renegotiation */
1559 if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
1560 SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
1561 log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
1562 SSL_CTX_free(ctx);
1563 return 0;
1564 }
1565 #endif
1566 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
1567 /* ignore errors when peers do not send the mandatory close_notify
1568 * alert on shutdown.
1569 * Relevant for openssl >= 3 */
1570 if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
1571 SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
1572 log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
1573 SSL_CTX_free(ctx);
1574 return 0;
1575 }
1576 #endif
1577 if(key && key[0]) {
1578 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
1579 log_err("error in client certificate %s", pem);
1580 log_crypto_err("error in certificate file");
1581 SSL_CTX_free(ctx);
1582 return NULL;
1583 }
1584 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
1585 log_err("error in client private key %s", key);
1586 log_crypto_err("error in key file");
1587 SSL_CTX_free(ctx);
1588 return NULL;
1589 }
1590 if(!SSL_CTX_check_private_key(ctx)) {
1591 log_err("error in client key %s", key);
1592 log_crypto_err("error in SSL_CTX_check_private_key");
1593 SSL_CTX_free(ctx);
1594 return NULL;
1595 }
1596 }
1597 if((verifypem && verifypem[0]) || wincert) {
1598 if(verifypem && verifypem[0]) {
1599 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
1600 log_crypto_err("error in SSL_CTX verify");
1601 SSL_CTX_free(ctx);
1602 return NULL;
1603 }
1604 }
1605 #ifdef USE_WINSOCK
1606 if(wincert) {
1607 if(!add_WIN_cacerts_to_openssl_store(ctx)) {
1608 log_crypto_err("error in add_WIN_cacerts_to_openssl_store");
1609 SSL_CTX_free(ctx);
1610 return NULL;
1611 }
1612 }
1613 #else
1614 if(wincert) {
1615 if(!SSL_CTX_set_default_verify_paths(ctx)) {
1616 log_crypto_err("error in default_verify_paths");
1617 SSL_CTX_free(ctx);
1618 return NULL;
1619 }
1620 }
1621 #endif
1622 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
1623 }
1624 return ctx;
1625 #else
1626 (void)key; (void)pem; (void)verifypem; (void)wincert;
1627 return NULL;
1628 #endif
1629 }
1630
incoming_ssl_fd(void * sslctx,int fd)1631 void* incoming_ssl_fd(void* sslctx, int fd)
1632 {
1633 #ifdef HAVE_SSL
1634 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
1635 if(!ssl) {
1636 log_crypto_err("could not SSL_new");
1637 return NULL;
1638 }
1639 SSL_set_accept_state(ssl);
1640 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY);
1641 if(!SSL_set_fd(ssl, fd)) {
1642 log_crypto_err("could not SSL_set_fd");
1643 SSL_free(ssl);
1644 return NULL;
1645 }
1646 return ssl;
1647 #else
1648 (void)sslctx; (void)fd;
1649 return NULL;
1650 #endif
1651 }
1652
outgoing_ssl_fd(void * sslctx,int fd)1653 void* outgoing_ssl_fd(void* sslctx, int fd)
1654 {
1655 #ifdef HAVE_SSL
1656 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
1657 if(!ssl) {
1658 log_crypto_err("could not SSL_new");
1659 return NULL;
1660 }
1661 SSL_set_connect_state(ssl);
1662 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY);
1663 if(!SSL_set_fd(ssl, fd)) {
1664 log_crypto_err("could not SSL_set_fd");
1665 SSL_free(ssl);
1666 return NULL;
1667 }
1668 return ssl;
1669 #else
1670 (void)sslctx; (void)fd;
1671 return NULL;
1672 #endif
1673 }
1674
check_auth_name_for_ssl(char * auth_name)1675 int check_auth_name_for_ssl(char* auth_name)
1676 {
1677 if(!auth_name) return 1;
1678 #if defined(HAVE_SSL) && !defined(HAVE_SSL_SET1_HOST) && !defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
1679 log_err("the query has an auth_name %s, but libssl has no call to "
1680 "perform TLS authentication. Remove that name from config "
1681 "or upgrade the ssl crypto library.", auth_name);
1682 return 0;
1683 #else
1684 return 1;
1685 #endif
1686 }
1687
1688 /** set the authname on an SSL structure, SSL* ssl */
set_auth_name_on_ssl(void * ssl,char * auth_name,int use_sni)1689 int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni)
1690 {
1691 if(!auth_name) return 1;
1692 #ifdef HAVE_SSL
1693 if(use_sni) {
1694 (void)SSL_set_tlsext_host_name(ssl, auth_name);
1695 }
1696 #else
1697 (void)ssl;
1698 (void)use_sni;
1699 #endif
1700 #ifdef HAVE_SSL_SET1_HOST
1701 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
1702 /* setting the hostname makes openssl verify the
1703 * host name in the x509 certificate in the
1704 * SSL connection*/
1705 if(!SSL_set1_host(ssl, auth_name)) {
1706 log_err("SSL_set1_host failed");
1707 return 0;
1708 }
1709 #elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
1710 /* openssl 1.0.2 has this function that can be used for
1711 * set1_host like verification */
1712 if(auth_name) {
1713 X509_VERIFY_PARAM* param = SSL_get0_param(ssl);
1714 # ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1715 X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
1716 # endif
1717 if(!X509_VERIFY_PARAM_set1_host(param, auth_name, strlen(auth_name))) {
1718 log_err("X509_VERIFY_PARAM_set1_host failed");
1719 return 0;
1720 }
1721 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
1722 }
1723 #else
1724 verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
1725 #endif /* HAVE_SSL_SET1_HOST */
1726 return 1;
1727 }
1728
1729 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1730 /** global lock list for openssl locks */
1731 static lock_basic_type *ub_openssl_locks = NULL;
1732
1733 /** callback that gets thread id for openssl */
1734 #ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
1735 static void
ub_crypto_id_cb(CRYPTO_THREADID * id)1736 ub_crypto_id_cb(CRYPTO_THREADID *id)
1737 {
1738 CRYPTO_THREADID_set_numeric(id, (unsigned long)log_thread_get());
1739 }
1740 #else
1741 static unsigned long
ub_crypto_id_cb(void)1742 ub_crypto_id_cb(void)
1743 {
1744 return (unsigned long)log_thread_get();
1745 }
1746 #endif
1747
1748 static void
ub_crypto_lock_cb(int mode,int type,const char * ATTR_UNUSED (file),int ATTR_UNUSED (line))1749 ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
1750 int ATTR_UNUSED(line))
1751 {
1752 if((mode&CRYPTO_LOCK)) {
1753 lock_basic_lock(&ub_openssl_locks[type]);
1754 } else {
1755 lock_basic_unlock(&ub_openssl_locks[type]);
1756 }
1757 }
1758 #endif /* OPENSSL_THREADS */
1759
ub_openssl_lock_init(void)1760 int ub_openssl_lock_init(void)
1761 {
1762 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1763 int i;
1764 ub_openssl_locks = (lock_basic_type*)reallocarray(
1765 NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_type));
1766 if(!ub_openssl_locks)
1767 return 0;
1768 for(i=0; i<CRYPTO_num_locks(); i++) {
1769 lock_basic_init(&ub_openssl_locks[i]);
1770 }
1771 # ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
1772 CRYPTO_THREADID_set_callback(&ub_crypto_id_cb);
1773 # else
1774 CRYPTO_set_id_callback(&ub_crypto_id_cb);
1775 # endif
1776 CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
1777 #endif /* OPENSSL_THREADS */
1778 return 1;
1779 }
1780
ub_openssl_lock_delete(void)1781 void ub_openssl_lock_delete(void)
1782 {
1783 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1784 int i;
1785 if(!ub_openssl_locks)
1786 return;
1787 # ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
1788 CRYPTO_THREADID_set_callback(NULL);
1789 # else
1790 CRYPTO_set_id_callback(NULL);
1791 # endif
1792 CRYPTO_set_locking_callback(NULL);
1793 for(i=0; i<CRYPTO_num_locks(); i++) {
1794 lock_basic_destroy(&ub_openssl_locks[i]);
1795 }
1796 free(ub_openssl_locks);
1797 #endif /* OPENSSL_THREADS */
1798 }
1799
listen_sslctx_setup_ticket_keys(struct config_strlist * tls_session_ticket_keys)1800 int listen_sslctx_setup_ticket_keys(struct config_strlist* tls_session_ticket_keys) {
1801 #ifdef HAVE_SSL
1802 size_t s = 1;
1803 struct config_strlist* p;
1804 struct tls_session_ticket_key *keys;
1805 for(p = tls_session_ticket_keys; p; p = p->next) {
1806 s++;
1807 }
1808 keys = calloc(s, sizeof(struct tls_session_ticket_key));
1809 if(!keys)
1810 return 0;
1811 memset(keys, 0, s*sizeof(*keys));
1812 ticket_keys = keys;
1813
1814 for(p = tls_session_ticket_keys; p; p = p->next) {
1815 size_t n;
1816 unsigned char *data;
1817 FILE *f;
1818
1819 data = (unsigned char *)malloc(80);
1820 if(!data)
1821 return 0;
1822
1823 f = fopen(p->str, "rb");
1824 if(!f) {
1825 log_err("could not read tls-session-ticket-key %s: %s", p->str, strerror(errno));
1826 free(data);
1827 return 0;
1828 }
1829 n = fread(data, 1, 80, f);
1830 fclose(f);
1831
1832 if(n != 80) {
1833 log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", p->str, (int)n);
1834 free(data);
1835 return 0;
1836 }
1837 verbose(VERB_OPS, "read tls-session-ticket-key: %s", p->str);
1838
1839 keys->key_name = data;
1840 keys->aes_key = data + 16;
1841 keys->hmac_key = data + 48;
1842 keys++;
1843 }
1844 /* terminate array with NULL key name entry */
1845 keys->key_name = NULL;
1846 return 1;
1847 #else
1848 (void)tls_session_ticket_keys;
1849 return 0;
1850 #endif
1851 }
1852
1853 #ifdef HAVE_SSL
tls_session_ticket_key_cb(SSL * ATTR_UNUSED (sslctx),unsigned char * key_name,unsigned char * iv,EVP_CIPHER_CTX * evp_sctx,EVP_MAC_CTX * hmac_ctx,int enc)1854 int tls_session_ticket_key_cb(SSL *ATTR_UNUSED(sslctx), unsigned char* key_name,
1855 unsigned char* iv, EVP_CIPHER_CTX *evp_sctx,
1856 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1857 EVP_MAC_CTX *hmac_ctx,
1858 #else
1859 HMAC_CTX* hmac_ctx,
1860 #endif
1861 int enc)
1862 {
1863 #ifdef HAVE_SSL
1864 # ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1865 OSSL_PARAM params[3];
1866 # else
1867 const EVP_MD *digest;
1868 # endif
1869 const EVP_CIPHER *cipher;
1870 int evp_cipher_length;
1871 # ifndef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1872 digest = EVP_sha256();
1873 # endif
1874 cipher = EVP_aes_256_cbc();
1875 evp_cipher_length = EVP_CIPHER_iv_length(cipher);
1876 if( enc == 1 ) {
1877 /* encrypt */
1878 verbose(VERB_CLIENT, "start session encrypt");
1879 memcpy(key_name, ticket_keys->key_name, 16);
1880 if (RAND_bytes(iv, evp_cipher_length) != 1) {
1881 verbose(VERB_CLIENT, "RAND_bytes failed");
1882 return -1;
1883 }
1884 if (EVP_EncryptInit_ex(evp_sctx, cipher, NULL, ticket_keys->aes_key, iv) != 1) {
1885 verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed");
1886 return -1;
1887 }
1888 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1889 params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
1890 ticket_keys->hmac_key, 32);
1891 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
1892 "sha256", 0);
1893 params[2] = OSSL_PARAM_construct_end();
1894 #ifdef HAVE_EVP_MAC_CTX_SET_PARAMS
1895 EVP_MAC_CTX_set_params(hmac_ctx, params);
1896 #else
1897 EVP_MAC_set_ctx_params(hmac_ctx, params);
1898 #endif
1899 #elif !defined(HMAC_INIT_EX_RETURNS_VOID)
1900 if (HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL) != 1) {
1901 verbose(VERB_CLIENT, "HMAC_Init_ex failed");
1902 return -1;
1903 }
1904 #else
1905 HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL);
1906 #endif
1907 return 1;
1908 } else if (enc == 0) {
1909 /* decrypt */
1910 struct tls_session_ticket_key *key;
1911 verbose(VERB_CLIENT, "start session decrypt");
1912 for(key = ticket_keys; key->key_name != NULL; key++) {
1913 if (!memcmp(key_name, key->key_name, 16)) {
1914 verbose(VERB_CLIENT, "Found session_key");
1915 break;
1916 }
1917 }
1918 if(key->key_name == NULL) {
1919 verbose(VERB_CLIENT, "Not found session_key");
1920 return 0;
1921 }
1922
1923 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1924 params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
1925 key->hmac_key, 32);
1926 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
1927 "sha256", 0);
1928 params[2] = OSSL_PARAM_construct_end();
1929 #ifdef HAVE_EVP_MAC_CTX_SET_PARAMS
1930 EVP_MAC_CTX_set_params(hmac_ctx, params);
1931 #else
1932 EVP_MAC_set_ctx_params(hmac_ctx, params);
1933 #endif
1934 #elif !defined(HMAC_INIT_EX_RETURNS_VOID)
1935 if (HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL) != 1) {
1936 verbose(VERB_CLIENT, "HMAC_Init_ex failed");
1937 return -1;
1938 }
1939 #else
1940 HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL);
1941 #endif
1942 if (EVP_DecryptInit_ex(evp_sctx, cipher, NULL, key->aes_key, iv) != 1) {
1943 log_err("EVP_DecryptInit_ex failed");
1944 return -1;
1945 }
1946
1947 return (key == ticket_keys) ? 1 : 2;
1948 }
1949 return -1;
1950 #else
1951 (void)key_name;
1952 (void)iv;
1953 (void)evp_sctx;
1954 (void)hmac_ctx;
1955 (void)enc;
1956 return 0;
1957 #endif
1958 }
1959 #endif /* HAVE_SSL */
1960
1961 #ifdef HAVE_SSL
1962 void
listen_sslctx_delete_ticket_keys(void)1963 listen_sslctx_delete_ticket_keys(void)
1964 {
1965 struct tls_session_ticket_key *key;
1966 if(!ticket_keys) return;
1967 for(key = ticket_keys; key->key_name != NULL; key++) {
1968 /* wipe key data from memory*/
1969 #ifdef HAVE_EXPLICIT_BZERO
1970 explicit_bzero(key->key_name, 80);
1971 #else
1972 memset(key->key_name, 0xdd, 80);
1973 #endif
1974 free(key->key_name);
1975 }
1976 free(ticket_keys);
1977 ticket_keys = NULL;
1978 }
1979 #endif /* HAVE_SSL */
1980
1981 # ifndef USE_WINSOCK
1982 char*
sock_strerror(int errn)1983 sock_strerror(int errn)
1984 {
1985 return strerror(errn);
1986 }
1987
1988 void
sock_close(int socket)1989 sock_close(int socket)
1990 {
1991 close(socket);
1992 }
1993
1994 # else
1995 char*
sock_strerror(int ATTR_UNUSED (errn))1996 sock_strerror(int ATTR_UNUSED(errn))
1997 {
1998 return wsa_strerror(WSAGetLastError());
1999 }
2000
2001 void
sock_close(int socket)2002 sock_close(int socket)
2003 {
2004 closesocket(socket);
2005 }
2006 # endif /* USE_WINSOCK */
2007
2008 ssize_t
hex_ntop(uint8_t const * src,size_t srclength,char * target,size_t targsize)2009 hex_ntop(uint8_t const *src, size_t srclength, char *target, size_t targsize)
2010 {
2011 static char hexdigits[] = {
2012 '0', '1', '2', '3', '4', '5', '6', '7',
2013 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
2014 };
2015 size_t i;
2016
2017 if (targsize < srclength * 2 + 1) {
2018 return -1;
2019 }
2020
2021 for (i = 0; i < srclength; ++i) {
2022 *target++ = hexdigits[src[i] >> 4U];
2023 *target++ = hexdigits[src[i] & 0xfU];
2024 }
2025 *target = '\0';
2026 return 2 * srclength;
2027 }
2028
2029 ssize_t
hex_pton(const char * src,uint8_t * target,size_t targsize)2030 hex_pton(const char* src, uint8_t* target, size_t targsize)
2031 {
2032 uint8_t *t = target;
2033 if(strlen(src) % 2 != 0 || strlen(src)/2 > targsize) {
2034 return -1;
2035 }
2036 while(*src) {
2037 if(!isxdigit((unsigned char)src[0]) ||
2038 !isxdigit((unsigned char)src[1]))
2039 return -1;
2040 *t++ = sldns_hexdigit_to_int(src[0]) * 16 +
2041 sldns_hexdigit_to_int(src[1]) ;
2042 src += 2;
2043 }
2044 return t-target;
2045 }
2046