1 /* 2 * util/net_help.c - implementation of the network helper code 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 /** 36 * \file 37 * Implementation of net_help.h. 38 */ 39 40 #include "config.h" 41 #ifdef HAVE_SYS_TYPES_H 42 # include <sys/types.h> 43 #endif 44 #ifdef HAVE_NET_IF_H 45 #include <net/if.h> 46 #endif 47 #ifdef HAVE_NETIOAPI_H 48 #include <netioapi.h> 49 #endif 50 #include <ctype.h> 51 #include "util/net_help.h" 52 #include "util/log.h" 53 #include "util/data/dname.h" 54 #include "util/module.h" 55 #include "util/regional.h" 56 #include "util/config_file.h" 57 #include "sldns/parseutil.h" 58 #include "sldns/wire2str.h" 59 #include "sldns/str2wire.h" 60 #include <fcntl.h> 61 #ifdef HAVE_OPENSSL_SSL_H 62 #include <openssl/ssl.h> 63 #include <openssl/evp.h> 64 #include <openssl/rand.h> 65 #endif 66 #ifdef HAVE_OPENSSL_ERR_H 67 #include <openssl/err.h> 68 #endif 69 #ifdef HAVE_OPENSSL_CORE_NAMES_H 70 #include <openssl/core_names.h> 71 #endif 72 #ifdef USE_WINSOCK 73 #include <wincrypt.h> 74 #endif 75 #ifdef HAVE_NGHTTP2_NGHTTP2_H 76 #include <nghttp2/nghttp2.h> 77 #endif 78 79 /** max length of an IP address (the address portion) that we allow */ 80 #define MAX_ADDR_STRLEN 128 /* characters */ 81 /** max length of a hostname (with port and tls name) that we allow */ 82 #define MAX_HOST_STRLEN (LDNS_MAX_DOMAINLEN * 3) /* characters */ 83 /** default value for EDNS ADVERTISED size */ 84 uint16_t EDNS_ADVERTISED_SIZE = 4096; 85 86 /** minimal responses when positive answer: default is no */ 87 int MINIMAL_RESPONSES = 0; 88 89 /** rrset order roundrobin: default is yes */ 90 int RRSET_ROUNDROBIN = 1; 91 92 /** log tag queries with name instead of 'info' for filtering */ 93 int LOG_TAG_QUERYREPLY = 0; 94 95 #ifdef HAVE_SSL 96 static struct tls_session_ticket_key { 97 unsigned char *key_name; 98 unsigned char *aes_key; 99 unsigned char *hmac_key; 100 } *ticket_keys; 101 #endif /* HAVE_SSL */ 102 103 #ifdef HAVE_SSL 104 /** 105 * callback TLS session ticket encrypt and decrypt 106 * For use with SSL_CTX_set_tlsext_ticket_key_cb or 107 * SSL_CTX_set_tlsext_ticket_key_evp_cb 108 * @param s: the SSL_CTX to use (from connect_sslctx_create()) 109 * @param key_name: secret name, 16 bytes 110 * @param iv: up to EVP_MAX_IV_LENGTH. 111 * @param evp_ctx: the evp cipher context, function sets this. 112 * @param hmac_ctx: the hmac context, function sets this. 113 * with ..key_cb it is of type HMAC_CTX* 114 * with ..key_evp_cb it is of type EVP_MAC_CTX* 115 * @param enc: 1 is encrypt, 0 is decrypt 116 * @return 0 on no ticket, 1 for okay, and 2 for okay but renew the ticket 117 * (the ticket is decrypt only). and <0 for failures. 118 */ 119 int tls_session_ticket_key_cb(SSL *s, unsigned char* key_name, 120 unsigned char* iv, EVP_CIPHER_CTX *evp_ctx, 121 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 122 EVP_MAC_CTX *hmac_ctx, 123 #else 124 HMAC_CTX* hmac_ctx, 125 #endif 126 int enc); 127 #endif /* HAVE_SSL */ 128 129 /* returns true is string addr is an ip6 specced address */ 130 int 131 str_is_ip6(const char* str) 132 { 133 if(strchr(str, ':')) 134 return 1; 135 else return 0; 136 } 137 138 int 139 fd_set_nonblock(int s) 140 { 141 #ifdef HAVE_FCNTL 142 int flag; 143 if((flag = fcntl(s, F_GETFL)) == -1) { 144 log_err("can't fcntl F_GETFL: %s", strerror(errno)); 145 flag = 0; 146 } 147 flag |= O_NONBLOCK; 148 if(fcntl(s, F_SETFL, flag) == -1) { 149 log_err("can't fcntl F_SETFL: %s", strerror(errno)); 150 return 0; 151 } 152 #elif defined(HAVE_IOCTLSOCKET) 153 unsigned long on = 1; 154 if(ioctlsocket(s, FIONBIO, &on) != 0) { 155 log_err("can't ioctlsocket FIONBIO on: %s", 156 wsa_strerror(WSAGetLastError())); 157 } 158 #endif 159 return 1; 160 } 161 162 int 163 fd_set_block(int s) 164 { 165 #ifdef HAVE_FCNTL 166 int flag; 167 if((flag = fcntl(s, F_GETFL)) == -1) { 168 log_err("cannot fcntl F_GETFL: %s", strerror(errno)); 169 flag = 0; 170 } 171 flag &= ~O_NONBLOCK; 172 if(fcntl(s, F_SETFL, flag) == -1) { 173 log_err("cannot fcntl F_SETFL: %s", strerror(errno)); 174 return 0; 175 } 176 #elif defined(HAVE_IOCTLSOCKET) 177 unsigned long off = 0; 178 if(ioctlsocket(s, FIONBIO, &off) != 0) { 179 if(WSAGetLastError() != WSAEINVAL || verbosity >= 4) 180 log_err("can't ioctlsocket FIONBIO off: %s", 181 wsa_strerror(WSAGetLastError())); 182 } 183 #endif 184 return 1; 185 } 186 187 int 188 is_pow2(size_t num) 189 { 190 if(num == 0) return 1; 191 return (num & (num-1)) == 0; 192 } 193 194 void* 195 memdup(void* data, size_t len) 196 { 197 void* d; 198 if(!data) return NULL; 199 if(len == 0) return NULL; 200 d = malloc(len); 201 if(!d) return NULL; 202 memcpy(d, data, len); 203 return d; 204 } 205 206 void 207 log_addr(enum verbosity_value v, const char* str, 208 struct sockaddr_storage* addr, socklen_t addrlen) 209 { 210 uint16_t port; 211 const char* family = "unknown"; 212 char dest[100]; 213 int af = (int)((struct sockaddr_in*)addr)->sin_family; 214 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 215 if(verbosity < v) 216 return; 217 switch(af) { 218 case AF_INET: family="ip4"; break; 219 case AF_INET6: family="ip6"; 220 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 221 break; 222 case AF_LOCAL: 223 dest[0]=0; 224 (void)inet_ntop(af, sinaddr, dest, 225 (socklen_t)sizeof(dest)); 226 verbose(v, "%s local %s", str, dest); 227 return; /* do not continue and try to get port */ 228 default: break; 229 } 230 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 231 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 232 } 233 dest[sizeof(dest)-1] = 0; 234 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 235 if(verbosity >= 4) 236 verbose(v, "%s %s %s port %d (len %d)", str, family, dest, 237 (int)port, (int)addrlen); 238 else verbose(v, "%s %s port %d", str, dest, (int)port); 239 } 240 241 int 242 extstrtoaddr(const char* str, struct sockaddr_storage* addr, 243 socklen_t* addrlen, int port) 244 { 245 char* s; 246 if((s=strchr(str, '@'))) { 247 char buf[MAX_ADDR_STRLEN]; 248 if(s-str >= MAX_ADDR_STRLEN) { 249 return 0; 250 } 251 (void)strlcpy(buf, str, sizeof(buf)); 252 buf[s-str] = 0; 253 port = atoi(s+1); 254 if(port == 0 && strcmp(s+1,"0")!=0) { 255 return 0; 256 } 257 return ipstrtoaddr(buf, port, addr, addrlen); 258 } 259 return ipstrtoaddr(str, port, addr, addrlen); 260 } 261 262 int 263 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, 264 socklen_t* addrlen) 265 { 266 uint16_t p; 267 if(!ip) return 0; 268 p = (uint16_t) port; 269 if(str_is_ip6(ip)) { 270 char buf[MAX_ADDR_STRLEN]; 271 char* s; 272 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 273 *addrlen = (socklen_t)sizeof(struct sockaddr_in6); 274 memset(sa, 0, *addrlen); 275 sa->sin6_family = AF_INET6; 276 sa->sin6_port = (in_port_t)htons(p); 277 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */ 278 if(s-ip >= MAX_ADDR_STRLEN) 279 return 0; 280 (void)strlcpy(buf, ip, sizeof(buf)); 281 buf[s-ip]=0; 282 #ifdef HAVE_IF_NAMETOINDEX 283 if (!(sa->sin6_scope_id = if_nametoindex(s+1))) 284 #endif /* HAVE_IF_NAMETOINDEX */ 285 sa->sin6_scope_id = (uint32_t)atoi(s+1); 286 ip = buf; 287 } 288 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) { 289 return 0; 290 } 291 } else { /* ip4 */ 292 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 293 *addrlen = (socklen_t)sizeof(struct sockaddr_in); 294 memset(sa, 0, *addrlen); 295 sa->sin_family = AF_INET; 296 sa->sin_port = (in_port_t)htons(p); 297 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) { 298 return 0; 299 } 300 } 301 return 1; 302 } 303 304 int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr, 305 socklen_t* addrlen, int* net) 306 { 307 char buf[64]; 308 char* s; 309 *net = (str_is_ip6(str)?128:32); 310 if((s=strchr(str, '/'))) { 311 if(atoi(s+1) > *net) { 312 log_err("netblock too large: %s", str); 313 return 0; 314 } 315 *net = atoi(s+1); 316 if(*net == 0 && strcmp(s+1, "0") != 0) { 317 log_err("cannot parse netblock: '%s'", str); 318 return 0; 319 } 320 strlcpy(buf, str, sizeof(buf)); 321 s = strchr(buf, '/'); 322 if(s) *s = 0; 323 s = buf; 324 } 325 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) { 326 log_err("cannot parse ip address: '%s'", str); 327 return 0; 328 } 329 if(s) { 330 addr_mask(addr, *addrlen, *net); 331 } 332 return 1; 333 } 334 335 /* RPZ format address dname to network byte order address */ 336 static int ipdnametoaddr(uint8_t* dname, size_t dnamelen, 337 struct sockaddr_storage* addr, socklen_t* addrlen, int* af) 338 { 339 uint8_t* ia; 340 int dnamelabs = dname_count_labels(dname); 341 uint8_t lablen; 342 char* e = NULL; 343 int z = 0; 344 size_t len = 0; 345 int i; 346 *af = AF_INET; 347 348 /* need 1 byte for label length */ 349 if(dnamelen < 1) 350 return 0; 351 352 if(dnamelabs > 6 || 353 dname_has_label(dname, dnamelen, (uint8_t*)"\002zz")) { 354 *af = AF_INET6; 355 } 356 len = *dname; 357 lablen = *dname++; 358 i = (*af == AF_INET) ? 3 : 15; 359 if(*af == AF_INET6) { 360 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 361 *addrlen = (socklen_t)sizeof(struct sockaddr_in6); 362 memset(sa, 0, *addrlen); 363 sa->sin6_family = AF_INET6; 364 ia = (uint8_t*)&sa->sin6_addr; 365 } else { /* ip4 */ 366 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 367 *addrlen = (socklen_t)sizeof(struct sockaddr_in); 368 memset(sa, 0, *addrlen); 369 sa->sin_family = AF_INET; 370 ia = (uint8_t*)&sa->sin_addr; 371 } 372 while(lablen && i >= 0 && len <= dnamelen) { 373 char buff[LDNS_MAX_LABELLEN+1]; 374 uint16_t chunk; /* big enough to not overflow on IPv6 hextet */ 375 if((*af == AF_INET && (lablen > 3 || dnamelabs > 6)) || 376 (*af == AF_INET6 && (lablen > 4 || dnamelabs > 10))) { 377 return 0; 378 } 379 if(memcmp(dname, "zz", 2) == 0 && *af == AF_INET6) { 380 /* Add one or more 0 labels. Address is initialised at 381 * 0, so just skip the zero part. */ 382 int zl = 11 - dnamelabs; 383 if(z || zl < 0) 384 return 0; 385 z = 1; 386 i -= (zl*2); 387 } else { 388 memcpy(buff, dname, lablen); 389 buff[lablen] = '\0'; 390 chunk = strtol(buff, &e, (*af == AF_INET) ? 10 : 16); 391 if(!e || *e != '\0' || (*af == AF_INET && chunk > 255)) 392 return 0; 393 if(*af == AF_INET) { 394 log_assert(i < 4 && i >= 0); 395 ia[i] = (uint8_t)chunk; 396 i--; 397 } else { 398 log_assert(i < 16 && i >= 1); 399 /* ia in network byte order */ 400 ia[i-1] = (uint8_t)(chunk >> 8); 401 ia[i] = (uint8_t)(chunk & 0x00FF); 402 i -= 2; 403 } 404 } 405 dname += lablen; 406 lablen = *dname++; 407 len += lablen; 408 } 409 if(i != -1) 410 /* input too short */ 411 return 0; 412 return 1; 413 } 414 415 int netblockdnametoaddr(uint8_t* dname, size_t dnamelen, 416 struct sockaddr_storage* addr, socklen_t* addrlen, int* net, int* af) 417 { 418 char buff[3 /* 3 digit netblock */ + 1]; 419 size_t nlablen; 420 if(dnamelen < 1 || *dname > 3) 421 /* netblock invalid */ 422 return 0; 423 nlablen = *dname; 424 425 if(dnamelen < 1 + nlablen) 426 return 0; 427 428 memcpy(buff, dname+1, nlablen); 429 buff[nlablen] = '\0'; 430 *net = atoi(buff); 431 if(*net == 0 && strcmp(buff, "0") != 0) 432 return 0; 433 dname += nlablen; 434 dname++; 435 if(!ipdnametoaddr(dname, dnamelen-1-nlablen, addr, addrlen, af)) 436 return 0; 437 if((*af == AF_INET6 && *net > 128) || (*af == AF_INET && *net > 32)) 438 return 0; 439 return 1; 440 } 441 442 int authextstrtoaddr(char* str, struct sockaddr_storage* addr, 443 socklen_t* addrlen, char** auth_name) 444 { 445 char* s; 446 int port = UNBOUND_DNS_PORT; 447 if((s=strchr(str, '@'))) { 448 char buf[MAX_ADDR_STRLEN]; 449 size_t len = (size_t)(s-str); 450 char* hash = strchr(s+1, '#'); 451 if(hash) { 452 *auth_name = hash+1; 453 } else { 454 *auth_name = NULL; 455 } 456 if(len >= MAX_ADDR_STRLEN) { 457 return 0; 458 } 459 (void)strlcpy(buf, str, sizeof(buf)); 460 buf[len] = 0; 461 port = atoi(s+1); 462 if(port == 0) { 463 if(!hash && strcmp(s+1,"0")!=0) 464 return 0; 465 if(hash && strncmp(s+1,"0#",2)!=0) 466 return 0; 467 } 468 return ipstrtoaddr(buf, port, addr, addrlen); 469 } 470 if((s=strchr(str, '#'))) { 471 char buf[MAX_ADDR_STRLEN]; 472 size_t len = (size_t)(s-str); 473 if(len >= MAX_ADDR_STRLEN) { 474 return 0; 475 } 476 (void)strlcpy(buf, str, sizeof(buf)); 477 buf[len] = 0; 478 port = UNBOUND_DNS_OVER_TLS_PORT; 479 *auth_name = s+1; 480 return ipstrtoaddr(buf, port, addr, addrlen); 481 } 482 *auth_name = NULL; 483 return ipstrtoaddr(str, port, addr, addrlen); 484 } 485 486 uint8_t* authextstrtodname(char* str, int* port, char** auth_name) 487 { 488 char* s; 489 uint8_t* dname; 490 size_t dname_len; 491 *port = UNBOUND_DNS_PORT; 492 *auth_name = NULL; 493 if((s=strchr(str, '@'))) { 494 char buf[MAX_HOST_STRLEN]; 495 size_t len = (size_t)(s-str); 496 char* hash = strchr(s+1, '#'); 497 if(hash) { 498 *auth_name = hash+1; 499 } else { 500 *auth_name = NULL; 501 } 502 if(len >= MAX_HOST_STRLEN) { 503 return NULL; 504 } 505 (void)strlcpy(buf, str, sizeof(buf)); 506 buf[len] = 0; 507 *port = atoi(s+1); 508 if(*port == 0) { 509 if(!hash && strcmp(s+1,"0")!=0) 510 return NULL; 511 if(hash && strncmp(s+1,"0#",2)!=0) 512 return NULL; 513 } 514 dname = sldns_str2wire_dname(buf, &dname_len); 515 } else if((s=strchr(str, '#'))) { 516 char buf[MAX_HOST_STRLEN]; 517 size_t len = (size_t)(s-str); 518 if(len >= MAX_HOST_STRLEN) { 519 return NULL; 520 } 521 (void)strlcpy(buf, str, sizeof(buf)); 522 buf[len] = 0; 523 *port = UNBOUND_DNS_OVER_TLS_PORT; 524 *auth_name = s+1; 525 dname = sldns_str2wire_dname(buf, &dname_len); 526 } else { 527 dname = sldns_str2wire_dname(str, &dname_len); 528 } 529 return dname; 530 } 531 532 /** store port number into sockaddr structure */ 533 void 534 sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port) 535 { 536 if(addr_is_ip6(addr, addrlen)) { 537 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 538 sa->sin6_port = (in_port_t)htons((uint16_t)port); 539 } else { 540 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 541 sa->sin_port = (in_port_t)htons((uint16_t)port); 542 } 543 } 544 545 void 546 log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name, 547 uint16_t type, uint16_t dclass) 548 { 549 char buf[LDNS_MAX_DOMAINLEN]; 550 char t[12], c[12]; 551 const char *ts, *cs; 552 if(verbosity < v) 553 return; 554 dname_str(name, buf); 555 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG"; 556 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR"; 557 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR"; 558 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB"; 559 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA"; 560 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY"; 561 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name) 562 ts = sldns_rr_descript(type)->_name; 563 else { 564 snprintf(t, sizeof(t), "TYPE%d", (int)type); 565 ts = t; 566 } 567 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) && 568 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name) 569 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name; 570 else { 571 snprintf(c, sizeof(c), "CLASS%d", (int)dclass); 572 cs = c; 573 } 574 log_info("%s %s %s %s", str, buf, ts, cs); 575 } 576 577 void 578 log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass) 579 { 580 char buf[LDNS_MAX_DOMAINLEN]; 581 char t[12], c[12]; 582 const char *ts, *cs; 583 dname_str(name, buf); 584 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG"; 585 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR"; 586 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR"; 587 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB"; 588 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA"; 589 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY"; 590 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name) 591 ts = sldns_rr_descript(type)->_name; 592 else { 593 snprintf(t, sizeof(t), "TYPE%d", (int)type); 594 ts = t; 595 } 596 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) && 597 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name) 598 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name; 599 else { 600 snprintf(c, sizeof(c), "CLASS%d", (int)dclass); 601 cs = c; 602 } 603 if(LOG_TAG_QUERYREPLY) 604 log_query("%s %s %s %s", str, buf, ts, cs); 605 else log_info("%s %s %s %s", str, buf, ts, cs); 606 } 607 608 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone, 609 struct sockaddr_storage* addr, socklen_t addrlen) 610 { 611 uint16_t port; 612 const char* family = "unknown_family "; 613 char namebuf[LDNS_MAX_DOMAINLEN]; 614 char dest[100]; 615 int af = (int)((struct sockaddr_in*)addr)->sin_family; 616 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 617 if(verbosity < v) 618 return; 619 switch(af) { 620 case AF_INET: family=""; break; 621 case AF_INET6: family=""; 622 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 623 break; 624 case AF_LOCAL: family="local "; break; 625 default: break; 626 } 627 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 628 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 629 } 630 dest[sizeof(dest)-1] = 0; 631 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 632 dname_str(zone, namebuf); 633 if(af != AF_INET && af != AF_INET6) 634 verbose(v, "%s <%s> %s%s#%d (addrlen %d)", 635 str, namebuf, family, dest, (int)port, (int)addrlen); 636 else verbose(v, "%s <%s> %s%s#%d", 637 str, namebuf, family, dest, (int)port); 638 } 639 640 void log_err_addr(const char* str, const char* err, 641 struct sockaddr_storage* addr, socklen_t addrlen) 642 { 643 uint16_t port; 644 char dest[100]; 645 int af = (int)((struct sockaddr_in*)addr)->sin_family; 646 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 647 if(af == AF_INET6) 648 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 649 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 650 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 651 } 652 dest[sizeof(dest)-1] = 0; 653 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 654 if(verbosity >= 4) 655 log_err("%s: %s for %s port %d (len %d)", str, err, dest, 656 (int)port, (int)addrlen); 657 else log_err("%s: %s for %s port %d", str, err, dest, (int)port); 658 } 659 660 int 661 sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1, 662 struct sockaddr_storage* addr2, socklen_t len2) 663 { 664 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; 665 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; 666 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; 667 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; 668 if(len1 < len2) 669 return -1; 670 if(len1 > len2) 671 return 1; 672 log_assert(len1 == len2); 673 if( p1_in->sin_family < p2_in->sin_family) 674 return -1; 675 if( p1_in->sin_family > p2_in->sin_family) 676 return 1; 677 log_assert( p1_in->sin_family == p2_in->sin_family ); 678 /* compare ip4 */ 679 if( p1_in->sin_family == AF_INET ) { 680 /* just order it, ntohs not required */ 681 if(p1_in->sin_port < p2_in->sin_port) 682 return -1; 683 if(p1_in->sin_port > p2_in->sin_port) 684 return 1; 685 log_assert(p1_in->sin_port == p2_in->sin_port); 686 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); 687 } else if (p1_in6->sin6_family == AF_INET6) { 688 /* just order it, ntohs not required */ 689 if(p1_in6->sin6_port < p2_in6->sin6_port) 690 return -1; 691 if(p1_in6->sin6_port > p2_in6->sin6_port) 692 return 1; 693 log_assert(p1_in6->sin6_port == p2_in6->sin6_port); 694 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, 695 INET6_SIZE); 696 } else { 697 /* eek unknown type, perform this comparison for sanity. */ 698 return memcmp(addr1, addr2, len1); 699 } 700 } 701 702 int 703 sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1, 704 struct sockaddr_storage* addr2, socklen_t len2) 705 { 706 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; 707 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; 708 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; 709 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; 710 if(len1 < len2) 711 return -1; 712 if(len1 > len2) 713 return 1; 714 log_assert(len1 == len2); 715 if( p1_in->sin_family < p2_in->sin_family) 716 return -1; 717 if( p1_in->sin_family > p2_in->sin_family) 718 return 1; 719 log_assert( p1_in->sin_family == p2_in->sin_family ); 720 /* compare ip4 */ 721 if( p1_in->sin_family == AF_INET ) { 722 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); 723 } else if (p1_in6->sin6_family == AF_INET6) { 724 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, 725 INET6_SIZE); 726 } else { 727 /* eek unknown type, perform this comparison for sanity. */ 728 return memcmp(addr1, addr2, len1); 729 } 730 } 731 732 int 733 sockaddr_cmp_scopeid(struct sockaddr_storage* addr1, socklen_t len1, 734 struct sockaddr_storage* addr2, socklen_t len2) 735 { 736 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; 737 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; 738 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; 739 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; 740 if(len1 < len2) 741 return -1; 742 if(len1 > len2) 743 return 1; 744 log_assert(len1 == len2); 745 if( p1_in->sin_family < p2_in->sin_family) 746 return -1; 747 if( p1_in->sin_family > p2_in->sin_family) 748 return 1; 749 log_assert( p1_in->sin_family == p2_in->sin_family ); 750 /* compare ip4 */ 751 if( p1_in->sin_family == AF_INET ) { 752 /* just order it, ntohs not required */ 753 if(p1_in->sin_port < p2_in->sin_port) 754 return -1; 755 if(p1_in->sin_port > p2_in->sin_port) 756 return 1; 757 log_assert(p1_in->sin_port == p2_in->sin_port); 758 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); 759 } else if (p1_in6->sin6_family == AF_INET6) { 760 /* just order it, ntohs not required */ 761 if(p1_in6->sin6_port < p2_in6->sin6_port) 762 return -1; 763 if(p1_in6->sin6_port > p2_in6->sin6_port) 764 return 1; 765 if(p1_in6->sin6_scope_id < p2_in6->sin6_scope_id) 766 return -1; 767 if(p1_in6->sin6_scope_id > p2_in6->sin6_scope_id) 768 return 1; 769 log_assert(p1_in6->sin6_port == p2_in6->sin6_port); 770 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, 771 INET6_SIZE); 772 } else { 773 /* eek unknown type, perform this comparison for sanity. */ 774 return memcmp(addr1, addr2, len1); 775 } 776 } 777 778 int 779 addr_is_ip6(struct sockaddr_storage* addr, socklen_t len) 780 { 781 if(len == (socklen_t)sizeof(struct sockaddr_in6) && 782 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6) 783 return 1; 784 else return 0; 785 } 786 787 void 788 addr_mask(struct sockaddr_storage* addr, socklen_t len, int net) 789 { 790 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe}; 791 int i, max; 792 uint8_t* s; 793 if(addr_is_ip6(addr, len)) { 794 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; 795 max = 128; 796 } else { 797 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr; 798 max = 32; 799 } 800 if(net >= max) 801 return; 802 for(i=net/8+1; i<max/8; i++) { 803 s[i] = 0; 804 } 805 s[net/8] &= mask[net&0x7]; 806 } 807 808 int 809 addr_in_common(struct sockaddr_storage* addr1, int net1, 810 struct sockaddr_storage* addr2, int net2, socklen_t addrlen) 811 { 812 int min = (net1<net2)?net1:net2; 813 int i, to; 814 int match = 0; 815 uint8_t* s1, *s2; 816 if(addr_is_ip6(addr1, addrlen)) { 817 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr; 818 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr; 819 to = 16; 820 } else { 821 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr; 822 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr; 823 to = 4; 824 } 825 /* match = bits_in_common(s1, s2, to); */ 826 for(i=0; i<to; i++) { 827 if(s1[i] == s2[i]) { 828 match += 8; 829 } else { 830 uint8_t z = s1[i]^s2[i]; 831 log_assert(z); 832 while(!(z&0x80)) { 833 match++; 834 z<<=1; 835 } 836 break; 837 } 838 } 839 if(match > min) match = min; 840 return match; 841 } 842 843 void 844 addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen, 845 char* buf, size_t len) 846 { 847 int af = (int)((struct sockaddr_in*)addr)->sin_family; 848 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 849 if(addr_is_ip6(addr, addrlen)) 850 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 851 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) { 852 snprintf(buf, len, "(inet_ntop_error)"); 853 } 854 } 855 856 int 857 prefixnet_is_nat64(int prefixnet) 858 { 859 return (prefixnet == 32 || prefixnet == 40 || 860 prefixnet == 48 || prefixnet == 56 || 861 prefixnet == 64 || prefixnet == 96); 862 } 863 864 void 865 addr_to_nat64(const struct sockaddr_storage* addr, 866 const struct sockaddr_storage* nat64_prefix, 867 socklen_t nat64_prefixlen, int nat64_prefixnet, 868 struct sockaddr_storage* nat64_addr, socklen_t* nat64_addrlen) 869 { 870 struct sockaddr_in *sin = (struct sockaddr_in *)addr; 871 struct sockaddr_in6 *sin6; 872 uint8_t *v4_byte; 873 int i; 874 875 /* This needs to be checked by the caller */ 876 log_assert(addr->ss_family == AF_INET); 877 /* Current usage is only from config values; prefix lengths enforced 878 * during config validation */ 879 log_assert(prefixnet_is_nat64(nat64_prefixnet)); 880 881 *nat64_addr = *nat64_prefix; 882 *nat64_addrlen = nat64_prefixlen; 883 884 sin6 = (struct sockaddr_in6 *)nat64_addr; 885 sin6->sin6_flowinfo = 0; 886 sin6->sin6_port = sin->sin_port; 887 888 nat64_prefixnet = nat64_prefixnet / 8; 889 890 v4_byte = (uint8_t *)&sin->sin_addr.s_addr; 891 for(i = 0; i < 4; i++) { 892 if(nat64_prefixnet == 8) { 893 /* bits 64...71 are MBZ */ 894 sin6->sin6_addr.s6_addr[nat64_prefixnet++] = 0; 895 } 896 sin6->sin6_addr.s6_addr[nat64_prefixnet++] = *v4_byte++; 897 } 898 } 899 900 int 901 addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen) 902 { 903 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */ 904 const uint8_t map_prefix[16] = 905 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0}; 906 uint8_t* s; 907 if(!addr_is_ip6(addr, addrlen)) 908 return 0; 909 /* s is 16 octet ipv6 address string */ 910 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; 911 return (memcmp(s, map_prefix, 12) == 0); 912 } 913 914 int addr_is_ip6linklocal(struct sockaddr_storage* addr, socklen_t addrlen) 915 { 916 const uint8_t prefix[2] = {0xfe, 0x80}; 917 int af = (int)((struct sockaddr_in6*)addr)->sin6_family; 918 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr; 919 uint8_t start[2]; 920 if(af != AF_INET6 || addrlen<(socklen_t)sizeof(struct sockaddr_in6)) 921 return 0; 922 /* Put the first 10 bits of sin6addr in start, match fe80::/10. */ 923 memmove(start, sin6addr, 2); 924 start[1] &= 0xc0; 925 return memcmp(start, prefix, 2) == 0; 926 } 927 928 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen) 929 { 930 int af = (int)((struct sockaddr_in*)addr)->sin_family; 931 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 932 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in) 933 && memcmp(sinaddr, "\377\377\377\377", 4) == 0; 934 } 935 936 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen) 937 { 938 int af = (int)((struct sockaddr_in*)addr)->sin_family; 939 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 940 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr; 941 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in) 942 && memcmp(sinaddr, "\000\000\000\000", 4) == 0) 943 return 1; 944 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6) 945 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000" 946 "\000\000\000\000\000\000\000\000", 16) == 0) 947 return 1; 948 return 0; 949 } 950 951 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr, 952 socklen_t len, struct regional* region) 953 { 954 struct sock_list* add = (struct sock_list*)regional_alloc(region, 955 sizeof(*add) - sizeof(add->addr) + (size_t)len); 956 if(!add) { 957 log_err("out of memory in socketlist insert"); 958 return; 959 } 960 log_assert(list); 961 add->next = *list; 962 add->len = len; 963 *list = add; 964 if(len) memmove(&add->addr, addr, len); 965 } 966 967 void sock_list_prepend(struct sock_list** list, struct sock_list* add) 968 { 969 struct sock_list* last = add; 970 if(!last) 971 return; 972 while(last->next) 973 last = last->next; 974 last->next = *list; 975 *list = add; 976 } 977 978 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr, 979 socklen_t len) 980 { 981 while(list) { 982 if(len == list->len) { 983 if(len == 0 || sockaddr_cmp_addr(addr, len, 984 &list->addr, list->len) == 0) 985 return 1; 986 } 987 list = list->next; 988 } 989 return 0; 990 } 991 992 void sock_list_merge(struct sock_list** list, struct regional* region, 993 struct sock_list* add) 994 { 995 struct sock_list* p; 996 for(p=add; p; p=p->next) { 997 if(!sock_list_find(*list, &p->addr, p->len)) 998 sock_list_insert(list, &p->addr, p->len, region); 999 } 1000 } 1001 1002 void 1003 log_crypto_err(const char* str) 1004 { 1005 #ifdef HAVE_SSL 1006 log_crypto_err_code(str, ERR_get_error()); 1007 #else 1008 (void)str; 1009 #endif /* HAVE_SSL */ 1010 } 1011 1012 void log_crypto_err_code(const char* str, unsigned long err) 1013 { 1014 #ifdef HAVE_SSL 1015 /* error:[error code]:[library name]:[function name]:[reason string] */ 1016 char buf[128]; 1017 unsigned long e; 1018 ERR_error_string_n(err, buf, sizeof(buf)); 1019 log_err("%s crypto %s", str, buf); 1020 while( (e=ERR_get_error()) ) { 1021 ERR_error_string_n(e, buf, sizeof(buf)); 1022 log_err("and additionally crypto %s", buf); 1023 } 1024 #else 1025 (void)str; 1026 (void)err; 1027 #endif /* HAVE_SSL */ 1028 } 1029 1030 #ifdef HAVE_SSL 1031 /** Print crypt erro with SSL_get_error want code and err_get_error code */ 1032 static void log_crypto_err_io_code_arg(const char* str, int r, 1033 unsigned long err, int err_present) 1034 { 1035 int print_errno = 0, print_crypto_err = 0; 1036 const char* inf = NULL; 1037 1038 switch(r) { 1039 case SSL_ERROR_NONE: 1040 inf = "no error"; 1041 break; 1042 case SSL_ERROR_ZERO_RETURN: 1043 inf = "channel closed"; 1044 break; 1045 case SSL_ERROR_WANT_READ: 1046 inf = "want read"; 1047 break; 1048 case SSL_ERROR_WANT_WRITE: 1049 inf = "want write"; 1050 break; 1051 case SSL_ERROR_WANT_CONNECT: 1052 inf = "want connect"; 1053 break; 1054 case SSL_ERROR_WANT_ACCEPT: 1055 inf = "want accept"; 1056 break; 1057 case SSL_ERROR_WANT_X509_LOOKUP: 1058 inf = "want X509 lookup"; 1059 break; 1060 #ifdef SSL_ERROR_WANT_ASYNC 1061 case SSL_ERROR_WANT_ASYNC: 1062 inf = "want async"; 1063 break; 1064 #endif 1065 #ifdef SSL_ERROR_WANT_ASYNC_JOB 1066 case SSL_ERROR_WANT_ASYNC_JOB: 1067 inf = "want async job"; 1068 break; 1069 #endif 1070 #ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB 1071 case SSL_ERROR_WANT_CLIENT_HELLO_CB: 1072 inf = "want client hello cb"; 1073 break; 1074 #endif 1075 case SSL_ERROR_SYSCALL: 1076 print_errno = 1; 1077 inf = "syscall"; 1078 break; 1079 case SSL_ERROR_SSL: 1080 print_crypto_err = 1; 1081 inf = "SSL, usually protocol, error"; 1082 break; 1083 default: 1084 inf = "unknown SSL_get_error result code"; 1085 print_errno = 1; 1086 print_crypto_err = 1; 1087 } 1088 if(print_crypto_err) { 1089 if(print_errno) { 1090 char buf[1024]; 1091 snprintf(buf, sizeof(buf), "%s with errno %s", 1092 str, strerror(errno)); 1093 if(err_present) 1094 log_crypto_err_code(buf, err); 1095 else log_crypto_err(buf); 1096 } else { 1097 if(err_present) 1098 log_crypto_err_code(str, err); 1099 else log_crypto_err(str); 1100 } 1101 } else { 1102 if(print_errno) { 1103 if(errno == 0) 1104 log_err("%s: syscall error with errno %s", 1105 str, strerror(errno)); 1106 else log_err("%s: %s", str, strerror(errno)); 1107 } else { 1108 log_err("%s: %s", str, inf); 1109 } 1110 } 1111 } 1112 #endif /* HAVE_SSL */ 1113 1114 void log_crypto_err_io(const char* str, int r) 1115 { 1116 #ifdef HAVE_SSL 1117 log_crypto_err_io_code_arg(str, r, 0, 0); 1118 #else 1119 (void)str; 1120 (void)r; 1121 #endif /* HAVE_SSL */ 1122 } 1123 1124 void log_crypto_err_io_code(const char* str, int r, unsigned long err) 1125 { 1126 #ifdef HAVE_SSL 1127 log_crypto_err_io_code_arg(str, r, err, 1); 1128 #else 1129 (void)str; 1130 (void)r; 1131 (void)err; 1132 #endif /* HAVE_SSL */ 1133 } 1134 1135 #ifdef HAVE_SSL 1136 /** log certificate details */ 1137 void 1138 log_cert(unsigned level, const char* str, void* cert) 1139 { 1140 BIO* bio; 1141 char nul = 0; 1142 char* pp = NULL; 1143 long len; 1144 if(verbosity < level) return; 1145 bio = BIO_new(BIO_s_mem()); 1146 if(!bio) return; 1147 X509_print_ex(bio, (X509*)cert, 0, (unsigned long)-1 1148 ^(X509_FLAG_NO_SUBJECT 1149 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY 1150 |X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX 1151 |X509_FLAG_NO_ATTRIBUTES)); 1152 BIO_write(bio, &nul, (int)sizeof(nul)); 1153 len = BIO_get_mem_data(bio, &pp); 1154 if(len != 0 && pp) { 1155 /* reduce size of cert printout */ 1156 char* s; 1157 while((s=strstr(pp, " "))!=NULL) 1158 memmove(s, s+1, strlen(s+1)+1); 1159 while((s=strstr(pp, "\t\t"))!=NULL) 1160 memmove(s, s+1, strlen(s+1)+1); 1161 verbose(level, "%s: \n%s", str, pp); 1162 } 1163 BIO_free(bio); 1164 } 1165 #endif /* HAVE_SSL */ 1166 1167 #if defined(HAVE_SSL) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) 1168 static int 1169 dot_alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out, 1170 unsigned char* outlen, const unsigned char* in, unsigned int inlen, 1171 void* ATTR_UNUSED(arg)) 1172 { 1173 static const unsigned char alpns[] = { 3, 'd', 'o', 't' }; 1174 unsigned char* tmp_out; 1175 int ret; 1176 ret = SSL_select_next_proto(&tmp_out, outlen, alpns, sizeof(alpns), in, inlen); 1177 if(ret == OPENSSL_NPN_NO_OVERLAP) { 1178 /* Client sent ALPN but no overlap. Should have been error, 1179 * but for privacy we continue without ALPN (e.g., if certain 1180 * ALPNs are blocked) */ 1181 return SSL_TLSEXT_ERR_NOACK; 1182 } 1183 *out = tmp_out; 1184 return SSL_TLSEXT_ERR_OK; 1185 } 1186 #endif 1187 1188 #if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) 1189 static int doh_alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out, 1190 unsigned char* outlen, const unsigned char* in, unsigned int inlen, 1191 void* ATTR_UNUSED(arg)) 1192 { 1193 int rv = nghttp2_select_next_protocol((unsigned char **)out, outlen, in, 1194 inlen); 1195 if(rv == -1) { 1196 return SSL_TLSEXT_ERR_NOACK; 1197 } 1198 /* either http/1.1 or h2 selected */ 1199 return SSL_TLSEXT_ERR_OK; 1200 } 1201 #endif 1202 1203 #ifdef HAVE_SSL 1204 /* setup the callback for ticket keys */ 1205 static int 1206 setup_ticket_keys_cb(void* sslctx) 1207 { 1208 # ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1209 if(SSL_CTX_set_tlsext_ticket_key_evp_cb(sslctx, tls_session_ticket_key_cb) == 0) { 1210 return 0; 1211 } 1212 # else 1213 if(SSL_CTX_set_tlsext_ticket_key_cb(sslctx, tls_session_ticket_key_cb) == 0) { 1214 return 0; 1215 } 1216 # endif 1217 return 1; 1218 } 1219 #endif /* HAVE_SSL */ 1220 1221 int 1222 listen_sslctx_setup(void* ctxt) 1223 { 1224 #ifdef HAVE_SSL 1225 SSL_CTX* ctx = (SSL_CTX*)ctxt; 1226 /* no SSLv2, SSLv3 because has defects */ 1227 #if SSL_OP_NO_SSLv2 != 0 1228 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) 1229 != SSL_OP_NO_SSLv2){ 1230 log_crypto_err("could not set SSL_OP_NO_SSLv2"); 1231 return 0; 1232 } 1233 #endif 1234 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) 1235 != SSL_OP_NO_SSLv3){ 1236 log_crypto_err("could not set SSL_OP_NO_SSLv3"); 1237 return 0; 1238 } 1239 #if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1) 1240 /* if we have tls 1.1 disable 1.0 */ 1241 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1) 1242 != SSL_OP_NO_TLSv1){ 1243 log_crypto_err("could not set SSL_OP_NO_TLSv1"); 1244 return 0; 1245 } 1246 #endif 1247 #if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2) 1248 /* if we have tls 1.2 disable 1.1 */ 1249 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1) 1250 != SSL_OP_NO_TLSv1_1){ 1251 log_crypto_err("could not set SSL_OP_NO_TLSv1_1"); 1252 return 0; 1253 } 1254 #endif 1255 #if defined(SSL_OP_NO_RENEGOTIATION) 1256 /* disable client renegotiation */ 1257 if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & 1258 SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { 1259 log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); 1260 return 0; 1261 } 1262 #endif 1263 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) 1264 /* if we detect system-wide crypto policies, use those */ 1265 if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) { 1266 /* if we have sha256, set the cipher list to have no known vulns */ 1267 if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) 1268 log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); 1269 } 1270 #endif 1271 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF) 1272 /* ignore errors when peers do not send the mandatory close_notify 1273 * alert on shutdown. 1274 * Relevant for openssl >= 3 */ 1275 if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) & 1276 SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) { 1277 log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF"); 1278 return 0; 1279 } 1280 #endif 1281 1282 if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) & 1283 SSL_OP_CIPHER_SERVER_PREFERENCE) != 1284 SSL_OP_CIPHER_SERVER_PREFERENCE) { 1285 log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE"); 1286 return 0; 1287 } 1288 1289 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL 1290 SSL_CTX_set_security_level(ctx, 0); 1291 #endif 1292 #else 1293 (void)ctxt; 1294 #endif /* HAVE_SSL */ 1295 return 1; 1296 } 1297 1298 void 1299 listen_sslctx_setup_2(void* ctxt) 1300 { 1301 #ifdef HAVE_SSL 1302 SSL_CTX* ctx = (SSL_CTX*)ctxt; 1303 (void)ctx; 1304 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO 1305 if(!SSL_CTX_set_ecdh_auto(ctx,1)) { 1306 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); 1307 } 1308 #elif defined(USE_ECDSA) && defined(HAVE_SSL_CTX_SET_TMP_ECDH) 1309 if(1) { 1310 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); 1311 if (!ecdh) { 1312 log_crypto_err("could not find p256, not enabling ECDHE"); 1313 } else { 1314 if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) { 1315 log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE"); 1316 } 1317 EC_KEY_free (ecdh); 1318 } 1319 } 1320 #endif 1321 #else 1322 (void)ctxt; 1323 #endif /* HAVE_SSL */ 1324 } 1325 1326 void* listen_sslctx_create(const char* key, const char* pem, 1327 const char* verifypem, const char* tls_ciphers, 1328 const char* tls_ciphersuites, int set_ticket_keys_cb, 1329 int is_dot, int is_doh) 1330 { 1331 #ifdef HAVE_SSL 1332 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); 1333 if(!ctx) { 1334 log_crypto_err("could not SSL_CTX_new"); 1335 return NULL; 1336 } 1337 if(!key || key[0] == 0) { 1338 log_err("error: no tls-service-key file specified"); 1339 SSL_CTX_free(ctx); 1340 return NULL; 1341 } 1342 if(!pem || pem[0] == 0) { 1343 log_err("error: no tls-service-pem file specified"); 1344 SSL_CTX_free(ctx); 1345 return NULL; 1346 } 1347 if(!listen_sslctx_setup(ctx)) { 1348 SSL_CTX_free(ctx); 1349 return NULL; 1350 } 1351 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { 1352 log_err("error for cert file: %s", pem); 1353 log_crypto_err("error in SSL_CTX use_certificate_chain_file"); 1354 SSL_CTX_free(ctx); 1355 return NULL; 1356 } 1357 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { 1358 log_err("error for private key file: %s", key); 1359 log_crypto_err("Error in SSL_CTX use_PrivateKey_file"); 1360 SSL_CTX_free(ctx); 1361 return NULL; 1362 } 1363 if(!SSL_CTX_check_private_key(ctx)) { 1364 log_err("error for key file: %s", key); 1365 log_crypto_err("Error in SSL_CTX check_private_key"); 1366 SSL_CTX_free(ctx); 1367 return NULL; 1368 } 1369 listen_sslctx_setup_2(ctx); 1370 if(verifypem && verifypem[0]) { 1371 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { 1372 log_crypto_err("Error in SSL_CTX verify locations"); 1373 SSL_CTX_free(ctx); 1374 return NULL; 1375 } 1376 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file( 1377 verifypem)); 1378 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); 1379 } 1380 if(tls_ciphers && tls_ciphers[0]) { 1381 if (!SSL_CTX_set_cipher_list(ctx, tls_ciphers)) { 1382 log_err("failed to set tls-cipher %s", 1383 tls_ciphers); 1384 log_crypto_err("Error in SSL_CTX_set_cipher_list"); 1385 SSL_CTX_free(ctx); 1386 return NULL; 1387 } 1388 } 1389 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES 1390 if(tls_ciphersuites && tls_ciphersuites[0]) { 1391 if (!SSL_CTX_set_ciphersuites(ctx, tls_ciphersuites)) { 1392 log_err("failed to set tls-ciphersuites %s", 1393 tls_ciphersuites); 1394 log_crypto_err("Error in SSL_CTX_set_ciphersuites"); 1395 SSL_CTX_free(ctx); 1396 return NULL; 1397 } 1398 } 1399 #else 1400 (void)tls_ciphersuites; /* variable unused. */ 1401 #endif /* HAVE_SSL_CTX_SET_CIPHERSUITES */ 1402 if(set_ticket_keys_cb) { 1403 if(!setup_ticket_keys_cb(ctx)) { 1404 log_crypto_err("no support for TLS session ticket"); 1405 SSL_CTX_free(ctx); 1406 return NULL; 1407 } 1408 } 1409 /* setup ALPN */ 1410 #if defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) 1411 if(is_dot) { 1412 SSL_CTX_set_alpn_select_cb(ctx, dot_alpn_select_cb, NULL); 1413 } else if(is_doh) { 1414 #if defined(HAVE_NGHTTP2) 1415 SSL_CTX_set_alpn_select_cb(ctx, doh_alpn_select_cb, NULL); 1416 #endif 1417 } 1418 #endif /* HAVE_SSL_CTX_SET_ALPN_SELECT_CB */ 1419 return ctx; 1420 #else 1421 (void)key; (void)pem; (void)verifypem; 1422 (void)tls_ciphers; (void)tls_ciphersuites; 1423 (void)set_ticket_keys_cb; (void)is_dot; (void)is_doh; 1424 return NULL; 1425 #endif /* HAVE_SSL */ 1426 } 1427 1428 #ifdef USE_WINSOCK 1429 /* For windows, the CA trust store is not read by openssl. 1430 Add code to open the trust store using wincrypt API and add 1431 the root certs into openssl trust store */ 1432 static int 1433 add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx) 1434 { 1435 HCERTSTORE hSystemStore; 1436 PCCERT_CONTEXT pTargetCert = NULL; 1437 X509_STORE* store; 1438 1439 verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store"); 1440 1441 /* load just once per context lifetime for this version 1442 TODO: dynamically update CA trust changes as they are available */ 1443 if (!tls_ctx) 1444 return 0; 1445 1446 /* Call wincrypt's CertOpenStore to open the CA root store. */ 1447 1448 if ((hSystemStore = CertOpenStore( 1449 CERT_STORE_PROV_SYSTEM, 1450 0, 1451 0, 1452 /* NOTE: mingw does not have this const: replace with 1 << 16 from code 1453 CERT_SYSTEM_STORE_CURRENT_USER, */ 1454 1 << 16, 1455 L"root")) == 0) 1456 { 1457 return 0; 1458 } 1459 1460 store = SSL_CTX_get_cert_store(tls_ctx); 1461 if (!store) 1462 return 0; 1463 1464 /* failure if the CA store is empty or the call fails */ 1465 if ((pTargetCert = CertEnumCertificatesInStore( 1466 hSystemStore, pTargetCert)) == 0) { 1467 verbose(VERB_ALGO, "CA certificate store for Windows is empty."); 1468 return 0; 1469 } 1470 /* iterate over the windows cert store and add to openssl store */ 1471 do 1472 { 1473 X509 *cert1 = d2i_X509(NULL, 1474 (const unsigned char **)&pTargetCert->pbCertEncoded, 1475 pTargetCert->cbCertEncoded); 1476 if (!cert1) { 1477 unsigned long error = ERR_get_error(); 1478 /* return error if a cert fails */ 1479 verbose(VERB_ALGO, "%s %d:%s", 1480 "Unable to parse certificate in memory", 1481 (int)error, ERR_error_string(error, NULL)); 1482 return 0; 1483 } 1484 else { 1485 /* return error if a cert add to store fails */ 1486 if (X509_STORE_add_cert(store, cert1) == 0) { 1487 unsigned long error = ERR_peek_last_error(); 1488 1489 /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the 1490 * certificate is already in the store. */ 1491 if(ERR_GET_LIB(error) != ERR_LIB_X509 || 1492 ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) { 1493 error = ERR_get_error(); 1494 verbose(VERB_ALGO, "%s %d:%s\n", 1495 "Error adding certificate", (int)error, 1496 ERR_error_string(error, NULL)); 1497 X509_free(cert1); 1498 return 0; 1499 } 1500 } 1501 X509_free(cert1); 1502 } 1503 } while ((pTargetCert = CertEnumCertificatesInStore( 1504 hSystemStore, pTargetCert)) != 0); 1505 1506 /* Clean up memory and quit. */ 1507 if (pTargetCert) 1508 CertFreeCertificateContext(pTargetCert); 1509 if (hSystemStore) 1510 { 1511 if (!CertCloseStore( 1512 hSystemStore, 0)) 1513 return 0; 1514 } 1515 verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully"); 1516 return 1; 1517 } 1518 #endif /* USE_WINSOCK */ 1519 1520 void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert) 1521 { 1522 #ifdef HAVE_SSL 1523 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method()); 1524 if(!ctx) { 1525 log_crypto_err("could not allocate SSL_CTX pointer"); 1526 return NULL; 1527 } 1528 #if SSL_OP_NO_SSLv2 != 0 1529 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) 1530 != SSL_OP_NO_SSLv2) { 1531 log_crypto_err("could not set SSL_OP_NO_SSLv2"); 1532 SSL_CTX_free(ctx); 1533 return NULL; 1534 } 1535 #endif 1536 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) 1537 != SSL_OP_NO_SSLv3) { 1538 log_crypto_err("could not set SSL_OP_NO_SSLv3"); 1539 SSL_CTX_free(ctx); 1540 return NULL; 1541 } 1542 #if defined(SSL_OP_NO_RENEGOTIATION) 1543 /* disable client renegotiation */ 1544 if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & 1545 SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { 1546 log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); 1547 SSL_CTX_free(ctx); 1548 return 0; 1549 } 1550 #endif 1551 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF) 1552 /* ignore errors when peers do not send the mandatory close_notify 1553 * alert on shutdown. 1554 * Relevant for openssl >= 3 */ 1555 if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) & 1556 SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) { 1557 log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF"); 1558 SSL_CTX_free(ctx); 1559 return 0; 1560 } 1561 #endif 1562 if(key && key[0]) { 1563 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { 1564 log_err("error in client certificate %s", pem); 1565 log_crypto_err("error in certificate file"); 1566 SSL_CTX_free(ctx); 1567 return NULL; 1568 } 1569 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { 1570 log_err("error in client private key %s", key); 1571 log_crypto_err("error in key file"); 1572 SSL_CTX_free(ctx); 1573 return NULL; 1574 } 1575 if(!SSL_CTX_check_private_key(ctx)) { 1576 log_err("error in client key %s", key); 1577 log_crypto_err("error in SSL_CTX_check_private_key"); 1578 SSL_CTX_free(ctx); 1579 return NULL; 1580 } 1581 } 1582 if((verifypem && verifypem[0]) || wincert) { 1583 if(verifypem && verifypem[0]) { 1584 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { 1585 log_crypto_err("error in SSL_CTX verify"); 1586 SSL_CTX_free(ctx); 1587 return NULL; 1588 } 1589 } 1590 #ifdef USE_WINSOCK 1591 if(wincert) { 1592 if(!add_WIN_cacerts_to_openssl_store(ctx)) { 1593 log_crypto_err("error in add_WIN_cacerts_to_openssl_store"); 1594 SSL_CTX_free(ctx); 1595 return NULL; 1596 } 1597 } 1598 #else 1599 if(wincert) { 1600 if(!SSL_CTX_set_default_verify_paths(ctx)) { 1601 log_crypto_err("error in default_verify_paths"); 1602 SSL_CTX_free(ctx); 1603 return NULL; 1604 } 1605 } 1606 #endif 1607 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 1608 } 1609 return ctx; 1610 #else 1611 (void)key; (void)pem; (void)verifypem; (void)wincert; 1612 return NULL; 1613 #endif 1614 } 1615 1616 void* incoming_ssl_fd(void* sslctx, int fd) 1617 { 1618 #ifdef HAVE_SSL 1619 SSL* ssl = SSL_new((SSL_CTX*)sslctx); 1620 if(!ssl) { 1621 log_crypto_err("could not SSL_new"); 1622 return NULL; 1623 } 1624 SSL_set_accept_state(ssl); 1625 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); 1626 if(!SSL_set_fd(ssl, fd)) { 1627 log_crypto_err("could not SSL_set_fd"); 1628 SSL_free(ssl); 1629 return NULL; 1630 } 1631 return ssl; 1632 #else 1633 (void)sslctx; (void)fd; 1634 return NULL; 1635 #endif 1636 } 1637 1638 void* outgoing_ssl_fd(void* sslctx, int fd) 1639 { 1640 #ifdef HAVE_SSL 1641 SSL* ssl = SSL_new((SSL_CTX*)sslctx); 1642 if(!ssl) { 1643 log_crypto_err("could not SSL_new"); 1644 return NULL; 1645 } 1646 SSL_set_connect_state(ssl); 1647 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); 1648 if(!SSL_set_fd(ssl, fd)) { 1649 log_crypto_err("could not SSL_set_fd"); 1650 SSL_free(ssl); 1651 return NULL; 1652 } 1653 return ssl; 1654 #else 1655 (void)sslctx; (void)fd; 1656 return NULL; 1657 #endif 1658 } 1659 1660 int check_auth_name_for_ssl(char* auth_name) 1661 { 1662 if(!auth_name) return 1; 1663 #if defined(HAVE_SSL) && !defined(HAVE_SSL_SET1_HOST) && !defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) 1664 log_err("the query has an auth_name %s, but libssl has no call to " 1665 "perform TLS authentication. Remove that name from config " 1666 "or upgrade the ssl crypto library.", auth_name); 1667 return 0; 1668 #else 1669 return 1; 1670 #endif 1671 } 1672 1673 /** set the authname on an SSL structure, SSL* ssl */ 1674 int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni) 1675 { 1676 if(!auth_name) return 1; 1677 #ifdef HAVE_SSL 1678 if(use_sni) { 1679 (void)SSL_set_tlsext_host_name(ssl, auth_name); 1680 } 1681 #else 1682 (void)ssl; 1683 (void)use_sni; 1684 #endif 1685 #ifdef HAVE_SSL_SET1_HOST 1686 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL); 1687 /* setting the hostname makes openssl verify the 1688 * host name in the x509 certificate in the 1689 * SSL connection*/ 1690 if(!SSL_set1_host(ssl, auth_name)) { 1691 log_err("SSL_set1_host failed"); 1692 return 0; 1693 } 1694 #elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) 1695 /* openssl 1.0.2 has this function that can be used for 1696 * set1_host like verification */ 1697 if(auth_name) { 1698 X509_VERIFY_PARAM* param = SSL_get0_param(ssl); 1699 # ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 1700 X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); 1701 # endif 1702 if(!X509_VERIFY_PARAM_set1_host(param, auth_name, strlen(auth_name))) { 1703 log_err("X509_VERIFY_PARAM_set1_host failed"); 1704 return 0; 1705 } 1706 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL); 1707 } 1708 #else 1709 verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication"); 1710 #endif /* HAVE_SSL_SET1_HOST */ 1711 return 1; 1712 } 1713 1714 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1715 /** global lock list for openssl locks */ 1716 static lock_basic_type *ub_openssl_locks = NULL; 1717 1718 /** callback that gets thread id for openssl */ 1719 #ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK 1720 static void 1721 ub_crypto_id_cb(CRYPTO_THREADID *id) 1722 { 1723 CRYPTO_THREADID_set_numeric(id, (unsigned long)log_thread_get()); 1724 } 1725 #else 1726 static unsigned long 1727 ub_crypto_id_cb(void) 1728 { 1729 return (unsigned long)log_thread_get(); 1730 } 1731 #endif 1732 1733 static void 1734 ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file), 1735 int ATTR_UNUSED(line)) 1736 { 1737 if((mode&CRYPTO_LOCK)) { 1738 lock_basic_lock(&ub_openssl_locks[type]); 1739 } else { 1740 lock_basic_unlock(&ub_openssl_locks[type]); 1741 } 1742 } 1743 #endif /* OPENSSL_THREADS */ 1744 1745 int ub_openssl_lock_init(void) 1746 { 1747 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1748 int i; 1749 ub_openssl_locks = (lock_basic_type*)reallocarray( 1750 NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_type)); 1751 if(!ub_openssl_locks) 1752 return 0; 1753 for(i=0; i<CRYPTO_num_locks(); i++) { 1754 lock_basic_init(&ub_openssl_locks[i]); 1755 } 1756 # ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK 1757 CRYPTO_THREADID_set_callback(&ub_crypto_id_cb); 1758 # else 1759 CRYPTO_set_id_callback(&ub_crypto_id_cb); 1760 # endif 1761 CRYPTO_set_locking_callback(&ub_crypto_lock_cb); 1762 #endif /* OPENSSL_THREADS */ 1763 return 1; 1764 } 1765 1766 void ub_openssl_lock_delete(void) 1767 { 1768 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1769 int i; 1770 if(!ub_openssl_locks) 1771 return; 1772 # ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK 1773 CRYPTO_THREADID_set_callback(NULL); 1774 # else 1775 CRYPTO_set_id_callback(NULL); 1776 # endif 1777 CRYPTO_set_locking_callback(NULL); 1778 for(i=0; i<CRYPTO_num_locks(); i++) { 1779 lock_basic_destroy(&ub_openssl_locks[i]); 1780 } 1781 free(ub_openssl_locks); 1782 #endif /* OPENSSL_THREADS */ 1783 } 1784 1785 int listen_sslctx_setup_ticket_keys(struct config_strlist* tls_session_ticket_keys) { 1786 #ifdef HAVE_SSL 1787 size_t s = 1; 1788 struct config_strlist* p; 1789 struct tls_session_ticket_key *keys; 1790 for(p = tls_session_ticket_keys; p; p = p->next) { 1791 s++; 1792 } 1793 keys = calloc(s, sizeof(struct tls_session_ticket_key)); 1794 if(!keys) 1795 return 0; 1796 memset(keys, 0, s*sizeof(*keys)); 1797 ticket_keys = keys; 1798 1799 for(p = tls_session_ticket_keys; p; p = p->next) { 1800 size_t n; 1801 unsigned char *data; 1802 FILE *f; 1803 1804 data = (unsigned char *)malloc(80); 1805 if(!data) 1806 return 0; 1807 1808 f = fopen(p->str, "rb"); 1809 if(!f) { 1810 log_err("could not read tls-session-ticket-key %s: %s", p->str, strerror(errno)); 1811 free(data); 1812 return 0; 1813 } 1814 n = fread(data, 1, 80, f); 1815 fclose(f); 1816 1817 if(n != 80) { 1818 log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", p->str, (int)n); 1819 free(data); 1820 return 0; 1821 } 1822 verbose(VERB_OPS, "read tls-session-ticket-key: %s", p->str); 1823 1824 keys->key_name = data; 1825 keys->aes_key = data + 16; 1826 keys->hmac_key = data + 48; 1827 keys++; 1828 } 1829 /* terminate array with NULL key name entry */ 1830 keys->key_name = NULL; 1831 return 1; 1832 #else 1833 (void)tls_session_ticket_keys; 1834 return 0; 1835 #endif 1836 } 1837 1838 #ifdef HAVE_SSL 1839 int tls_session_ticket_key_cb(SSL *ATTR_UNUSED(sslctx), unsigned char* key_name, 1840 unsigned char* iv, EVP_CIPHER_CTX *evp_sctx, 1841 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1842 EVP_MAC_CTX *hmac_ctx, 1843 #else 1844 HMAC_CTX* hmac_ctx, 1845 #endif 1846 int enc) 1847 { 1848 #ifdef HAVE_SSL 1849 # ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1850 OSSL_PARAM params[3]; 1851 # else 1852 const EVP_MD *digest; 1853 # endif 1854 const EVP_CIPHER *cipher; 1855 int evp_cipher_length; 1856 # ifndef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1857 digest = EVP_sha256(); 1858 # endif 1859 cipher = EVP_aes_256_cbc(); 1860 evp_cipher_length = EVP_CIPHER_iv_length(cipher); 1861 if( enc == 1 ) { 1862 /* encrypt */ 1863 verbose(VERB_CLIENT, "start session encrypt"); 1864 memcpy(key_name, ticket_keys->key_name, 16); 1865 if (RAND_bytes(iv, evp_cipher_length) != 1) { 1866 verbose(VERB_CLIENT, "RAND_bytes failed"); 1867 return -1; 1868 } 1869 if (EVP_EncryptInit_ex(evp_sctx, cipher, NULL, ticket_keys->aes_key, iv) != 1) { 1870 verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed"); 1871 return -1; 1872 } 1873 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1874 params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, 1875 ticket_keys->hmac_key, 32); 1876 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, 1877 "sha256", 0); 1878 params[2] = OSSL_PARAM_construct_end(); 1879 #ifdef HAVE_EVP_MAC_CTX_SET_PARAMS 1880 EVP_MAC_CTX_set_params(hmac_ctx, params); 1881 #else 1882 EVP_MAC_set_ctx_params(hmac_ctx, params); 1883 #endif 1884 #elif !defined(HMAC_INIT_EX_RETURNS_VOID) 1885 if (HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL) != 1) { 1886 verbose(VERB_CLIENT, "HMAC_Init_ex failed"); 1887 return -1; 1888 } 1889 #else 1890 HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL); 1891 #endif 1892 return 1; 1893 } else if (enc == 0) { 1894 /* decrypt */ 1895 struct tls_session_ticket_key *key; 1896 verbose(VERB_CLIENT, "start session decrypt"); 1897 for(key = ticket_keys; key->key_name != NULL; key++) { 1898 if (!memcmp(key_name, key->key_name, 16)) { 1899 verbose(VERB_CLIENT, "Found session_key"); 1900 break; 1901 } 1902 } 1903 if(key->key_name == NULL) { 1904 verbose(VERB_CLIENT, "Not found session_key"); 1905 return 0; 1906 } 1907 1908 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1909 params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, 1910 key->hmac_key, 32); 1911 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, 1912 "sha256", 0); 1913 params[2] = OSSL_PARAM_construct_end(); 1914 #ifdef HAVE_EVP_MAC_CTX_SET_PARAMS 1915 EVP_MAC_CTX_set_params(hmac_ctx, params); 1916 #else 1917 EVP_MAC_set_ctx_params(hmac_ctx, params); 1918 #endif 1919 #elif !defined(HMAC_INIT_EX_RETURNS_VOID) 1920 if (HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL) != 1) { 1921 verbose(VERB_CLIENT, "HMAC_Init_ex failed"); 1922 return -1; 1923 } 1924 #else 1925 HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL); 1926 #endif 1927 if (EVP_DecryptInit_ex(evp_sctx, cipher, NULL, key->aes_key, iv) != 1) { 1928 log_err("EVP_DecryptInit_ex failed"); 1929 return -1; 1930 } 1931 1932 return (key == ticket_keys) ? 1 : 2; 1933 } 1934 return -1; 1935 #else 1936 (void)key_name; 1937 (void)iv; 1938 (void)evp_sctx; 1939 (void)hmac_ctx; 1940 (void)enc; 1941 return 0; 1942 #endif 1943 } 1944 #endif /* HAVE_SSL */ 1945 1946 #ifdef HAVE_SSL 1947 void 1948 listen_sslctx_delete_ticket_keys(void) 1949 { 1950 struct tls_session_ticket_key *key; 1951 if(!ticket_keys) return; 1952 for(key = ticket_keys; key->key_name != NULL; key++) { 1953 /* wipe key data from memory*/ 1954 #ifdef HAVE_EXPLICIT_BZERO 1955 explicit_bzero(key->key_name, 80); 1956 #else 1957 memset(key->key_name, 0xdd, 80); 1958 #endif 1959 free(key->key_name); 1960 } 1961 free(ticket_keys); 1962 ticket_keys = NULL; 1963 } 1964 #endif /* HAVE_SSL */ 1965 1966 # ifndef USE_WINSOCK 1967 char* 1968 sock_strerror(int errn) 1969 { 1970 return strerror(errn); 1971 } 1972 1973 void 1974 sock_close(int socket) 1975 { 1976 close(socket); 1977 } 1978 1979 # else 1980 char* 1981 sock_strerror(int ATTR_UNUSED(errn)) 1982 { 1983 return wsa_strerror(WSAGetLastError()); 1984 } 1985 1986 void 1987 sock_close(int socket) 1988 { 1989 closesocket(socket); 1990 } 1991 # endif /* USE_WINSOCK */ 1992 1993 ssize_t 1994 hex_ntop(uint8_t const *src, size_t srclength, char *target, size_t targsize) 1995 { 1996 static char hexdigits[] = { 1997 '0', '1', '2', '3', '4', '5', '6', '7', 1998 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 1999 }; 2000 size_t i; 2001 2002 if (targsize < srclength * 2 + 1) { 2003 return -1; 2004 } 2005 2006 for (i = 0; i < srclength; ++i) { 2007 *target++ = hexdigits[src[i] >> 4U]; 2008 *target++ = hexdigits[src[i] & 0xfU]; 2009 } 2010 *target = '\0'; 2011 return 2 * srclength; 2012 } 2013 2014 ssize_t 2015 hex_pton(const char* src, uint8_t* target, size_t targsize) 2016 { 2017 uint8_t *t = target; 2018 if(strlen(src) % 2 != 0 || strlen(src)/2 > targsize) { 2019 return -1; 2020 } 2021 while(*src) { 2022 if(!isxdigit((unsigned char)src[0]) || 2023 !isxdigit((unsigned char)src[1])) 2024 return -1; 2025 *t++ = sldns_hexdigit_to_int(src[0]) * 16 + 2026 sldns_hexdigit_to_int(src[1]) ; 2027 src += 2; 2028 } 2029 return t-target; 2030 } 2031