1 /*
2 * util/net_help.c - implementation of the network helper code
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35 /**
36 * \file
37 * Implementation of net_help.h.
38 */
39
40 #include "config.h"
41 #ifdef HAVE_SYS_TYPES_H
42 # include <sys/types.h>
43 #endif
44 #ifdef HAVE_NET_IF_H
45 #include <net/if.h>
46 #endif
47 #ifdef HAVE_NETIOAPI_H
48 #include <netioapi.h>
49 #endif
50 #include <ctype.h>
51 #include "util/net_help.h"
52 #include "util/log.h"
53 #include "util/data/dname.h"
54 #include "util/module.h"
55 #include "util/regional.h"
56 #include "util/config_file.h"
57 #include "sldns/parseutil.h"
58 #include "sldns/wire2str.h"
59 #include "sldns/str2wire.h"
60 #include <fcntl.h>
61 #ifdef HAVE_OPENSSL_SSL_H
62 #include <openssl/ssl.h>
63 #include <openssl/evp.h>
64 #include <openssl/rand.h>
65 #endif
66 #ifdef HAVE_OPENSSL_ERR_H
67 #include <openssl/err.h>
68 #endif
69 #ifdef HAVE_OPENSSL_CORE_NAMES_H
70 #include <openssl/core_names.h>
71 #endif
72 #ifdef USE_WINSOCK
73 #include <wincrypt.h>
74 #endif
75 #ifdef HAVE_NGHTTP2_NGHTTP2_H
76 #include <nghttp2/nghttp2.h>
77 #endif
78
/** max length of an IP address (the address portion) that we allow */
#define MAX_ADDR_STRLEN 128 /* characters */
/** max length of a hostname (with port and tls name) that we allow */
#define MAX_HOST_STRLEN (LDNS_MAX_DOMAINLEN * 3) /* characters */
/** default value for EDNS ADVERTISED size */
uint16_t EDNS_ADVERTISED_SIZE = 4096;

/* The following are plain mutable globals with a built-in default;
 * they are not written anywhere in this part of the file, so presumably
 * configuration code elsewhere overrides them at startup (verify). */

/** minimal responses when positive answer: default is no */
int MINIMAL_RESPONSES = 0;

/** rrset order roundrobin: default is yes */
int RRSET_ROUNDROBIN = 1;

/** log tag queries with name instead of 'info' for filtering */
int LOG_TAG_QUERYREPLY = 0;
94
#ifdef HAVE_SSL
/**
 * File-scope pointer to the TLS session ticket key material. Each entry
 * carries the key name, the AES key and the HMAC key; the sizes of the
 * three buffers are not visible here — presumably fixed by the code that
 * loads the ticket key file (verify there before relying on them).
 */
static struct tls_session_ticket_key {
	unsigned char *key_name;
	unsigned char *aes_key;
	unsigned char *hmac_key;
} *ticket_keys;
#endif /* HAVE_SSL */
102
#ifdef HAVE_SSL
/*
 * Forward declaration only; the definition is not part of this excerpt.
 * The hmac_ctx parameter type follows the OpenSSL API variant detected at
 * configure time (EVP_MAC_CTX for the _evp_cb variant, HMAC_CTX otherwise).
 */
/**
 * callback TLS session ticket encrypt and decrypt
 * For use with SSL_CTX_set_tlsext_ticket_key_cb or
 * SSL_CTX_set_tlsext_ticket_key_evp_cb
 * @param s: the SSL_CTX to use (from connect_sslctx_create())
 * @param key_name: secret name, 16 bytes
 * @param iv: up to EVP_MAX_IV_LENGTH.
 * @param evp_ctx: the evp cipher context, function sets this.
 * @param hmac_ctx: the hmac context, function sets this.
 *	with ..key_cb it is of type HMAC_CTX*
 *	with ..key_evp_cb it is of type EVP_MAC_CTX*
 * @param enc: 1 is encrypt, 0 is decrypt
 * @return 0 on no ticket, 1 for okay, and 2 for okay but renew the ticket
 *	(the ticket is decrypt only). and <0 for failures.
 */
int tls_session_ticket_key_cb(SSL *s, unsigned char* key_name,
	unsigned char* iv, EVP_CIPHER_CTX *evp_ctx,
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
	EVP_MAC_CTX *hmac_ctx,
#else
	HMAC_CTX* hmac_ctx,
#endif
	int enc);
#endif /* HAVE_SSL */
128
/**
 * Tell whether an address string uses IPv6 notation.
 * @param str: NUL terminated address text.
 * @return 1 if the text contains a ':' (IPv6 syntax), 0 otherwise.
 */
int
str_is_ip6(const char* str)
{
	return strchr(str, ':') != NULL ? 1 : 0;
}
137
/**
 * Put a socket into non-blocking mode.
 * @param s: the socket descriptor.
 * @return 0 only when fcntl(F_SETFL) fails; 1 otherwise. A failed
 *	F_GETFL is logged and the flags are rebuilt from zero. On the
 *	ioctlsocket platform a failure is logged but still reported as 1.
 */
int
fd_set_nonblock(int s)
{
#ifdef HAVE_FCNTL
	int flags = fcntl(s, F_GETFL);
	if(flags == -1) {
		log_err("can't fcntl F_GETFL: %s", strerror(errno));
		flags = 0;
	}
	if(fcntl(s, F_SETFL, flags | O_NONBLOCK) == -1) {
		log_err("can't fcntl F_SETFL: %s", strerror(errno));
		return 0;
	}
#elif defined(HAVE_IOCTLSOCKET)
	unsigned long enable = 1;
	if(ioctlsocket(s, FIONBIO, &enable) != 0) {
		log_err("can't ioctlsocket FIONBIO on: %s",
			wsa_strerror(WSAGetLastError()));
	}
#endif
	return 1;
}
161
/**
 * Put a socket back into blocking mode.
 * @param s: the socket descriptor.
 * @return 0 only when fcntl(F_SETFL) fails; 1 otherwise. On the
 *	ioctlsocket platform a WSAEINVAL failure is silently ignored unless
 *	verbosity is 4 or higher, other failures are logged; 1 is returned
 *	either way.
 */
int
fd_set_block(int s)
{
#ifdef HAVE_FCNTL
	int flags = fcntl(s, F_GETFL);
	if(flags == -1) {
		log_err("cannot fcntl F_GETFL: %s", strerror(errno));
		flags = 0;
	}
	if(fcntl(s, F_SETFL, flags & ~O_NONBLOCK) == -1) {
		log_err("cannot fcntl F_SETFL: %s", strerror(errno));
		return 0;
	}
#elif defined(HAVE_IOCTLSOCKET)
	unsigned long disable = 0;
	if(ioctlsocket(s, FIONBIO, &disable) != 0) {
		int werr = WSAGetLastError();
		if(werr != WSAEINVAL || verbosity >= 4)
			log_err("can't ioctlsocket FIONBIO off: %s",
				wsa_strerror(werr));
	}
#endif
	return 1;
}
186
/**
 * Test whether a number is a power of two.
 * @param num: the value.
 * @return 1 if num is zero or has exactly one bit set, 0 otherwise.
 */
int
is_pow2(size_t num)
{
	/* zero is deliberately reported as a power of two */
	if(num == 0)
		return 1;
	/* clearing the lowest set bit leaves zero only for a single-bit value */
	return !(num & (num - 1));
}
193
/**
 * Duplicate a memory region into a fresh heap allocation.
 * @param data: source bytes.
 * @param len: number of bytes to copy.
 * @return malloc'ed copy that the caller frees with free(), or NULL when
 *	data is NULL, len is 0, or allocation fails.
 */
void*
memdup(void* data, size_t len)
{
	void* copy = NULL;
	if(data && len > 0) {
		copy = malloc(len);
		if(copy)
			memcpy(copy, data, len);
	}
	return copy;
}
205
/**
 * Log a socket address at the given verbosity level.
 * @param v: verbosity level; nothing is printed if global verbosity is lower.
 * @param str: prefix text for the log line.
 * @param addr: the address; family read from the sockaddr_in view.
 * @param addrlen: length of addr, only printed at verbosity 4 and up.
 */
void
log_addr(enum verbosity_value v, const char* str,
	struct sockaddr_storage* addr, socklen_t addrlen)
{
	char dest[100];
	const char* family = "unknown";
	int af = (int)((struct sockaddr_in*)addr)->sin_family;
	void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
	uint16_t port;
	if(verbosity < v)
		return;
	if(af == AF_INET) {
		family = "ip4";
	} else if(af == AF_INET6) {
		family = "ip6";
		sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
	} else if(af == AF_LOCAL) {
		/* no port to read for this family: print and stop here */
		dest[0] = 0;
		(void)inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest));
		verbose(v, "%s local %s", str, dest);
		return;
	}
	if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == NULL)
		(void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
	dest[sizeof(dest)-1] = 0;
	port = ntohs(((struct sockaddr_in*)addr)->sin_port);
	if(verbosity >= 4)
		verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
			(int)port, (int)addrlen);
	else	verbose(v, "%s %s port %d", str, dest, (int)port);
}
240
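/**
 * Parse "ip" or "ip@port" into a sockaddr.
 * @param str: the text; an optional "@port" suffix overrides port.
 * @param addr: output address.
 * @param addrlen: output length of addr.
 * @param port: default port used when str carries no "@port".
 * @return 1 on success, 0 on malformed input (address part too long,
 *	unparseable or out-of-range port, or bad address).
 */
int
extstrtoaddr(const char* str, struct sockaddr_storage* addr,
	socklen_t* addrlen, int port)
{
	char* s;
	if((s=strchr(str, '@'))) {
		char buf[MAX_ADDR_STRLEN];
		if(s-str >= MAX_ADDR_STRLEN) {
			return 0;
		}
		(void)strlcpy(buf, str, sizeof(buf));
		buf[s-str] = 0;
		port = atoi(s+1);
		/* atoi yields 0 for garbage as well; only the literal "0"
		 * is accepted as port zero */
		if(port == 0 && strcmp(s+1,"0")!=0) {
			return 0;
		}
		/* the port is cast to 16 bits further down; refuse values
		 * that would silently wrap into a different port */
		if(port < 0 || port > 65535) {
			return 0;
		}
		return ipstrtoaddr(buf, port, addr, addrlen);
	}
	return ipstrtoaddr(str, port, addr, addrlen);
}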
261
/**
 * Parse an IP address string into a sockaddr.
 * @param ip: IPv4 dotted quad, or IPv6 text optionally followed by
 *	"%interface" (RFC 4007 scope). NULL is rejected.
 * @param port: port in host order; truncated to 16 bits without a range
 *	check, so callers must validate it.
 * @param addr: output, zeroed before being filled.
 * @param addrlen: output, set to sizeof(sockaddr_in6) or sizeof(sockaddr_in).
 * @return 1 on success, 0 on NULL ip, over-long scoped address, or
 *	inet_pton failure.
 */
int
ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
	socklen_t* addrlen)
{
	uint16_t p;
	if(!ip) return 0;
	p = (uint16_t) port;
	/* IPv6 is detected purely by the presence of ':' in the text */
	if(str_is_ip6(ip)) {
		char buf[MAX_ADDR_STRLEN];
		char* s;
		struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
		*addrlen = (socklen_t)sizeof(struct sockaddr_in6);
		memset(sa, 0, *addrlen);
		sa->sin6_family = AF_INET6;
		sa->sin6_port = (in_port_t)htons(p);
		if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */
			/* the address part is copied to buf so the scope
			 * suffix can be cut off without touching ip */
			if(s-ip >= MAX_ADDR_STRLEN)
				return 0;
			(void)strlcpy(buf, ip, sizeof(buf));
			buf[s-ip]=0;
			/* scope is an interface name when the platform can
			 * resolve one; a numeric scope id is the fallback
			 * (also when the name lookup returns 0) */
#ifdef HAVE_IF_NAMETOINDEX
			if (!(sa->sin6_scope_id = if_nametoindex(s+1)))
#endif /* HAVE_IF_NAMETOINDEX */
				sa->sin6_scope_id = (uint32_t)atoi(s+1);
			ip = buf;
		}
		if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) {
			return 0;
		}
	} else { /* ip4 */
		struct sockaddr_in* sa = (struct sockaddr_in*)addr;
		*addrlen = (socklen_t)sizeof(struct sockaddr_in);
		memset(sa, 0, *addrlen);
		sa->sin_family = AF_INET;
		sa->sin_port = (in_port_t)htons(p);
		if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) {
			return 0;
		}
	}
	return 1;
}
303
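/**
 * Parse "ip" or "ip/prefixlen" into a masked sockaddr.
 * @param str: the text; without "/" the full address length is used.
 * @param port: port stored in addr (host order).
 * @param addr: output address, masked to the prefix when one was given.
 * @param addrlen: output length of addr.
 * @param net: output prefix length, 32 or 128 when str has no "/".
 * @return 1 on success, 0 (with a log_err) on a prefix that is too large,
 *	negative or unparseable, an over-long address part, or a bad address.
 */
int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr,
	socklen_t* addrlen, int* net)
{
	char buf[64];
	char* s;
	*net = (str_is_ip6(str)?128:32);
	if((s=strchr(str, '/'))) {
		int bits = atoi(s+1);
		if(bits > *net) {
			log_err("netblock too large: %s", str);
			return 0;
		}
		/* atoi yields 0 for garbage too; only a literal "0" passes */
		if(bits == 0 && strcmp(s+1, "0") != 0) {
			log_err("cannot parse netblock: '%s'", str);
			return 0;
		}
		if(bits < 0) {
			log_err("netblock value %d is negative in: '%s'",
				bits, str);
			return 0;
		}
		*net = bits;
		/* the address part must fit buf; a silently truncated copy
		 * would be handed to ipstrtoaddr as a mangled address */
		if((size_t)(s-str) >= sizeof(buf)) {
			log_err("cannot parse ip address, too long: '%s'", str);
			return 0;
		}
		memcpy(buf, str, (size_t)(s-str));
		buf[s-str] = 0;
		s = buf;
	}
	if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) {
		log_err("cannot parse ip address: '%s'", str);
		return 0;
	}
	if(s) {
		addr_mask(addr, *addrlen, *net);
	}
	return 1;
}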
339
/**
 * RPZ format address dname to network byte order address.
 * The labels are read from the least significant end: the first label
 * fills the last address byte(s), so index i counts down from 3 (IPv4)
 * or 15 (IPv6). IPv4 labels are decimal octets, IPv6 labels are hex
 * hextets and a "zz" label stands for a run of zero hextets.
 * @param dname: wire format name, positioned at the first address label.
 * @param dnamelen: number of bytes available in dname.
 * @param addr: output, zeroed and then filled.
 * @param addrlen: output, sizeof(sockaddr_in6) or sizeof(sockaddr_in).
 * @param af: output, AF_INET6 when there are more than 6 labels or a
 *	"zz" label is present, AF_INET otherwise.
 * @return 1 on success, 0 on malformed input or when the labels fill
 *	too few or too many address bytes.
 */
static int ipdnametoaddr(uint8_t* dname, size_t dnamelen,
	struct sockaddr_storage* addr, socklen_t* addrlen, int* af)
{
	uint8_t* ia;
	int dnamelabs = dname_count_labels(dname);
	uint8_t lablen;
	char* e = NULL;
	int z = 0;	/* set once a "zz" run has been consumed; a second one is an error */
	size_t len = 0;
	int i;
	*af = AF_INET;

	/* need 1 byte for label length */
	if(dnamelen < 1)
		return 0;

	if(dnamelabs > 6 ||
		dname_has_label(dname, dnamelen, (uint8_t*)"\002zz")) {
		*af = AF_INET6;
	}
	len = *dname;
	lablen = *dname++;
	/* i is the index of the next address byte to write, counting down */
	i = (*af == AF_INET) ? 3 : 15;
	if(*af == AF_INET6) {
		struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
		*addrlen = (socklen_t)sizeof(struct sockaddr_in6);
		memset(sa, 0, *addrlen);
		sa->sin6_family = AF_INET6;
		ia = (uint8_t*)&sa->sin6_addr;
	} else { /* ip4 */
		struct sockaddr_in* sa = (struct sockaddr_in*)addr;
		*addrlen = (socklen_t)sizeof(struct sockaddr_in);
		memset(sa, 0, *addrlen);
		sa->sin_family = AF_INET;
		ia = (uint8_t*)&sa->sin_addr;
	}
	/* NOTE(review): len accumulates label payload lengths but not the
	 * length octets themselves, so the len <= dnamelen bound is looser
	 * than the bytes actually consumed — confirm the callers always pass
	 * a well-formed, terminated wire name. */
	while(lablen && i >= 0 && len <= dnamelen) {
		char buff[LDNS_MAX_LABELLEN+1];
		uint16_t chunk; /* big enough to not overflow on IPv6 hextet */
		if((*af == AF_INET && (lablen > 3 || dnamelabs > 6)) ||
			(*af == AF_INET6 && (lablen > 4 || dnamelabs > 10))) {
			return 0;
		}
		/* NOTE(review): compares 2 bytes regardless of lablen; for a
		 * 1-byte label the second byte read is the next length octet */
		if(memcmp(dname, "zz", 2) == 0 && *af == AF_INET6) {
			/* Add one or more 0 labels. Address is initialised at
			 * 0, so just skip the zero part. */
			int zl = 11 - dnamelabs;
			if(z || zl < 0)
				return 0;
			z = 1;
			i -= (zl*2);
		} else {
			memcpy(buff, dname, lablen);
			buff[lablen] = '\0';
			chunk = strtol(buff, &e, (*af == AF_INET) ? 10 : 16);
			/* whole label must be digits; IPv4 octet must fit a byte */
			if(!e || *e != '\0' || (*af == AF_INET && chunk > 255))
				return 0;
			if(*af == AF_INET) {
				log_assert(i < 4 && i >= 0);
				ia[i] = (uint8_t)chunk;
				i--;
			} else {
				log_assert(i < 16 && i >= 1);
				/* ia in network byte order */
				ia[i-1] = (uint8_t)(chunk >> 8);
				ia[i] = (uint8_t)(chunk & 0x00FF);
				i -= 2;
			}
		}
		dname += lablen;
		lablen = *dname++;
		len += lablen;
	}
	/* success only when exactly all address bytes were written */
	if(i != -1)
		/* input too short */
		return 0;
	return 1;
}
419
/**
 * RPZ format netblock dname ("<prefixlen>.<reversed address labels>") to
 * a network byte order address plus prefix length.
 * @param dname: wire format name starting at the prefix length label.
 * @param dnamelen: number of bytes available in dname.
 * @param addr: output address.
 * @param addrlen: output length of addr.
 * @param net: output prefix length.
 * @param af: output address family.
 * @return 1 on success, 0 when the prefix label is missing, longer than
 *	three characters, not a number, negative, larger than the family
 *	allows, or when the address labels do not parse.
 */
int netblockdnametoaddr(uint8_t* dname, size_t dnamelen,
	struct sockaddr_storage* addr, socklen_t* addrlen, int* net, int* af)
{
	char numbuf[3 /* 3 digit netblock */ + 1];
	size_t firstlab;
	int maxnet;
	if(dnamelen < 1)
		return 0;
	firstlab = *dname;
	/* the prefix length label is at most three characters and must be
	 * entirely present */
	if(firstlab > 3 || dnamelen < 1 + firstlab)
		return 0;
	memcpy(numbuf, dname + 1, firstlab);
	numbuf[firstlab] = '\0';
	*net = atoi(numbuf);
	/* atoi yields 0 for garbage too; only the literal "0" is accepted */
	if(*net == 0 && strcmp(numbuf, "0") != 0)
		return 0;
	if(*net < 0)
		return 0;
	/* the remaining labels hold the address itself */
	if(!ipdnametoaddr(dname + 1 + firstlab, dnamelen - 1 - firstlab,
		addr, addrlen, af))
		return 0;
	maxnet = (*af == AF_INET6) ? 128 : 32;
	return *net <= maxnet;
}
448
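/**
 * Parse an upstream address with optional port and TLS auth name:
 * "ip", "ip@port", "ip@port#name" or "ip#name".
 * @param str: the text; not modified, but *auth_name points into it.
 * @param addr: output address.
 * @param addrlen: output length of addr.
 * @param auth_name: set to the text after '#' inside str, or NULL.
 * @return 1 on success, 0 on an over-long address part, an unparseable
 *	or out-of-range port, or a bad address. Without "@port" the port
 *	is UNBOUND_DNS_PORT, or UNBOUND_DNS_OVER_TLS_PORT when "#name" is
 *	given.
 */
int authextstrtoaddr(char* str, struct sockaddr_storage* addr,
	socklen_t* addrlen, char** auth_name)
{
	char* s;
	int port = UNBOUND_DNS_PORT;
	if((s=strchr(str, '@'))) {
		char buf[MAX_ADDR_STRLEN];
		size_t len = (size_t)(s-str);
		char* hash = strchr(s+1, '#');
		if(hash) {
			*auth_name = hash+1;
		} else {
			*auth_name = NULL;
		}
		if(len >= MAX_ADDR_STRLEN) {
			return 0;
		}
		(void)strlcpy(buf, str, sizeof(buf));
		buf[len] = 0;
		/* atoi stops at '#', so "853#name" parses as 853 */
		port = atoi(s+1);
		if(port == 0) {
			/* only a literal "0" (or "0#...") means port zero */
			if(!hash && strcmp(s+1,"0")!=0)
				return 0;
			if(hash && strncmp(s+1,"0#",2)!=0)
				return 0;
		}
		/* the port is cast to 16 bits later; refuse values that
		 * would silently wrap into a different port */
		if(port < 0 || port > 65535)
			return 0;
		return ipstrtoaddr(buf, port, addr, addrlen);
	}
	if((s=strchr(str, '#'))) {
		char buf[MAX_ADDR_STRLEN];
		size_t len = (size_t)(s-str);
		if(len >= MAX_ADDR_STRLEN) {
			return 0;
		}
		(void)strlcpy(buf, str, sizeof(buf));
		buf[len] = 0;
		port = UNBOUND_DNS_OVER_TLS_PORT;
		*auth_name = s+1;
		return ipstrtoaddr(buf, port, addr, addrlen);
	}
	*auth_name = NULL;
	return ipstrtoaddr(str, port, addr, addrlen);
}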
492
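/**
 * Parse a host name with optional port and TLS auth name into wire format:
 * "host", "host@port", "host@port#name" or "host#name".
 * @param str: the text; not modified, but *auth_name points into it.
 * @param port: output port; UNBOUND_DNS_PORT by default, or
 *	UNBOUND_DNS_OVER_TLS_PORT when only "#name" is given.
 * @param auth_name: set to the text after '#' inside str, or NULL.
 * @return wire format dname from sldns_str2wire_dname (ownership presumably
 *	passes to the caller — verify against that function), or NULL on an
 *	over-long host part, an unparseable or out-of-range port, or a name
 *	that does not convert.
 */
uint8_t* authextstrtodname(char* str, int* port, char** auth_name)
{
	char* s;
	uint8_t* dname;
	size_t dname_len;
	*port = UNBOUND_DNS_PORT;
	*auth_name = NULL;
	if((s=strchr(str, '@'))) {
		char buf[MAX_HOST_STRLEN];
		size_t len = (size_t)(s-str);
		char* hash = strchr(s+1, '#');
		if(hash) {
			*auth_name = hash+1;
		} else {
			*auth_name = NULL;
		}
		if(len >= MAX_HOST_STRLEN) {
			return NULL;
		}
		(void)strlcpy(buf, str, sizeof(buf));
		buf[len] = 0;
		/* atoi stops at '#', so "853#name" parses as 853 */
		*port = atoi(s+1);
		if(*port == 0) {
			/* only a literal "0" (or "0#...") means port zero */
			if(!hash && strcmp(s+1,"0")!=0)
				return NULL;
			if(hash && strncmp(s+1,"0#",2)!=0)
				return NULL;
		}
		/* a port outside 0..65535 cannot be stored in a sockaddr;
		 * reject it here rather than let a later cast wrap it */
		if(*port < 0 || *port > 65535)
			return NULL;
		dname = sldns_str2wire_dname(buf, &dname_len);
	} else if((s=strchr(str, '#'))) {
		char buf[MAX_HOST_STRLEN];
		size_t len = (size_t)(s-str);
		if(len >= MAX_HOST_STRLEN) {
			return NULL;
		}
		(void)strlcpy(buf, str, sizeof(buf));
		buf[len] = 0;
		*port = UNBOUND_DNS_OVER_TLS_PORT;
		*auth_name = s+1;
		dname = sldns_str2wire_dname(buf, &dname_len);
	} else {
		dname = sldns_str2wire_dname(str, &dname_len);
	}
	return dname;
}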
538
/**
 * Store a port number into a sockaddr structure.
 * @param addr: the address; treated as sockaddr_in6 when addr_is_ip6()
 *	says so, as sockaddr_in otherwise.
 * @param addrlen: length of addr.
 * @param port: port in host order, truncated to 16 bits.
 */
void
sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port)
{
	in_port_t nport = (in_port_t)htons((uint16_t)port);
	if(addr_is_ip6(addr, addrlen))
		((struct sockaddr_in6*)addr)->sin6_port = nport;
	else	((struct sockaddr_in*)addr)->sin_port = nport;
}
551
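/**
 * Text for an RR type, for log lines. Well-known meta types get their
 * mnemonic, then the sldns descriptor table is consulted, otherwise
 * "TYPE<number>" is formatted into buf.
 * @param type: RR type number.
 * @param buf: scratch space for the "TYPE<number>" form.
 * @param buflen: size of buf; 12 bytes hold "TYPE65535".
 * @return a static string or a pointer into buf.
 */
static const char*
lognt_typestr(uint16_t type, char* buf, size_t buflen)
{
	if(type == LDNS_RR_TYPE_TSIG) return "TSIG";
	if(type == LDNS_RR_TYPE_IXFR) return "IXFR";
	if(type == LDNS_RR_TYPE_AXFR) return "AXFR";
	if(type == LDNS_RR_TYPE_MAILB) return "MAILB";
	if(type == LDNS_RR_TYPE_MAILA) return "MAILA";
	if(type == LDNS_RR_TYPE_ANY) return "ANY";
	if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
		return sldns_rr_descript(type)->_name;
	snprintf(buf, buflen, "TYPE%d", (int)type);
	return buf;
}

/**
 * Text for an RR class, for log lines.
 * @param dclass: class number.
 * @param buf: scratch space for the "CLASS<number>" form.
 * @param buflen: size of buf; 12 bytes hold "CLASS65535".
 * @return the name from the sldns class table or a pointer into buf.
 */
static const char*
lognt_classstr(uint16_t dclass, char* buf, size_t buflen)
{
	if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
		sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
		return sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
	snprintf(buf, buflen, "CLASS%d", (int)dclass);
	return buf;
}

/**
 * Log a name, type and class at the given verbosity level.
 * @param v: verbosity level; nothing is printed if global verbosity is lower.
 * @param str: prefix text for the log line.
 * @param name: wire format domain name.
 * @param type: RR type.
 * @param dclass: RR class.
 */
void
log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
	uint16_t type, uint16_t dclass)
{
	char buf[LDNS_MAX_DOMAINLEN];
	char t[12], c[12];
	const char *ts, *cs;
	if(verbosity < v)
		return;
	dname_str(name, buf);
	ts = lognt_typestr(type, t, sizeof(t));
	cs = lognt_classstr(dclass, c, sizeof(c));
	log_info("%s %s %s %s", str, buf, ts, cs);
}

/**
 * Log an incoming query's name, type and class. Unlike log_nametypeclass
 * this ignores the verbosity level, and uses the 'query' log tag instead
 * of 'info' when LOG_TAG_QUERYREPLY is set.
 * @param str: prefix text for the log line.
 * @param name: wire format domain name.
 * @param type: RR type.
 * @param dclass: RR class.
 */
void
log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass)
{
	char buf[LDNS_MAX_DOMAINLEN];
	char t[12], c[12];
	const char *ts, *cs;
	dname_str(name, buf);
	ts = lognt_typestr(type, t, sizeof(t));
	cs = lognt_classstr(dclass, c, sizeof(c));
	if(LOG_TAG_QUERYREPLY)
		log_query("%s %s %s %s", str, buf, ts, cs);
	else	log_info("%s %s %s %s", str, buf, ts, cs);
}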
614
/**
 * Log a zone name together with a socket address.
 * @param v: verbosity level; nothing is printed if global verbosity is lower.
 * @param str: prefix text for the log line.
 * @param zone: wire format zone name.
 * @param addr: the address; family read from the sockaddr_in view.
 * @param addrlen: length of addr, printed only for unknown families.
 */
void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
	struct sockaddr_storage* addr, socklen_t addrlen)
{
	char namebuf[LDNS_MAX_DOMAINLEN];
	char dest[100];
	const char* family = "unknown_family ";
	int af = (int)((struct sockaddr_in*)addr)->sin_family;
	void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
	uint16_t port;
	if(verbosity < v)
		return;
	/* ip4 and ip6 print no family tag; other families get a label */
	if(af == AF_INET) {
		family = "";
	} else if(af == AF_INET6) {
		family = "";
		sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
	} else if(af == AF_LOCAL) {
		family = "local ";
	}
	if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == NULL)
		(void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
	dest[sizeof(dest)-1] = 0;
	port = ntohs(((struct sockaddr_in*)addr)->sin_port);
	dname_str(zone, namebuf);
	if(af == AF_INET || af == AF_INET6)
		verbose(v, "%s <%s> %s%s#%d",
			str, namebuf, family, dest, (int)port);
	else	verbose(v, "%s <%s> %s%s#%d (addrlen %d)",
			str, namebuf, family, dest, (int)port, (int)addrlen);
}
646
/**
 * Log an error message together with the socket address it concerns.
 * @param str: prefix text for the log line.
 * @param err: the error text.
 * @param addr: the address; family read from the sockaddr_in view.
 * @param addrlen: length of addr, printed at verbosity 4 and up.
 */
void log_err_addr(const char* str, const char* err,
	struct sockaddr_storage* addr, socklen_t addrlen)
{
	char dest[100];
	int af = (int)((struct sockaddr_in*)addr)->sin_family;
	void* sinaddr = (af == AF_INET6)
		? (void*)&((struct sockaddr_in6*)addr)->sin6_addr
		: (void*)&((struct sockaddr_in*)addr)->sin_addr;
	uint16_t port = ntohs(((struct sockaddr_in*)addr)->sin_port);
	if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == NULL)
		(void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
	dest[sizeof(dest)-1] = 0;
	if(verbosity >= 4)
		log_err("%s: %s for %s port %d (len %d)", str, err, dest,
			(int)port, (int)addrlen);
	else	log_err("%s: %s for %s port %d", str, err, dest, (int)port);
}
666
/**
 * Order two socket addresses: by length, then family, then port (raw
 * network-order value, ordering only), then address bytes.
 * @param addr1: first address.
 * @param len1: its length.
 * @param addr2: second address.
 * @param len2: its length.
 * @return <0, 0 or >0 like memcmp. Unknown families fall back to a byte
 *	comparison of the whole structure.
 */
int
sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1,
	struct sockaddr_storage* addr2, socklen_t len2)
{
	struct sockaddr_in* a4 = (struct sockaddr_in*)addr1;
	struct sockaddr_in* b4 = (struct sockaddr_in*)addr2;
	struct sockaddr_in6* a6 = (struct sockaddr_in6*)addr1;
	struct sockaddr_in6* b6 = (struct sockaddr_in6*)addr2;
	if(len1 != len2)
		return (len1 < len2) ? -1 : 1;
	log_assert(len1 == len2);
	if(a4->sin_family != b4->sin_family)
		return (a4->sin_family < b4->sin_family) ? -1 : 1;
	log_assert( a4->sin_family == b4->sin_family );
	if(a4->sin_family == AF_INET) {
		/* just order it, ntohs not required */
		if(a4->sin_port != b4->sin_port)
			return (a4->sin_port < b4->sin_port) ? -1 : 1;
		log_assert(a4->sin_port == b4->sin_port);
		return memcmp(&a4->sin_addr, &b4->sin_addr, INET_SIZE);
	}
	if(a6->sin6_family == AF_INET6) {
		/* just order it, ntohs not required */
		if(a6->sin6_port != b6->sin6_port)
			return (a6->sin6_port < b6->sin6_port) ? -1 : 1;
		log_assert(a6->sin6_port == b6->sin6_port);
		return memcmp(&a6->sin6_addr, &b6->sin6_addr, INET6_SIZE);
	}
	/* unknown family: compare the raw bytes so the order stays total */
	return memcmp(addr1, addr2, len1);
}
708
/**
 * Order two socket addresses ignoring the port: by length, then family,
 * then address bytes.
 * @param addr1: first address.
 * @param len1: its length.
 * @param addr2: second address.
 * @param len2: its length.
 * @return <0, 0 or >0 like memcmp. Unknown families fall back to a byte
 *	comparison of the whole structure (which does include the port).
 */
int
sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1,
	struct sockaddr_storage* addr2, socklen_t len2)
{
	struct sockaddr_in* a4 = (struct sockaddr_in*)addr1;
	struct sockaddr_in* b4 = (struct sockaddr_in*)addr2;
	struct sockaddr_in6* a6 = (struct sockaddr_in6*)addr1;
	struct sockaddr_in6* b6 = (struct sockaddr_in6*)addr2;
	if(len1 != len2)
		return (len1 < len2) ? -1 : 1;
	log_assert(len1 == len2);
	if(a4->sin_family != b4->sin_family)
		return (a4->sin_family < b4->sin_family) ? -1 : 1;
	log_assert( a4->sin_family == b4->sin_family );
	if(a4->sin_family == AF_INET)
		return memcmp(&a4->sin_addr, &b4->sin_addr, INET_SIZE);
	if(a6->sin6_family == AF_INET6)
		return memcmp(&a6->sin6_addr, &b6->sin6_addr, INET6_SIZE);
	/* unknown family: compare the raw bytes so the order stays total */
	return memcmp(addr1, addr2, len1);
}
738
/**
 * Order two socket addresses like sockaddr_cmp, but for IPv6 the scope id
 * is compared after the port and before the address bytes.
 * @param addr1: first address.
 * @param len1: its length.
 * @param addr2: second address.
 * @param len2: its length.
 * @return <0, 0 or >0 like memcmp. Unknown families fall back to a byte
 *	comparison of the whole structure.
 */
int
sockaddr_cmp_scopeid(struct sockaddr_storage* addr1, socklen_t len1,
	struct sockaddr_storage* addr2, socklen_t len2)
{
	struct sockaddr_in* a4 = (struct sockaddr_in*)addr1;
	struct sockaddr_in* b4 = (struct sockaddr_in*)addr2;
	struct sockaddr_in6* a6 = (struct sockaddr_in6*)addr1;
	struct sockaddr_in6* b6 = (struct sockaddr_in6*)addr2;
	if(len1 != len2)
		return (len1 < len2) ? -1 : 1;
	log_assert(len1 == len2);
	if(a4->sin_family != b4->sin_family)
		return (a4->sin_family < b4->sin_family) ? -1 : 1;
	log_assert( a4->sin_family == b4->sin_family );
	if(a4->sin_family == AF_INET) {
		/* just order it, ntohs not required */
		if(a4->sin_port != b4->sin_port)
			return (a4->sin_port < b4->sin_port) ? -1 : 1;
		log_assert(a4->sin_port == b4->sin_port);
		return memcmp(&a4->sin_addr, &b4->sin_addr, INET_SIZE);
	}
	if(a6->sin6_family == AF_INET6) {
		/* just order it, ntohs not required */
		if(a6->sin6_port != b6->sin6_port)
			return (a6->sin6_port < b6->sin6_port) ? -1 : 1;
		if(a6->sin6_scope_id != b6->sin6_scope_id)
			return (a6->sin6_scope_id < b6->sin6_scope_id) ? -1 : 1;
		log_assert(a6->sin6_port == b6->sin6_port);
		return memcmp(&a6->sin6_addr, &b6->sin6_addr, INET6_SIZE);
	}
	/* unknown family: compare the raw bytes so the order stays total */
	return memcmp(addr1, addr2, len1);
}
784
/**
 * Tell whether a sockaddr holds an IPv6 address.
 * @param addr: the address.
 * @param len: its length.
 * @return 1 only when len is exactly sizeof(sockaddr_in6) and the family
 *	is AF_INET6, 0 otherwise.
 */
int
addr_is_ip6(const struct sockaddr_storage* addr, socklen_t len)
{
	const struct sockaddr_in6* sa6 = (const struct sockaddr_in6*)addr;
	return len == (socklen_t)sizeof(struct sockaddr_in6)
		&& sa6->sin6_family == AF_INET6;
}
793
/**
 * Clear the host bits of an address so only the first net bits remain.
 * @param addr: the address, modified in place.
 * @param len: its length, used to tell IPv6 from IPv4.
 * @param net: prefix length in bits. Negative values and values at or
 *	beyond the address width leave the address untouched.
 */
void
addr_mask(struct sockaddr_storage* addr, socklen_t len, int net)
{
	/* mask for the partial byte, indexed by the number of bits to keep */
	static const uint8_t keep_bits[8] =
		{0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
	uint8_t* octets;
	int nbytes, i;
	if(addr_is_ip6(addr, len)) {
		octets = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
		nbytes = 16;
	} else {
		octets = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr;
		nbytes = 4;
	}
	if(net < 0 || net >= nbytes * 8)
		return;
	/* partial byte first, then everything after it is zeroed */
	octets[net/8] &= keep_bits[net % 8];
	for(i = net/8 + 1; i < nbytes; i++)
		octets[i] = 0;
}
814
/**
 * Count the leading bits two addresses have in common, capped by the
 * shorter of the two prefix lengths.
 * @param addr1: first address.
 * @param net1: its prefix length.
 * @param addr2: second address, assumed to be of the same family.
 * @param net2: its prefix length.
 * @param addrlen: length of addr1, used to tell IPv6 from IPv4.
 * @return number of matching leading bits, at most min(net1, net2).
 */
int
addr_in_common(struct sockaddr_storage* addr1, int net1,
	struct sockaddr_storage* addr2, int net2, socklen_t addrlen)
{
	int limit = (net1 < net2) ? net1 : net2;
	int nbytes, idx;
	int common = 0;
	uint8_t *a, *b;
	if(addr_is_ip6(addr1, addrlen)) {
		a = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr;
		b = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr;
		nbytes = 16;
	} else {
		a = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr;
		b = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr;
		nbytes = 4;
	}
	for(idx = 0; idx < nbytes; idx++) {
		uint8_t diff = a[idx] ^ b[idx];
		if(diff == 0) {
			common += 8;
			continue;
		}
		/* count the leading zero bits of the first differing byte */
		log_assert(diff);
		while(!(diff & 0x80)) {
			common++;
			diff <<= 1;
		}
		break;
	}
	return (common > limit) ? limit : common;
}
849
/**
 * Render a socket address (without port) as text.
 * @param addr: the address.
 * @param addrlen: its length, used to tell IPv6 from IPv4.
 * @param buf: output buffer.
 * @param len: size of buf; on inet_ntop failure it receives the text
 *	"(inet_ntop_error)" (truncated to fit).
 */
void
addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
	char* buf, size_t len)
{
	int af = (int)((struct sockaddr_in*)addr)->sin_family;
	void* sinaddr;
	if(addr_is_ip6(addr, addrlen))
		sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
	else	sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
	if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == NULL)
		snprintf(buf, len, "(inet_ntop_error)");
}
862
/**
 * Tell whether a prefix length is one of the NAT64 (RFC 6052) prefix
 * lengths: 32, 40, 48, 56, 64 or 96.
 * @param prefixnet: prefix length in bits.
 * @return 1 if it is a valid NAT64 prefix length, 0 otherwise.
 */
int
prefixnet_is_nat64(int prefixnet)
{
	switch(prefixnet) {
	case 32: case 40: case 48: case 56: case 64: case 96:
		return 1;
	default:
		return 0;
	}
}
870
/**
 * Embed an IPv4 address into a NAT64 prefix (RFC 6052 layout).
 * @param addr: the IPv4 address; the caller must ensure AF_INET.
 * @param nat64_prefix: the IPv6 prefix to embed into.
 * @param nat64_prefixlen: length of nat64_prefix, copied to nat64_addrlen.
 * @param nat64_prefixnet: prefix length in bits, must satisfy
 *	prefixnet_is_nat64() (enforced during config validation).
 * @param nat64_addr: output, a copy of the prefix with the four IPv4 bytes
 *	written after it; byte 8 is kept zero when the prefix ends there.
 * @param nat64_addrlen: output length.
 */
void
addr_to_nat64(const struct sockaddr_storage* addr,
	const struct sockaddr_storage* nat64_prefix,
	socklen_t nat64_prefixlen, int nat64_prefixnet,
	struct sockaddr_storage* nat64_addr, socklen_t* nat64_addrlen)
{
	const struct sockaddr_in* src4 = (const struct sockaddr_in*)addr;
	struct sockaddr_in6* dst6;
	const uint8_t* v4 = (const uint8_t*)&src4->sin_addr.s_addr;
	int pos, k;

	/* This needs to be checked by the caller */
	log_assert(addr->ss_family == AF_INET);
	/* Current usage is only from config values; prefix lengths enforced
	 * during config validation */
	log_assert(prefixnet_is_nat64(nat64_prefixnet));

	*nat64_addr = *nat64_prefix;
	*nat64_addrlen = nat64_prefixlen;

	dst6 = (struct sockaddr_in6*)nat64_addr;
	dst6->sin6_flowinfo = 0;
	dst6->sin6_port = src4->sin_port;

	/* byte offset right after the prefix */
	pos = nat64_prefixnet / 8;
	for(k = 0; k < 4; k++) {
		if(pos == 8) {
			/* bits 64...71 are MBZ */
			dst6->sin6_addr.s6_addr[pos++] = 0;
		}
		dst6->sin6_addr.s6_addr[pos++] = v4[k];
	}
}
906
/**
 * Tell whether an address is an IPv4-mapped IPv6 address (::ffff:x.x.x.x).
 * @param addr: the address.
 * @param addrlen: its length.
 * @return 1 if it is IPv6 (per addr_is_ip6) and its first 12 octets are
 *	the ::ffff:0:0/96 prefix, 0 otherwise.
 */
int
addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
{
	static const uint8_t mapped_prefix[12] =
		{0,0,0,0, 0,0,0,0, 0,0,0xff,0xff};
	const uint8_t* octets;
	if(!addr_is_ip6(addr, addrlen))
		return 0;
	octets = (const uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
	return memcmp(octets, mapped_prefix, sizeof(mapped_prefix)) == 0;
}
920
/**
 * Tell whether an address is an IPv6 link-local address (fe80::/10).
 * @param addr: the address.
 * @param addrlen: its length.
 * @return 1 if the family is AF_INET6, addrlen covers a sockaddr_in6 and
 *	the top 10 bits are 1111111010, 0 otherwise.
 */
int addr_is_ip6linklocal(struct sockaddr_storage* addr, socklen_t addrlen)
{
	struct sockaddr_in6* sa6 = (struct sockaddr_in6*)addr;
	uint8_t head[2];
	if((int)sa6->sin6_family != AF_INET6
		|| addrlen < (socklen_t)sizeof(struct sockaddr_in6))
		return 0;
	memcpy(head, &sa6->sin6_addr, sizeof(head));
	/* keep only the top 10 bits, then compare against fe80 */
	head[1] &= 0xc0;
	return head[0] == 0xfe && head[1] == 0x80;
}
934
/**
 * Tell whether an address is the IPv4 limited broadcast 255.255.255.255.
 * @param addr: the address.
 * @param addrlen: its length.
 * @return 1 if the family is AF_INET, addrlen covers a sockaddr_in and all
 *	four address octets are 0xff, 0 otherwise.
 */
int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
{
	static const uint8_t all_ones[4] = {0xff, 0xff, 0xff, 0xff};
	struct sockaddr_in* sa4 = (struct sockaddr_in*)addr;
	if((int)sa4->sin_family != AF_INET)
		return 0;
	if(addrlen < (socklen_t)sizeof(struct sockaddr_in))
		return 0;
	return memcmp(&sa4->sin_addr, all_ones, sizeof(all_ones)) == 0;
}
942
/**
 * Tell whether an address is the unspecified address (0.0.0.0 or ::).
 * @param addr: the address.
 * @param addrlen: its length, which must cover the sockaddr for the family.
 * @return 1 for an all-zero AF_INET or AF_INET6 address, 0 otherwise
 *	(including other families and too-short lengths).
 */
int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen)
{
	static const uint8_t zeros[16] = {0};
	int af = (int)((struct sockaddr_in*)addr)->sin_family;
	if(af == AF_INET) {
		if(addrlen < (socklen_t)sizeof(struct sockaddr_in))
			return 0;
		return memcmp(&((struct sockaddr_in*)addr)->sin_addr,
			zeros, 4) == 0;
	}
	if(af == AF_INET6) {
		if(addrlen < (socklen_t)sizeof(struct sockaddr_in6))
			return 0;
		return memcmp(&((struct sockaddr_in6*)addr)->sin6_addr,
			zeros, 16) == 0;
	}
	return 0;
}
957
/**
 * Prepend a new node holding addr to a socket list, allocating it from
 * region. The addr member is allocated only as large as len needs.
 * @param list: the list head, updated to the new node.
 * @param addr: address bytes to copy; ignored when len is 0.
 * @param len: number of address bytes.
 * @param region: allocator; on failure an error is logged and the list is
 *	left unchanged.
 */
void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
	socklen_t len, struct regional* region)
{
	struct sock_list* node;
	size_t need = sizeof(*node) - sizeof(node->addr) + (size_t)len;
	node = (struct sock_list*)regional_alloc(region, need);
	if(node == NULL) {
		log_err("out of memory in socketlist insert");
		return;
	}
	log_assert(list);
	node->len = len;
	node->next = *list;
	*list = node;
	if(len)
		memmove(&node->addr, addr, len);
}
973
/**
 * Splice a whole chain of nodes in front of a socket list.
 * @param list: list head; receives add as its new first node.
 * @param add: chain to prepend; NULL leaves list untouched.  Its last node
 *	is linked to the previous head of list.
 */
void sock_list_prepend(struct sock_list** list, struct sock_list* add)
{
	struct sock_list* tail;
	if(add == NULL)
		return;
	/* walk to the end of the chain being added */
	for(tail = add; tail->next != NULL; tail = tail->next)
		;
	tail->next = *list;
	*list = add;
}
984
/**
 * Look an address up in a socket list.
 * @param list: list to search (may be NULL).
 * @param addr: address to find.
 * @param len: length of addr; only nodes with the same len are compared,
 *	and two zero-length entries count as equal without comparing bytes.
 * @return 1 if an equal entry (per sockaddr_cmp_addr) is present, else 0.
 */
int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
	socklen_t len)
{
	for(; list != NULL; list = list->next) {
		if(list->len != len)
			continue;
		if(len == 0)
			return 1;
		if(sockaddr_cmp_addr(addr, len, &list->addr, list->len) == 0)
			return 1;
	}
	return 0;
}
998
/**
 * Merge the entries of add into list, copying only the addresses that are
 * not already present (set union; add itself is left unchanged).
 * @param list: destination list head.
 * @param region: regional used by sock_list_insert for the new copies.
 * @param add: list whose entries are merged in.
 */
void sock_list_merge(struct sock_list** list, struct regional* region,
	struct sock_list* add)
{
	struct sock_list* cur = add;
	while(cur != NULL) {
		int present = sock_list_find(*list, &cur->addr, cur->len);
		if(!present)
			sock_list_insert(list, &cur->addr, cur->len, region);
		cur = cur->next;
	}
}
1008
/**
 * Log a libssl/libcrypto failure: str followed by the error queue, starting
 * with the oldest queued error.  No-op without HAVE_SSL.
 * @param str: caller-provided context for the log line.
 */
void
log_crypto_err(const char* str)
{
#ifdef HAVE_SSL
	/* pops the first error; log_crypto_err_code drains the rest */
	unsigned long first = ERR_get_error();
	log_crypto_err_code(str, first);
#else
	(void)str;
#endif /* HAVE_SSL */
}
1018
/**
 * Log a specific libcrypto error code, then drain and log every error still
 * on the thread's error queue.  No-op without HAVE_SSL.
 * @param str: caller-provided context for the first log line.
 * @param err: the error code to report first (from ERR_get_error or
 *	similar).
 */
void log_crypto_err_code(const char* str, unsigned long err)
{
#ifdef HAVE_SSL
	/* error:[error code]:[library name]:[function name]:[reason string] */
	char buf[128];
	unsigned long next;
	ERR_error_string_n(err, buf, sizeof(buf));
	log_err("%s crypto %s", str, buf);
	/* the queue is emptied so stale errors do not leak into later reports */
	for(next = ERR_get_error(); next != 0; next = ERR_get_error()) {
		ERR_error_string_n(next, buf, sizeof(buf));
		log_err("and additionally crypto %s", buf);
	}
#else
	(void)str;
	(void)err;
#endif /* HAVE_SSL */
}
1036
1037 #ifdef HAVE_SSL
/**
 * Print a crypto I/O error, combining an SSL_get_error() result with,
 * depending on that result, errno and/or the libcrypto error queue.
 * @param str: caller-provided context.
 * @param r: SSL_get_error() result code.
 * @param err: explicit libcrypto error code, used when err_present.
 * @param err_present: if nonzero, err is logged instead of the queue head.
 */
static void log_crypto_err_io_code_arg(const char* str, int r,
	unsigned long err, int err_present)
{
	int with_errno = 0, with_queue = 0;
	const char* what = NULL;

	switch(r) {
	case SSL_ERROR_NONE:
		what = "no error";
		break;
	case SSL_ERROR_ZERO_RETURN:
		what = "channel closed";
		break;
	case SSL_ERROR_WANT_READ:
		what = "want read";
		break;
	case SSL_ERROR_WANT_WRITE:
		what = "want write";
		break;
	case SSL_ERROR_WANT_CONNECT:
		what = "want connect";
		break;
	case SSL_ERROR_WANT_ACCEPT:
		what = "want accept";
		break;
	case SSL_ERROR_WANT_X509_LOOKUP:
		what = "want X509 lookup";
		break;
#ifdef SSL_ERROR_WANT_ASYNC
	case SSL_ERROR_WANT_ASYNC:
		what = "want async";
		break;
#endif
#ifdef SSL_ERROR_WANT_ASYNC_JOB
	case SSL_ERROR_WANT_ASYNC_JOB:
		what = "want async job";
		break;
#endif
#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
	case SSL_ERROR_WANT_CLIENT_HELLO_CB:
		what = "want client hello cb";
		break;
#endif
	case SSL_ERROR_SYSCALL:
		/* the OS call failed: errno carries the detail */
		with_errno = 1;
		what = "syscall";
		break;
	case SSL_ERROR_SSL:
		/* protocol-level failure: the detail is on the error queue */
		with_queue = 1;
		what = "SSL, usually protocol, error";
		break;
	default:
		/* unknown code: report everything we have */
		what = "unknown SSL_get_error result code";
		with_errno = 1;
		with_queue = 1;
	}

	if(with_queue && with_errno) {
		char msg[1024];
		snprintf(msg, sizeof(msg), "%s with errno %s",
			str, strerror(errno));
		if(err_present)
			log_crypto_err_code(msg, err);
		else
			log_crypto_err(msg);
	} else if(with_queue) {
		if(err_present)
			log_crypto_err_code(str, err);
		else
			log_crypto_err(str);
	} else if(with_errno) {
		/* errno 0 on a syscall error is called out explicitly, since the
		 * strerror text alone would read as "Success" */
		if(errno == 0)
			log_err("%s: syscall error with errno %s",
				str, strerror(errno));
		else
			log_err("%s: %s", str, strerror(errno));
	} else {
		log_err("%s: %s", str, what);
	}
}
1119 #endif /* HAVE_SSL */
1120
/**
 * Log a crypto I/O error for an SSL_get_error() result, using the error
 * queue for the libcrypto detail.  No-op without HAVE_SSL.
 * @param str: caller-provided context.
 * @param r: SSL_get_error() result code.
 */
void log_crypto_err_io(const char* str, int r)
{
#if defined(HAVE_SSL)
	/* no explicit code: err_present=0 makes the helper drain the queue */
	log_crypto_err_io_code_arg(str, r, 0, 0);
#else
	(void)str; (void)r;
#endif /* HAVE_SSL */
}
1130
/**
 * Log a crypto I/O error for an SSL_get_error() result together with an
 * explicit libcrypto error code.  No-op without HAVE_SSL.
 * @param str: caller-provided context.
 * @param r: SSL_get_error() result code.
 * @param err: libcrypto error code to report.
 */
void log_crypto_err_io_code(const char* str, int r, unsigned long err)
{
#if defined(HAVE_SSL)
	log_crypto_err_io_code_arg(str, r, err, 1);
#else
	(void)str; (void)r; (void)err;
#endif /* HAVE_SSL */
}
1141
1142 #ifdef HAVE_SSL
/** Collapse every doubled occurrence of pair in text, in place, until none
 * is left (e.g. runs of spaces shrink to a single space). */
static void
squeeze_double(char* text, const char* pair)
{
	char* hit;
	while((hit = strstr(text, pair)) != NULL)
		memmove(hit, hit + 1, strlen(hit + 1) + 1);
}

/**
 * Log certificate details at the given verbosity level.  Only the subject,
 * issuer, validity, extensions, aux and attribute sections are printed;
 * repeated spaces and tabs are squeezed to keep the output short.
 * @param level: verbosity level; nothing is done when verbosity is lower.
 * @param str: caller-provided label for the log line.
 * @param cert: an X509* certificate.
 */
void
log_cert(unsigned level, const char* str, void* cert)
{
	BIO* mem;
	char terminator = 0;
	char* text = NULL;
	long text_len;
	if(verbosity < level)
		return;
	mem = BIO_new(BIO_s_mem());
	if(mem == NULL)
		return;
	/* all flag bits set except the NO_ bits below: print just those parts */
	X509_print_ex(mem, (X509*)cert, 0, (unsigned long)-1
		^(X509_FLAG_NO_SUBJECT
		|X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY
		|X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX
		|X509_FLAG_NO_ATTRIBUTES));
	/* NUL-terminate the BIO contents so they can be used as a C string */
	BIO_write(mem, &terminator, (int)sizeof(terminator));
	text_len = BIO_get_mem_data(mem, &text);
	if(text_len != 0 && text != NULL) {
		squeeze_double(text, "  ");
		squeeze_double(text, "\t\t");
		verbose(level, "%s: \n%s", str, text);
	}
	BIO_free(mem);
}
1172 #endif /* HAVE_SSL */
1173
1174 #if defined(HAVE_SSL) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
/**
 * ALPN selection callback for DNS-over-TLS listeners: accept only "dot".
 * @param out, outlen: receive the selected protocol (points into the
 *	static list below).
 * @param in, inlen: the client's ALPN list in wire format (length-prefixed
 *	names), as handed over by libssl.
 * @return SSL_TLSEXT_ERR_OK when "dot" was offered, SSL_TLSEXT_ERR_NOACK
 *	when the client offered ALPN without "dot".
 */
static int
dot_alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out,
	unsigned char* outlen, const unsigned char* in, unsigned int inlen,
	void* ATTR_UNUSED(arg))
{
	/* wire-format ALPN list with one entry: length 3, "dot" */
	static const unsigned char dot_alpn[] = { 3, 'd', 'o', 't' };
	unsigned char* selected = NULL;
	int status = SSL_select_next_proto(&selected, outlen, dot_alpn,
		sizeof(dot_alpn), in, inlen);
	/* NOTE(review): relies on libssl passing a well-formed, non-empty
	 * client list here; no separate inlen check is done. */
	if(status != OPENSSL_NPN_NO_OVERLAP) {
		*out = selected;
		return SSL_TLSEXT_ERR_OK;
	}
	/* Client sent ALPN but no overlap. Should have been error,
	 * but for privacy we continue without ALPN (e.g., if certain
	 * ALPNs are blocked) */
	return SSL_TLSEXT_ERR_NOACK;
}
1193 #endif
1194
1195 #if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
/**
 * ALPN selection callback for DNS-over-HTTPS listeners; delegates the
 * choice between h2 and http/1.1 to nghttp2.
 * @param out, outlen: receive the selected protocol.
 * @param in, inlen: the client's ALPN list in wire format.
 * @return SSL_TLSEXT_ERR_OK if nghttp2 picked a protocol,
 *	SSL_TLSEXT_ERR_NOACK if it returned -1 (nothing usable offered).
 */
static int doh_alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out,
	unsigned char* outlen, const unsigned char* in, unsigned int inlen,
	void* ATTR_UNUSED(arg))
{
	int picked = nghttp2_select_next_protocol((unsigned char **)out,
		outlen, in, inlen);
	/* -1 means no overlap; otherwise either http/1.1 or h2 was selected */
	return (picked == -1) ? SSL_TLSEXT_ERR_NOACK : SSL_TLSEXT_ERR_OK;
}
1208 #endif
1209
1210 #ifdef HAVE_SSL
/**
 * Install tls_session_ticket_key_cb as the session ticket key callback on
 * an SSL_CTX, using the EVP_MAC flavour of the API where configure found it.
 * @param sslctx: the SSL_CTX*.
 * @return 1 on success, 0 if libssl refused the callback.
 */
static int
setup_ticket_keys_cb(void* sslctx)
{
	long installed;
# ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
	installed = SSL_CTX_set_tlsext_ticket_key_evp_cb(sslctx,
		tls_session_ticket_key_cb);
# else
	installed = SSL_CTX_set_tlsext_ticket_key_cb(sslctx,
		tls_session_ticket_key_cb);
# endif
	return installed != 0;
}
1226 #endif /* HAVE_SSL */
1227
/**
 * Apply the protocol and cipher policy to a server-side SSL_CTX.
 * SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are always disabled when the library
 * knows the option; TLS 1.2 and 1.3 follow the tls_protocols config via
 * cfg_tls_protocols_allowed.  Client-initiated renegotiation is disabled,
 * unexpected EOF is tolerated, and the server's cipher preference wins.
 * @param ctxt: the SSL_CTX* to configure.
 * @param tls_protocols: config string parsed by cfg_tls_protocols_allowed.
 * @return 1 on success (always, without HAVE_SSL); 0 after logging a
 *	crypto error when one of the SSL_OP_* options could not be set.
 */
int
listen_sslctx_setup(void* ctxt, const char* tls_protocols)
{
#ifdef HAVE_SSL
	int allow12, allow13;
	SSL_CTX* ctx = (SSL_CTX*)ctxt;
	cfg_tls_protocols_allowed(tls_protocols, &allow12, &allow13);

	/* no SSLv2, SSLv3 because has defects */
	/* SSL_CTX_set_options returns the new option set; checking that the
	 * requested bit is present in it is how each call is verified below.
	 * SSL_OP_NO_SSLv2 is 0 in libraries without SSLv2, hence the guard. */
#if SSL_OP_NO_SSLv2 != 0
	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
		!= SSL_OP_NO_SSLv2){
		log_crypto_err("could not set SSL_OP_NO_SSLv2");
		return 0;
	}
#endif
	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
		!= SSL_OP_NO_SSLv3){
		log_crypto_err("could not set SSL_OP_NO_SSLv3");
		return 0;
	}
#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
	/* if we have tls 1.1 disable 1.0 */
	if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
		!= SSL_OP_NO_TLSv1){
		log_crypto_err("could not set SSL_OP_NO_TLSv1");
		return 0;
	}
#endif
#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
	/* if we have tls 1.2 disable 1.1 */
	if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
		!= SSL_OP_NO_TLSv1_1){
		log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
		return 0;
	}
#endif
#if defined(SSL_OP_NO_TLSv1_2)
	if(!allow12) {
		/* we are not allowed to use TLS1.2 */
		if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2)
			!= SSL_OP_NO_TLSv1_2){
			log_crypto_err("could not set SSL_OP_NO_TLSv1_2");
			return 0;
		}
	}
#endif
#if defined(SSL_OP_NO_TLSv1_3)
	if(!allow13) {
		/* we are not allowed to use TLS1.3 */
		if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3) & SSL_OP_NO_TLSv1_3)
			!= SSL_OP_NO_TLSv1_3){
			log_crypto_err("could not set SSL_OP_NO_TLSv1_3");
			return 0;
		}
	}
#endif
#if defined(SSL_OP_NO_RENEGOTIATION)
	/* disable client renegotiation */
	/* renegotiation requests from the peer would otherwise let a client
	 * force repeated handshake work on the server */
	if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
		SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
		log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
		return 0;
	}
#endif
#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
	/* if we detect system-wide crypto policies, use those */
	/* the built-in list is only applied when no policy file exists, so a
	 * distribution policy is never overridden; a failure to set it is
	 * logged but deliberately not fatal */
	if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) {
		/* if we have sha256, set the cipher list to have no known vulns */
		if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
			log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
	}
#endif
#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
	/* ignore errors when peers do not send the mandatory close_notify
	 * alert on shutdown.
	 * Relevant for openssl >= 3 */
	if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
		SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
		log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
		return 0;
	}
#endif

	/* the server's cipher order, not the client's, decides the suite */
	if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
		SSL_OP_CIPHER_SERVER_PREFERENCE) !=
		SSL_OP_CIPHER_SERVER_PREFERENCE) {
		log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE");
		return 0;
	}

#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
	/* NOTE(review): security level 0 switches off libssl's own minimum
	 * key/cipher strength checks, so the cipher list and configured
	 * tls-ciphers/ciphersuites above are the only strength policy in
	 * effect; confirm this is intended for the deployment. */
	SSL_CTX_set_security_level(ctx, 0);
#endif
#else
	(void)ctxt; (void)tls_protocols;
#endif /* HAVE_SSL */
	return 1;
}
1327
/**
 * Second setup step for a server SSL_CTX: enable ECDHE key exchange, either
 * automatically (SSL_CTX_set_ecdh_auto) or with an explicit P-256 key for
 * libraries that only offer SSL_CTX_set_tmp_ecdh.  Failures are logged and
 * ECDHE is simply left disabled.
 * @param ctxt: the SSL_CTX*.
 */
void
listen_sslctx_setup_2(void* ctxt)
{
#ifdef HAVE_SSL
	SSL_CTX* ctx = (SSL_CTX*)ctxt;
	(void)ctx;
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
	if(SSL_CTX_set_ecdh_auto(ctx,1) == 0)
		log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
#elif defined(USE_ECDSA) && HAVE_DECL_SSL_CTX_SET_TMP_ECDH
	{
		EC_KEY* curve = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
		if(curve == NULL) {
			log_crypto_err("could not find p256, not enabling ECDHE");
		} else {
			if(SSL_CTX_set_tmp_ecdh(ctx, curve) != 1)
				log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
			/* the ctx keeps its own reference; release ours */
			EC_KEY_free(curve);
		}
	}
#endif
#else
	(void)ctxt;
#endif /* HAVE_SSL */
}
1355
/**
 * Create and fully configure a server-side SSL_CTX for a listening socket.
 * @param key: path of the private key file (PEM); required.
 * @param pem: path of the certificate chain file; required.
 * @param verifypem: optional CA file; when given, client certificates are
 *	required and verified against it.
 * @param tls_ciphers: optional cipher list (TLS <= 1.2).
 * @param tls_ciphersuites: optional ciphersuites (TLS 1.3), if supported.
 * @param set_ticket_keys_cb: nonzero to install the session ticket key
 *	callback.
 * @param is_dot: nonzero for a DNS-over-TLS listener (ALPN "dot").
 * @param is_doh: nonzero for a DNS-over-HTTPS listener (ALPN via nghttp2).
 * @param tls_protocols: protocol config passed to listen_sslctx_setup.
 * @return the SSL_CTX* (as void*), or NULL after logging the failure.
 *	Without HAVE_SSL always NULL.
 */
void* listen_sslctx_create(const char* key, const char* pem,
	const char* verifypem, const char* tls_ciphers,
	const char* tls_ciphersuites, int set_ticket_keys_cb,
	int is_dot, int is_doh, const char* tls_protocols)
{
#ifdef HAVE_SSL
	SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
	if(ctx == NULL) {
		log_crypto_err("could not SSL_CTX_new");
		return NULL;
	}
	if(key == NULL || key[0] == 0) {
		log_err("error: no tls-service-key file specified");
		goto fail;
	}
	if(pem == NULL || pem[0] == 0) {
		log_err("error: no tls-service-pem file specified");
		goto fail;
	}
	if(!listen_sslctx_setup(ctx, tls_protocols))
		goto fail;
	if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
		log_err("error for cert file: %s", pem);
		log_crypto_err("error in SSL_CTX use_certificate_chain_file");
		goto fail;
	}
	if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
		log_err("error for private key file: %s", key);
		log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
		goto fail;
	}
	/* catches a key that does not belong to the certificate */
	if(!SSL_CTX_check_private_key(ctx)) {
		log_err("error for key file: %s", key);
		log_crypto_err("Error in SSL_CTX check_private_key");
		goto fail;
	}
	listen_sslctx_setup_2(ctx);
	if(verifypem != NULL && verifypem[0] != 0) {
		if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
			log_crypto_err("Error in SSL_CTX verify locations");
			goto fail;
		}
		/* the CA-name list sent to clients; a NULL result from
		 * SSL_load_client_CA_file is passed through unchecked here */
		SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
			verifypem));
		/* with a verify file, a client certificate becomes mandatory */
		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
	}
	if(tls_ciphers != NULL && tls_ciphers[0] != 0) {
		if(!SSL_CTX_set_cipher_list(ctx, tls_ciphers)) {
			log_err("failed to set tls-cipher %s",
				tls_ciphers);
			log_crypto_err("Error in SSL_CTX_set_cipher_list");
			goto fail;
		}
	}
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
	if(tls_ciphersuites != NULL && tls_ciphersuites[0] != 0) {
		if(!SSL_CTX_set_ciphersuites(ctx, tls_ciphersuites)) {
			log_err("failed to set tls-ciphersuites %s",
				tls_ciphersuites);
			log_crypto_err("Error in SSL_CTX_set_ciphersuites");
			goto fail;
		}
	}
#else
	(void)tls_ciphersuites; /* variable unused. */
#endif /* HAVE_SSL_CTX_SET_CIPHERSUITES */
	if(set_ticket_keys_cb && !setup_ticket_keys_cb(ctx)) {
		log_crypto_err("no support for TLS session ticket");
		goto fail;
	}
	/* setup ALPN */
#if defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
	if(is_dot) {
		SSL_CTX_set_alpn_select_cb(ctx, dot_alpn_select_cb, NULL);
	} else if(is_doh) {
#if defined(HAVE_NGHTTP2)
		SSL_CTX_set_alpn_select_cb(ctx, doh_alpn_select_cb, NULL);
#endif
	}
#endif /* HAVE_SSL_CTX_SET_ALPN_SELECT_CB */
	return ctx;
fail:
	SSL_CTX_free(ctx);
	return NULL;
#else
	(void)key; (void)pem; (void)verifypem;
	(void)tls_ciphers; (void)tls_ciphersuites;
	(void)set_ticket_keys_cb; (void)is_dot; (void)is_doh;
	(void)tls_protocols;
	return NULL;
#endif /* HAVE_SSL */
}
1458
1459 #ifdef USE_WINSOCK
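/* For windows, the CA trust store is not read by openssl.
   Add code to open the trust store using wincrypt API and add
   the root certs into openssl trust store */
/**
 * Copy the certificates of the current user's "root" system store into the
 * X509_STORE of an SSL_CTX.  Every exit path closes the wincrypt store and
 * releases the enumeration context; DER parsing uses a local cursor so the
 * CERT_CONTEXT owned by wincrypt is never written through.
 * @param tls_ctx: the SSL_CTX to add the certificates to.
 * @return 1 on success, 0 on any failure (logged at VERB_ALGO where a
 *	detail is available).
 */
static int
add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
{
	HCERTSTORE hSystemStore;
	PCCERT_CONTEXT pTargetCert = NULL;
	X509_STORE* store;
	int rc = 0;

	verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store");

	/* load just once per context lifetime for this version
	   TODO: dynamically update CA trust changes as they are available */
	if (!tls_ctx)
		return 0;

	/* Call wincrypt's CertOpenStore to open the CA root store. */
	hSystemStore = CertOpenStore(
		CERT_STORE_PROV_SYSTEM,
		0,
		0,
		/* NOTE: mingw does not have this const: replace with 1 << 16 from code
		CERT_SYSTEM_STORE_CURRENT_USER, */
		1 << 16,
		L"root");
	if (hSystemStore == 0)
		return 0;

	store = SSL_CTX_get_cert_store(tls_ctx);
	if (!store)
		goto out;

	/* failure if the CA store is empty or the call fails */
	pTargetCert = CertEnumCertificatesInStore(hSystemStore, NULL);
	if (pTargetCert == 0) {
		verbose(VERB_ALGO, "CA certificate store for Windows is empty.");
		goto out;
	}
	/* iterate over the windows cert store and add to openssl store */
	do {
		/* d2i_X509 advances the cursor; keep it off the CERT_CONTEXT */
		const unsigned char* der = pTargetCert->pbCertEncoded;
		X509* cert1 = d2i_X509(NULL, &der, pTargetCert->cbCertEncoded);
		int added;
		if (!cert1) {
			unsigned long error = ERR_get_error();
			/* return error if a cert fails */
			verbose(VERB_ALGO, "%s %d:%s",
				"Unable to parse certificate in memory",
				(int)error, ERR_error_string(error, NULL));
			goto out;
		}
		added = X509_STORE_add_cert(store, cert1);
		/* the store holds its own reference on success; ours is done */
		X509_free(cert1);
		if (added == 0) {
			unsigned long error = ERR_peek_last_error();
			/* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
			 * certificate is already in the store. */
			if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
				ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
				/* return error if a cert add to store fails */
				error = ERR_get_error();
				verbose(VERB_ALGO, "%s %d:%s\n",
					"Error adding certificate", (int)error,
					ERR_error_string(error, NULL));
				goto out;
			}
		}
		/* passing the previous context frees it and yields the next */
	} while ((pTargetCert = CertEnumCertificatesInStore(
		hSystemStore, pTargetCert)) != 0);
	rc = 1;

out:
	/* Clean up memory and quit. pTargetCert is non-NULL only when the
	 * enumeration was abandoned early. */
	if (pTargetCert)
		CertFreeCertificateContext(pTargetCert);
	if (!CertCloseStore(hSystemStore, 0))
		rc = 0;
	if (rc)
		verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully");
	return rc;
}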
1549 #endif /* USE_WINSOCK */
1550
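/**
 * Create a client-side SSL_CTX for outgoing TLS connections.
 * SSLv2/SSLv3 and peer renegotiation are disabled and unexpected EOF is
 * tolerated.  A client certificate is loaded when key is given; pem must
 * then be given as well (previously a NULL pem was handed to libssl).
 * Peer verification (SSL_VERIFY_PEER) is enabled on the ctx only when a
 * verify file or the Windows store is configured; otherwise callers that
 * need server authentication enable it per connection, as
 * set_auth_name_on_ssl in this file does.
 * @param key: optional client private key file (PEM).
 * @param pem: client certificate chain file; required when key is given.
 * @param verifypem: optional CA file for server verification.
 * @param wincert: nonzero to load the Windows system store (USE_WINSOCK)
 *	or the library's default verify paths (elsewhere).
 * @return the SSL_CTX* (as void*), or NULL after logging the failure.
 *	Without HAVE_SSL always NULL.
 */
void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
{
#ifdef HAVE_SSL
	SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
	if(!ctx) {
		log_crypto_err("could not allocate SSL_CTX pointer");
		return NULL;
	}
	/* SSL_CTX_set_options returns the new option set; each call is
	 * verified by checking the requested bit is present in it */
#if SSL_OP_NO_SSLv2 != 0
	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
		!= SSL_OP_NO_SSLv2) {
		log_crypto_err("could not set SSL_OP_NO_SSLv2");
		goto fail;
	}
#endif
	if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
		!= SSL_OP_NO_SSLv3) {
		log_crypto_err("could not set SSL_OP_NO_SSLv3");
		goto fail;
	}
#if defined(SSL_OP_NO_RENEGOTIATION)
	/* disable client renegotiation */
	if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
		SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
		log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
		goto fail;
	}
#endif
#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
	/* ignore errors when peers do not send the mandatory close_notify
	 * alert on shutdown.
	 * Relevant for openssl >= 3 */
	if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
		SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
		log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
		goto fail;
	}
#endif
	if(key && key[0]) {
		/* a key without a certificate file would pass NULL/"" into
		 * libssl's file open; report it as a config error instead */
		if(!pem || !pem[0]) {
			log_err("error: client key %s given without a client certificate pem file", key);
			goto fail;
		}
		if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
			log_err("error in client certificate %s", pem);
			log_crypto_err("error in certificate file");
			goto fail;
		}
		if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
			log_err("error in client private key %s", key);
			log_crypto_err("error in key file");
			goto fail;
		}
		/* catches a key that does not belong to the certificate */
		if(!SSL_CTX_check_private_key(ctx)) {
			log_err("error in client key %s", key);
			log_crypto_err("error in SSL_CTX_check_private_key");
			goto fail;
		}
	}
	if((verifypem && verifypem[0]) || wincert) {
		if(verifypem && verifypem[0]) {
			if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
				log_crypto_err("error in SSL_CTX verify");
				goto fail;
			}
		}
#ifdef USE_WINSOCK
		if(wincert) {
			if(!add_WIN_cacerts_to_openssl_store(ctx)) {
				log_crypto_err("error in add_WIN_cacerts_to_openssl_store");
				goto fail;
			}
		}
#else
		if(wincert) {
			if(!SSL_CTX_set_default_verify_paths(ctx)) {
				log_crypto_err("error in default_verify_paths");
				goto fail;
			}
		}
#endif
		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
	}
	return ctx;
fail:
	SSL_CTX_free(ctx);
	return NULL;
#else
	(void)key; (void)pem; (void)verifypem; (void)wincert;
	return NULL;
#endif
}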
1646
/**
 * Wrap an accepted socket in a server-side SSL object.
 * @param sslctx: the SSL_CTX* to create the SSL from.
 * @param fd: the connected socket.
 * @return the SSL* (as void*), in accept state with SSL_MODE_AUTO_RETRY,
 *	or NULL after logging the failure.  Without HAVE_SSL always NULL.
 */
void* incoming_ssl_fd(void* sslctx, int fd)
{
#ifdef HAVE_SSL
	SSL* conn = SSL_new((SSL_CTX*)sslctx);
	if(conn == NULL) {
		log_crypto_err("could not SSL_new");
		return NULL;
	}
	SSL_set_accept_state(conn);
	(void)SSL_set_mode(conn, (long)SSL_MODE_AUTO_RETRY);
	if(SSL_set_fd(conn, fd) == 0) {
		log_crypto_err("could not SSL_set_fd");
		SSL_free(conn);
		conn = NULL;
	}
	return conn;
#else
	(void)sslctx; (void)fd;
	return NULL;
#endif
}
1668
/**
 * Wrap a connecting socket in a client-side SSL object.
 * @param sslctx: the SSL_CTX* to create the SSL from.
 * @param fd: the socket.
 * @return the SSL* (as void*), in connect state with SSL_MODE_AUTO_RETRY,
 *	or NULL after logging the failure.  Without HAVE_SSL always NULL.
 */
void* outgoing_ssl_fd(void* sslctx, int fd)
{
#ifdef HAVE_SSL
	SSL* conn = SSL_new((SSL_CTX*)sslctx);
	if(conn == NULL) {
		log_crypto_err("could not SSL_new");
		return NULL;
	}
	SSL_set_connect_state(conn);
	(void)SSL_set_mode(conn, (long)SSL_MODE_AUTO_RETRY);
	if(SSL_set_fd(conn, fd) == 0) {
		log_crypto_err("could not SSL_set_fd");
		SSL_free(conn);
		conn = NULL;
	}
	return conn;
#else
	(void)sslctx; (void)fd;
	return NULL;
#endif
}
1690
/**
 * Check that an auth_name (TLS authentication name for an upstream) can
 * actually be enforced by the linked libssl.
 * @param auth_name: the name, or NULL when none is configured.
 * @return 1 when there is no name or the library can verify host names
 *	(SSL_set1_host or X509_VERIFY_PARAM_set1_host); 0, after logging,
 *	when a name is set but the library cannot verify it.
 */
int check_auth_name_for_ssl(char* auth_name)
{
#if defined(HAVE_SSL) && !defined(HAVE_SSL_SET1_HOST) && !defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
	if(auth_name != NULL) {
		log_err("the query has an auth_name %s, but libssl has no call to "
			"perform TLS authentication. Remove that name from config "
			"or upgrade the ssl crypto library.", auth_name);
		return 0;
	}
	return 1;
#else
	(void)auth_name;
	return 1;
#endif
}
1703
/**
 * Set the authentication name on an SSL connection: optionally as SNI, and
 * as the host name the peer certificate must match (enabling
 * SSL_VERIFY_PEER on the connection).
 * @param ssl: the SSL*.
 * @param auth_name: host name to require; NULL means nothing to do.
 * @param use_sni: nonzero to also send auth_name as SNI.
 * @return 1 on success or when there is nothing to do; 0 when the host
 *	name could not be set.  With a libssl that lacks both
 *	SSL_set1_host and X509_VERIFY_PARAM_set1_host only a message is
 *	logged and 1 is returned, so no certificate check is enabled here.
 */
int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni)
{
	if(auth_name == NULL)
		return 1;
#ifdef HAVE_SSL
	if(use_sni)
		(void)SSL_set_tlsext_host_name(ssl, auth_name);
#else
	(void)ssl;
	(void)use_sni;
#endif
#ifdef HAVE_SSL_SET1_HOST
	SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
	/* setting the hostname makes openssl verify the
	 * host name in the x509 certificate in the
	 * SSL connection*/
	if(SSL_set1_host(ssl, auth_name) == 0) {
		log_err("SSL_set1_host failed");
		return 0;
	}
#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
	/* openssl 1.0.2 has this function that can be used for
	 * set1_host like verification */
	{
		X509_VERIFY_PARAM* vp = SSL_get0_param(ssl);
# ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
		/* reject wildcards that match only part of a label */
		X509_VERIFY_PARAM_set_hostflags(vp, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
# endif
		if(X509_VERIFY_PARAM_set1_host(vp, auth_name, strlen(auth_name)) == 0) {
			log_err("X509_VERIFY_PARAM_set1_host failed");
			return 0;
		}
		SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
	}
#else
	verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
#endif /* HAVE_SSL_SET1_HOST */
	return 1;
}
1744
1745 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1746 /** global lock list for openssl locks */
1747 static lock_basic_type *ub_openssl_locks = NULL;
1748
1749 /** callback that gets thread id for openssl */
1750 #ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
/** Thread-id callback for pre-1.1 OpenSSL: report the logging thread id. */
static void
ub_crypto_id_cb(CRYPTO_THREADID *id)
{
	unsigned long tid = (unsigned long)log_thread_get();
	CRYPTO_THREADID_set_numeric(id, tid);
}
1756 #else
/** Thread-id callback (old-style) for pre-1.1 OpenSSL. */
static unsigned long
ub_crypto_id_cb(void)
{
	unsigned long tid = (unsigned long)log_thread_get();
	return tid;
}
1762 #endif
1763
/**
 * Locking callback for pre-1.1 OpenSSL: take or release lock number type
 * from ub_openssl_locks depending on the CRYPTO_LOCK bit in mode.
 */
static void
ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
	int ATTR_UNUSED(line))
{
	int acquire = (mode & CRYPTO_LOCK) != 0;
	if(acquire)
		lock_basic_lock(&ub_openssl_locks[type]);
	else
		lock_basic_unlock(&ub_openssl_locks[type]);
}
1774 #endif /* OPENSSL_THREADS */
1775
/**
 * Allocate the lock array pre-1.1 OpenSSL needs for thread safety and
 * register the id and locking callbacks.  A no-op that returns 1 on
 * builds where libssl manages its own locking.
 * @return 1 on success, 0 when the lock array could not be allocated.
 */
int ub_openssl_lock_init(void)
{
#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
	int count = CRYPTO_num_locks();
	int i;
	ub_openssl_locks = (lock_basic_type*)reallocarray(
		NULL, (size_t)count, sizeof(lock_basic_type));
	if(ub_openssl_locks == NULL)
		return 0;
	for(i = 0; i < count; i++)
		lock_basic_init(&ub_openssl_locks[i]);
# ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
	CRYPTO_THREADID_set_callback(&ub_crypto_id_cb);
# else
	CRYPTO_set_id_callback(&ub_crypto_id_cb);
# endif
	CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
#endif /* OPENSSL_THREADS */
	return 1;
}
1796
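/**
 * Unregister the pre-1.1 OpenSSL callbacks and free the lock array.
 * Safe to call when ub_openssl_lock_init was never called or failed, and
 * now also safe to call twice: the pointer is cleared after the free so a
 * repeat call returns early instead of destroying freed locks.
 */
void ub_openssl_lock_delete(void)
{
#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
	int count;
	int i;
	if(!ub_openssl_locks)
		return;
	/* detach the callbacks before the locks they use go away */
# ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
	CRYPTO_THREADID_set_callback(NULL);
# else
	CRYPTO_set_id_callback(NULL);
# endif
	CRYPTO_set_locking_callback(NULL);
	count = CRYPTO_num_locks();
	for(i = 0; i < count; i++)
		lock_basic_destroy(&ub_openssl_locks[i]);
	free(ub_openssl_locks);
	ub_openssl_locks = NULL;
#endif /* OPENSSL_THREADS */
}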
1815
/**
 * Read the configured session ticket key files into the global ticket_keys
 * array.  Each file holds exactly 80 bytes: a 16-byte key name, a 32-byte
 * AES key and a 32-byte HMAC key.  The array is NULL-terminated (by key
 * name) and the first entry is the key used for new tickets.
 * @param tls_session_ticket_keys: list of key file paths.
 * @param chroot: if non-NULL and a path starts with it, that prefix is
 *	stripped before opening (the process is assumed to be chrooted).
 * @return 1 on success, 0 on error (logged).  On error, entries read so
 *	far stay in ticket_keys and the rest of the array is zeroed, so
 *	listen_sslctx_delete_ticket_keys can still release them.  Without
 *	HAVE_SSL always 0.
 */
int listen_sslctx_setup_ticket_keys(struct config_strlist* tls_session_ticket_keys, char* chroot) {
#ifdef HAVE_SSL
	/* file layout: name | AES key | HMAC key */
	enum { TICKET_FILE_LEN = 80, TICKET_NAME_LEN = 16, TICKET_AES_LEN = 32 };
	size_t count = 1;	/* one extra slot for the terminator entry */
	struct config_strlist* entry;
	struct tls_session_ticket_key* slot;
	for(entry = tls_session_ticket_keys; entry != NULL; entry = entry->next)
		count++;
	slot = calloc(count, sizeof(*slot));
	if(slot == NULL)
		return 0;
	memset(slot, 0, count * sizeof(*slot));
	ticket_keys = slot;

	for(entry = tls_session_ticket_keys; entry != NULL; entry = entry->next) {
		const char* path = entry->str;
		unsigned char* blob = (unsigned char*)malloc(TICKET_FILE_LEN);
		FILE* in;
		size_t got;

		if(blob == NULL)
			return 0;
		if(chroot != NULL && strncmp(path, chroot, strlen(chroot)) == 0)
			path += strlen(chroot);
		in = fopen(path, "rb");
		if(in == NULL) {
			log_err("could not read tls-session-ticket-key %s: %s", path, strerror(errno));
			free(blob);
			return 0;
		}
		got = fread(blob, 1, TICKET_FILE_LEN, in);
		fclose(in);

		if(got != TICKET_FILE_LEN) {
			log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", path, (int)got);
			free(blob);
			return 0;
		}
		verbose(VERB_OPS, "read tls-session-ticket-key: %s", path);

		/* the three keys point into the one 80-byte allocation */
		slot->key_name = blob;
		slot->aes_key = blob + TICKET_NAME_LEN;
		slot->hmac_key = blob + TICKET_NAME_LEN + TICKET_AES_LEN;
		slot++;
	}
	/* terminate array with NULL key name entry */
	slot->key_name = NULL;
	return 1;
#else
	(void)tls_session_ticket_keys; (void)chroot;
	return 0;
#endif
}
1872
1873 #ifdef HAVE_SSL
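/**
 * Load a ticket key's 32-byte HMAC key (SHA-256) into the MAC context that
 * libssl hands to tls_session_ticket_key_cb.  The three build variants use
 * different APIs; the result of each is now checked (the EVP_MAC parameter
 * call used to be unchecked) and the same OSSL_MAC_PARAM_KEY name is used
 * for both the encrypt and decrypt sides.
 * @param hmac_ctx: the MAC context from libssl.
 * @param hmac_key: 32 bytes of HMAC key.
 * @return 1 on success, 0 on failure (logged at VERB_CLIENT).
 */
static int
ticket_hmac_init(
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
	EVP_MAC_CTX* hmac_ctx,
#else
	HMAC_CTX* hmac_ctx,
#endif
	unsigned char* hmac_key)
{
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
	OSSL_PARAM params[3];
	params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
		hmac_key, 32);
	params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
		"sha256", 0);
	params[2] = OSSL_PARAM_construct_end();
# ifdef HAVE_EVP_MAC_CTX_SET_PARAMS
	if(EVP_MAC_CTX_set_params(hmac_ctx, params) != 1) {
		verbose(VERB_CLIENT, "EVP_MAC_CTX_set_params failed");
		return 0;
	}
# else
	if(EVP_MAC_set_ctx_params(hmac_ctx, params) != 1) {
		verbose(VERB_CLIENT, "EVP_MAC_set_ctx_params failed");
		return 0;
	}
# endif
	return 1;
#elif !defined(HMAC_INIT_EX_RETURNS_VOID)
	if(HMAC_Init_ex(hmac_ctx, hmac_key, 32, EVP_sha256(), NULL) != 1) {
		verbose(VERB_CLIENT, "HMAC_Init_ex failed");
		return 0;
	}
	return 1;
#else
	/* this libssl's HMAC_Init_ex returns void: nothing to check */
	HMAC_Init_ex(hmac_ctx, hmac_key, 32, EVP_sha256(), NULL);
	return 1;
#endif
}

/**
 * Session ticket key callback for libssl (AES-256-CBC + HMAC-SHA256).
 * On encrypt (enc == 1) the first entry of ticket_keys is used: its name
 * is written to key_name, a random IV is generated and both contexts are
 * keyed.  On decrypt (enc == 0) the entry whose name matches key_name is
 * looked up and used to key both contexts.
 * @param key_name: 16-byte ticket key name (out on encrypt, in on decrypt).
 * @param iv: cipher IV (out on encrypt, in on decrypt).
 * @param evp_sctx: cipher context to initialise.
 * @param hmac_ctx: MAC context to initialise.
 * @param enc: 1 to encrypt, 0 to decrypt.
 * @return on encrypt 1, or -1 on failure; on decrypt 0 if the key name is
 *	unknown, 1 if the current key was used, 2 if an older key was used
 *	(asks libssl to reissue the ticket under the current key), or -1 on
 *	failure.  Any other enc value gives -1.  Without HAVE_SSL always 0.
 */
int tls_session_ticket_key_cb(SSL *ATTR_UNUSED(sslctx), unsigned char* key_name,
	unsigned char* iv, EVP_CIPHER_CTX *evp_sctx,
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
	EVP_MAC_CTX *hmac_ctx,
#else
	HMAC_CTX* hmac_ctx,
#endif
	int enc)
{
#ifdef HAVE_SSL
	const EVP_CIPHER* cipher = EVP_aes_256_cbc();
	int iv_len = EVP_CIPHER_iv_length(cipher);
	struct tls_session_ticket_key* key;

	if(enc == 1) {
		/* encrypt: always with the current (first) key and a fresh IV.
		 * NOTE(review): assumes ticket_keys holds at least one entry;
		 * the callback is only installed after keys were configured. */
		verbose(VERB_CLIENT, "start session encrypt");
		memcpy(key_name, ticket_keys->key_name, 16);
		if(RAND_bytes(iv, iv_len) != 1) {
			verbose(VERB_CLIENT, "RAND_bytes failed");
			return -1;
		}
		if(EVP_EncryptInit_ex(evp_sctx, cipher, NULL,
			ticket_keys->aes_key, iv) != 1) {
			verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed");
			return -1;
		}
		if(!ticket_hmac_init(hmac_ctx, ticket_keys->hmac_key))
			return -1;
		return 1;
	}
	if(enc != 0)
		return -1;

	/* decrypt: find the key named in the ticket */
	verbose(VERB_CLIENT, "start session decrypt");
	for(key = ticket_keys; key->key_name != NULL; key++) {
		if(memcmp(key_name, key->key_name, 16) == 0) {
			verbose(VERB_CLIENT, "Found session_key");
			break;
		}
	}
	if(key->key_name == NULL) {
		verbose(VERB_CLIENT, "Not found session_key");
		return 0;
	}
	if(!ticket_hmac_init(hmac_ctx, key->hmac_key))
		return -1;
	if(EVP_DecryptInit_ex(evp_sctx, cipher, NULL, key->aes_key, iv) != 1) {
		log_err("EVP_DecryptInit_ex failed");
		return -1;
	}
	/* 2 tells libssl the ticket was valid but should be renewed */
	return (key == ticket_keys) ? 1 : 2;
#else
	(void)key_name;
	(void)iv;
	(void)evp_sctx;
	(void)hmac_ctx;
	(void)enc;
	return 0;
#endif
}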
1979 #endif /* HAVE_SSL */
1980
1981 #ifdef HAVE_SSL
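void
listen_sslctx_delete_ticket_keys(void)
{
	struct tls_session_ticket_key *key;
	/* Nothing loaded: the function is safe to call repeatedly. */
	if(!ticket_keys) return;
	for(key = ticket_keys; key->key_name != NULL; key++) {
		/* Wipe the key material before releasing it.  key_name is
		 * the start of an 80-byte buffer (presumably the 16-byte
		 * name followed by the 32-byte AES and 32-byte HMAC keys
		 * used by the ticket callback -- confirm against the
		 * allocation site). */
#ifdef HAVE_EXPLICIT_BZERO
		explicit_bzero(key->key_name, 80);
#else
		{
			/* A plain memset() immediately before free() is a
			 * dead store that the optimizer may drop, leaving the
			 * secrets in memory.  Volatile writes cannot be
			 * elided, so the poison pattern is written through a
			 * volatile pointer instead. */
			volatile unsigned char *p =
				(volatile unsigned char *)key->key_name;
			size_t n;
			for(n = 0; n < 80; n++)
				p[n] = 0xdd;
		}
#endif
		free(key->key_name);
	}
	free(ticket_keys);
	/* Leave no dangling pointer so a second delete is a no-op. */
	ticket_keys = NULL;
}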
1999 #endif /* HAVE_SSL */
2000
2001 # ifndef USE_WINSOCK
char*
sock_strerror(int errn)
{
	/* POSIX sockets report failures through errno, so the C library
	 * strerror() text is the right description for errn. */
	char *msg = strerror(errn);
	return msg;
}
2007
void
sock_close(int socket)
{
	/* On POSIX a socket is an ordinary file descriptor.  The close()
	 * result is intentionally not inspected, as before. */
	int fd = socket;
	(void)close(fd);
}
2013
2014 # else
char*
sock_strerror(int ATTR_UNUSED(errn))
{
	/* Winsock does not use errno: the last error is fetched from
	 * WSAGetLastError() and rendered by wsa_strerror(); errn is
	 * ignored on this platform. */
	int wsa_err = WSAGetLastError();
	return wsa_strerror(wsa_err);
}
2020
void
sock_close(int socket)
{
	/* Winsock sockets are not file descriptors, so closesocket()
	 * must be used rather than close(); its result is not checked. */
	(void)closesocket(socket);
}
2026 # endif /* USE_WINSOCK */
2027
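/**
 * Render a byte string as lower-case hexadecimal text.
 * @param src: bytes to encode.
 * @param srclength: number of bytes in src.
 * @param target: output buffer, receives 2*srclength characters plus a
 *	terminating NUL.
 * @param targsize: size of target in bytes.
 * @return number of characters written (excluding the NUL), or -1 when
 *	target is too small.  Nothing is written on failure.
 */
ssize_t
hex_ntop(uint8_t const *src, size_t srclength, char *target, size_t targsize)
{
	/* Indexed by nibble value 0..15. */
	static const char hexdigits[] = "0123456789abcdef";
	size_t i;

	/* Guard the size arithmetic: if srclength * 2 + 1 wrapped around,
	 * an oversized srclength would pass the check and overrun target. */
	if (srclength > (SIZE_MAX - 1) / 2 || targsize < srclength * 2 + 1) {
		return -1;
	}

	for (i = 0; i < srclength; ++i) {
		*target++ = hexdigits[src[i] >> 4U];
		*target++ = hexdigits[src[i] & 0xfU];
	}
	*target = '\0';
	return (ssize_t)(2 * srclength);
}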
2048
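/**
 * Parse hexadecimal text into bytes.
 * @param src: NUL-terminated string of hex digits (either case); the
 *	length must be even.
 * @param target: output buffer for the decoded bytes.
 * @param targsize: size of target in bytes.
 * @return number of bytes written, or -1 when the input length is odd,
 *	the output buffer is too small, or a non-hex character is found.
 *	On a bad character, bytes decoded before it have already been
 *	written to target.
 */
ssize_t
hex_pton(const char* src, uint8_t* target, size_t targsize)
{
	uint8_t *t = target;
	/* Hoisted: strlen() is O(n) and the value is needed twice. */
	size_t len = strlen(src);
	if(len % 2 != 0 || len/2 > targsize) {
		return -1;
	}
	while(*src) {
		/* Both characters of the pair are validated first, so the
		 * digit conversion below only ever sees a real hex digit. */
		if(!isxdigit((unsigned char)src[0]) ||
			!isxdigit((unsigned char)src[1]))
			return -1;
		*t++ = (uint8_t)(sldns_hexdigit_to_int(src[0]) * 16 +
			sldns_hexdigit_to_int(src[1]));
		src += 2;
	}
	return t-target;
}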
2066