1 2 #include "config.h" 3 #include <stdlib.h> 4 #include <fcntl.h> 5 #ifdef HAVE_TIME_H 6 #include <time.h> 7 #endif 8 #include <inttypes.h> 9 #include <sys/time.h> 10 #include <sys/types.h> 11 #include "sldns/sbuffer.h" 12 #include "util/config_file.h" 13 #include "util/net_help.h" 14 #include "util/netevent.h" 15 #include "util/log.h" 16 #include "util/storage/slabhash.h" 17 #include "util/storage/lookup3.h" 18 19 #include "dnscrypt/cert.h" 20 #include "dnscrypt/dnscrypt.h" 21 #include "dnscrypt/dnscrypt_config.h" 22 23 #include <ctype.h> 24 25 26 /** 27 * \file 28 * dnscrypt functions for encrypting DNS packets. 29 */ 30 31 #define DNSCRYPT_QUERY_BOX_OFFSET \ 32 (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + \ 33 crypto_box_HALF_NONCEBYTES) 34 35 // 8 bytes: magic header (CERT_MAGIC_HEADER) 36 // 12 bytes: the client's nonce 37 // 12 bytes: server nonce extension 38 // 16 bytes: Poly1305 MAC (crypto_box_ZEROBYTES - crypto_box_BOXZEROBYTES) 39 40 #define DNSCRYPT_REPLY_BOX_OFFSET \ 41 (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES + \ 42 crypto_box_HALF_NONCEBYTES) 43 44 45 /** 46 * Shared secret cache key length. 47 * secret key. 48 * 1 byte: ES_VERSION[1] 49 * 32 bytes: client crypto_box_PUBLICKEYBYTES 50 * 32 bytes: server crypto_box_SECRETKEYBYTES 51 */ 52 #define DNSCRYPT_SHARED_SECRET_KEY_LENGTH \ 53 (1 + crypto_box_PUBLICKEYBYTES + crypto_box_SECRETKEYBYTES) 54 55 56 struct shared_secret_cache_key { 57 /** the hash table key */ 58 uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH]; 59 /** the hash table entry, data is uint8_t pointer of size crypto_box_BEFORENMBYTES which contains the shared secret. */ 60 struct lruhash_entry entry; 61 }; 62 63 64 struct nonce_cache_key { 65 /** the nonce used by the client */ 66 uint8_t nonce[crypto_box_HALF_NONCEBYTES]; 67 /** the client_magic used by the client, this is associated to 1 cert only */ 68 uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN]; 69 /** the client public key */ 70 uint8_t client_publickey[crypto_box_PUBLICKEYBYTES]; 71 /** the hash table entry, data is uint8_t */ 72 struct lruhash_entry entry; 73 }; 74 75 /** 76 * Generate a key suitable to find shared secret in slabhash. 77 * \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH 78 * \param[in] esversion: The es version least significant byte. 79 * \param[in] pk: The public key of the client. uint8_t pointer of size 80 * crypto_box_PUBLICKEYBYTES. 81 * \param[in] sk: The secret key of the server matching the magic query number. 82 * uint8_t pointer of size crypto_box_SECRETKEYBYTES. 83 * \return the hash of the key. 84 */ 85 static uint32_t 86 dnsc_shared_secrets_cache_key(uint8_t* key, 87 uint8_t esversion, 88 uint8_t* pk, 89 uint8_t* sk) 90 { 91 key[0] = esversion; 92 memcpy(key + 1, pk, crypto_box_PUBLICKEYBYTES); 93 memcpy(key + 1 + crypto_box_PUBLICKEYBYTES, sk, crypto_box_SECRETKEYBYTES); 94 return hashlittle(key, DNSCRYPT_SHARED_SECRET_KEY_LENGTH, 0); 95 } 96 97 /** 98 * Inserts a shared secret into the shared_secrets_cache slabhash. 99 * The shared secret is copied so the caller can use it freely without caring 100 * about the cache entry being evicted or not. 101 * \param[in] cache: the slabhash in which to look for the key. 102 * \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH 103 * which contains the key of the shared secret. 104 * \param[in] hash: the hash of the key. 105 * \param[in] nmkey: a uint8_t pointer of size crypto_box_BEFORENMBYTES which 106 * contains the shared secret. 107 */ 108 static void 109 dnsc_shared_secret_cache_insert(struct slabhash *cache, 110 uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH], 111 uint32_t hash, 112 uint8_t nmkey[crypto_box_BEFORENMBYTES]) 113 { 114 struct shared_secret_cache_key* k = 115 (struct shared_secret_cache_key*)calloc(1, sizeof(*k)); 116 uint8_t* d = malloc(crypto_box_BEFORENMBYTES); 117 if(!k || !d) { 118 free(k); 119 free(d); 120 return; 121 } 122 memcpy(d, nmkey, crypto_box_BEFORENMBYTES); 123 lock_rw_init(&k->entry.lock); 124 memcpy(k->key, key, DNSCRYPT_SHARED_SECRET_KEY_LENGTH); 125 k->entry.hash = hash; 126 k->entry.key = k; 127 k->entry.data = d; 128 slabhash_insert(cache, 129 hash, &k->entry, 130 d, 131 NULL); 132 } 133 134 /** 135 * Lookup a record in shared_secrets_cache. 136 * \param[in] cache: a pointer to shared_secrets_cache slabhash. 137 * \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH 138 * containing the key to look for. 139 * \param[in] hash: a hash of the key. 140 * \return a pointer to the locked cache entry or NULL on failure. 141 */ 142 static struct lruhash_entry* 143 dnsc_shared_secrets_lookup(struct slabhash* cache, 144 uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH], 145 uint32_t hash) 146 { 147 return slabhash_lookup(cache, hash, key, 0); 148 } 149 150 /** 151 * Generate a key hash suitable to find a nonce in slabhash. 152 * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES 153 * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN 154 * \param[in] pk: The public key of the client. uint8_t pointer of size 155 * crypto_box_PUBLICKEYBYTES. 156 * \return the hash of the key. 157 */ 158 static uint32_t 159 dnsc_nonce_cache_key_hash(const uint8_t nonce[crypto_box_HALF_NONCEBYTES], 160 const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN], 161 const uint8_t pk[crypto_box_PUBLICKEYBYTES]) 162 { 163 uint32_t h = 0; 164 h = hashlittle(nonce, crypto_box_HALF_NONCEBYTES, h); 165 h = hashlittle(magic_query, DNSCRYPT_MAGIC_HEADER_LEN, h); 166 return hashlittle(pk, crypto_box_PUBLICKEYBYTES, h); 167 } 168 169 /** 170 * Inserts a nonce, magic_query, pk tuple into the nonces_cache slabhash. 171 * \param[in] cache: the slabhash in which to look for the key. 172 * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES 173 * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN 174 * \param[in] pk: The public key of the client. uint8_t pointer of size 175 * crypto_box_PUBLICKEYBYTES. 176 * \param[in] hash: the hash of the key. 177 */ 178 static void 179 dnsc_nonce_cache_insert(struct slabhash *cache, 180 const uint8_t nonce[crypto_box_HALF_NONCEBYTES], 181 const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN], 182 const uint8_t pk[crypto_box_PUBLICKEYBYTES], 183 uint32_t hash) 184 { 185 struct nonce_cache_key* k = 186 (struct nonce_cache_key*)calloc(1, sizeof(*k)); 187 if(!k) { 188 free(k); 189 return; 190 } 191 lock_rw_init(&k->entry.lock); 192 memcpy(k->nonce, nonce, crypto_box_HALF_NONCEBYTES); 193 memcpy(k->magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN); 194 memcpy(k->client_publickey, pk, crypto_box_PUBLICKEYBYTES); 195 k->entry.hash = hash; 196 k->entry.key = k; 197 k->entry.data = NULL; 198 slabhash_insert(cache, 199 hash, &k->entry, 200 NULL, 201 NULL); 202 } 203 204 /** 205 * Lookup a record in nonces_cache. 206 * \param[in] cache: the slabhash in which to look for the key. 207 * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES 208 * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN 209 * \param[in] pk: The public key of the client. uint8_t pointer of size 210 * crypto_box_PUBLICKEYBYTES. 211 * \param[in] hash: the hash of the key. 212 * \return a pointer to the locked cache entry or NULL on failure. 213 */ 214 static struct lruhash_entry* 215 dnsc_nonces_lookup(struct slabhash* cache, 216 const uint8_t nonce[crypto_box_HALF_NONCEBYTES], 217 const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN], 218 const uint8_t pk[crypto_box_PUBLICKEYBYTES], 219 uint32_t hash) 220 { 221 struct nonce_cache_key k; 222 memset(&k, 0, sizeof(k)); 223 k.entry.hash = hash; 224 memcpy(k.nonce, nonce, crypto_box_HALF_NONCEBYTES); 225 memcpy(k.magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN); 226 memcpy(k.client_publickey, pk, crypto_box_PUBLICKEYBYTES); 227 228 return slabhash_lookup(cache, hash, &k, 0); 229 } 230 231 /** 232 * Decrypt a query using the dnsccert that was found using dnsc_find_cert. 233 * The client nonce will be extracted from the encrypted query and stored in 234 * client_nonce, a shared secret will be computed and stored in nmkey and the 235 * buffer will be decrypted inplace. 236 * \param[in] env the dnscrypt environment. 237 * \param[in] cert the cert that matches this encrypted query. 238 * \param[in] client_nonce where the client nonce will be stored. 239 * \param[in] nmkey where the shared secret key will be written. 240 * \param[in] buffer the encrypted buffer. 241 * \return 0 on success. 242 */ 243 static int 244 dnscrypt_server_uncurve(struct dnsc_env* env, 245 const dnsccert *cert, 246 uint8_t client_nonce[crypto_box_HALF_NONCEBYTES], 247 uint8_t nmkey[crypto_box_BEFORENMBYTES], 248 struct sldns_buffer* buffer) 249 { 250 size_t len = sldns_buffer_limit(buffer); 251 uint8_t *const buf = sldns_buffer_begin(buffer); 252 uint8_t nonce[crypto_box_NONCEBYTES]; 253 struct dnscrypt_query_header *query_header; 254 // shared secret cache 255 uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH]; 256 struct lruhash_entry* entry; 257 uint32_t hash; 258 259 uint32_t nonce_hash; 260 261 if (len <= DNSCRYPT_QUERY_HEADER_SIZE) { 262 return -1; 263 } 264 265 query_header = (struct dnscrypt_query_header *)buf; 266 267 /* Detect replay attacks */ 268 nonce_hash = dnsc_nonce_cache_key_hash( 269 query_header->nonce, 270 cert->magic_query, 271 query_header->publickey); 272 273 lock_basic_lock(&env->nonces_cache_lock); 274 entry = dnsc_nonces_lookup( 275 env->nonces_cache, 276 query_header->nonce, 277 cert->magic_query, 278 query_header->publickey, 279 nonce_hash); 280 281 if(entry) { 282 lock_rw_unlock(&entry->lock); 283 env->num_query_dnscrypt_replay++; 284 lock_basic_unlock(&env->nonces_cache_lock); 285 return -1; 286 } 287 288 dnsc_nonce_cache_insert( 289 env->nonces_cache, 290 query_header->nonce, 291 cert->magic_query, 292 query_header->publickey, 293 nonce_hash); 294 lock_basic_unlock(&env->nonces_cache_lock); 295 296 /* Find existing shared secret */ 297 hash = dnsc_shared_secrets_cache_key(key, 298 cert->es_version[1], 299 query_header->publickey, 300 cert->keypair->crypt_secretkey); 301 entry = dnsc_shared_secrets_lookup(env->shared_secrets_cache, 302 key, 303 hash); 304 305 if(!entry) { 306 lock_basic_lock(&env->shared_secrets_cache_lock); 307 env->num_query_dnscrypt_secret_missed_cache++; 308 lock_basic_unlock(&env->shared_secrets_cache_lock); 309 if(cert->es_version[1] == 2) { 310 #ifdef USE_DNSCRYPT_XCHACHA20 311 if (crypto_box_curve25519xchacha20poly1305_beforenm( 312 nmkey, query_header->publickey, 313 cert->keypair->crypt_secretkey) != 0) { 314 return -1; 315 } 316 #else 317 return -1; 318 #endif 319 } else { 320 if (crypto_box_beforenm(nmkey, 321 query_header->publickey, 322 cert->keypair->crypt_secretkey) != 0) { 323 return -1; 324 } 325 } 326 // Cache the shared secret we just computed. 327 dnsc_shared_secret_cache_insert(env->shared_secrets_cache, 328 key, 329 hash, 330 nmkey); 331 } else { 332 /* copy shared secret and unlock entry */ 333 memcpy(nmkey, entry->data, crypto_box_BEFORENMBYTES); 334 lock_rw_unlock(&entry->lock); 335 } 336 337 memcpy(nonce, query_header->nonce, crypto_box_HALF_NONCEBYTES); 338 memset(nonce + crypto_box_HALF_NONCEBYTES, 0, crypto_box_HALF_NONCEBYTES); 339 340 if(cert->es_version[1] == 2) { 341 #ifdef USE_DNSCRYPT_XCHACHA20 342 if (crypto_box_curve25519xchacha20poly1305_open_easy_afternm 343 (buf, 344 buf + DNSCRYPT_QUERY_BOX_OFFSET, 345 len - DNSCRYPT_QUERY_BOX_OFFSET, nonce, 346 nmkey) != 0) { 347 return -1; 348 } 349 #else 350 return -1; 351 #endif 352 } else { 353 if (crypto_box_open_easy_afternm 354 (buf, 355 buf + DNSCRYPT_QUERY_BOX_OFFSET, 356 len - DNSCRYPT_QUERY_BOX_OFFSET, nonce, 357 nmkey) != 0) { 358 return -1; 359 } 360 } 361 362 len -= DNSCRYPT_QUERY_HEADER_SIZE; 363 364 while (*sldns_buffer_at(buffer, --len) == 0) 365 ; 366 367 if (*sldns_buffer_at(buffer, len) != 0x80) { 368 return -1; 369 } 370 371 memcpy(client_nonce, nonce, crypto_box_HALF_NONCEBYTES); 372 373 sldns_buffer_set_position(buffer, 0); 374 sldns_buffer_set_limit(buffer, len); 375 376 return 0; 377 } 378 379 380 /** 381 * Add random padding to a buffer, according to a client nonce. 382 * The length has to depend on the query in order to avoid reply attacks. 383 * 384 * @param buf a buffer 385 * @param len the initial size of the buffer 386 * @param max_len the maximum size 387 * @param nonce a nonce, made of the client nonce repeated twice 388 * @param secretkey 389 * @return the new size, after padding 390 */ 391 size_t 392 dnscrypt_pad(uint8_t *buf, const size_t len, const size_t max_len, 393 const uint8_t *nonce, const uint8_t *secretkey) 394 { 395 uint8_t *buf_padding_area = buf + len; 396 size_t padded_len; 397 uint32_t rnd; 398 399 // no padding 400 if (max_len < len + DNSCRYPT_MIN_PAD_LEN) 401 return len; 402 403 assert(nonce[crypto_box_HALF_NONCEBYTES] == nonce[0]); 404 405 crypto_stream((unsigned char *)&rnd, (unsigned long long)sizeof(rnd), nonce, 406 secretkey); 407 padded_len = 408 len + DNSCRYPT_MIN_PAD_LEN + rnd % (max_len - len - 409 DNSCRYPT_MIN_PAD_LEN + 1); 410 padded_len += DNSCRYPT_BLOCK_SIZE - padded_len % DNSCRYPT_BLOCK_SIZE; 411 if (padded_len > max_len) 412 padded_len = max_len; 413 414 memset(buf_padding_area, 0, padded_len - len); 415 *buf_padding_area = 0x80; 416 417 return padded_len; 418 } 419 420 uint64_t 421 dnscrypt_hrtime(void) 422 { 423 struct timeval tv; 424 uint64_t ts = (uint64_t)0U; 425 int ret; 426 427 ret = gettimeofday(&tv, NULL); 428 if (ret == 0) { 429 ts = (uint64_t)tv.tv_sec * 1000000U + (uint64_t)tv.tv_usec; 430 } else { 431 log_err("gettimeofday: %s", strerror(errno)); 432 } 433 return ts; 434 } 435 436 /** 437 * Add the server nonce part to once. 438 * The nonce is made half of client nonce and the second half of the server 439 * nonce, both of them of size crypto_box_HALF_NONCEBYTES. 440 * \param[in] nonce: a uint8_t* of size crypto_box_NONCEBYTES 441 */ 442 static void 443 add_server_nonce(uint8_t *nonce) 444 { 445 randombytes_buf(nonce + crypto_box_HALF_NONCEBYTES, 8/*tsn*/+4/*suffix*/); 446 } 447 448 /** 449 * Encrypt a reply using the dnsccert that was used with the query. 450 * The client nonce will be extracted from the encrypted query and stored in 451 * The buffer will be encrypted inplace. 452 * \param[in] cert the dnsccert that matches this encrypted query. 453 * \param[in] client_nonce client nonce used during the query 454 * \param[in] nmkey shared secret key used during the query. 455 * \param[in] buffer the buffer where to encrypt the reply. 456 * \param[in] udp if whether or not it is a UDP query. 457 * \param[in] max_udp_size configured max udp size. 458 * \return 0 on success. 459 */ 460 static int 461 dnscrypt_server_curve(const dnsccert *cert, 462 uint8_t client_nonce[crypto_box_HALF_NONCEBYTES], 463 uint8_t nmkey[crypto_box_BEFORENMBYTES], 464 struct sldns_buffer* buffer, 465 uint8_t udp, 466 size_t max_udp_size) 467 { 468 size_t dns_reply_len = sldns_buffer_limit(buffer); 469 size_t max_len = dns_reply_len + DNSCRYPT_MAX_PADDING \ 470 + DNSCRYPT_REPLY_HEADER_SIZE; 471 size_t max_reply_size = max_udp_size - 20U - 8U; 472 uint8_t nonce[crypto_box_NONCEBYTES]; 473 uint8_t *boxed; 474 uint8_t *const buf = sldns_buffer_begin(buffer); 475 size_t len = sldns_buffer_limit(buffer); 476 477 if(udp){ 478 if (max_len > max_reply_size) 479 max_len = max_reply_size; 480 } 481 482 483 memcpy(nonce, client_nonce, crypto_box_HALF_NONCEBYTES); 484 memcpy(nonce + crypto_box_HALF_NONCEBYTES, client_nonce, 485 crypto_box_HALF_NONCEBYTES); 486 487 boxed = buf + DNSCRYPT_REPLY_BOX_OFFSET; 488 memmove(boxed + crypto_box_MACBYTES, buf, len); 489 len = dnscrypt_pad(boxed + crypto_box_MACBYTES, len, 490 max_len - DNSCRYPT_REPLY_HEADER_SIZE, nonce, 491 cert->keypair->crypt_secretkey); 492 sldns_buffer_set_at(buffer, 493 DNSCRYPT_REPLY_BOX_OFFSET - crypto_box_BOXZEROBYTES, 494 0, crypto_box_ZEROBYTES); 495 496 // add server nonce extension 497 add_server_nonce(nonce); 498 499 if(cert->es_version[1] == 2) { 500 #ifdef USE_DNSCRYPT_XCHACHA20 501 if (crypto_box_curve25519xchacha20poly1305_easy_afternm 502 (boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) { 503 return -1; 504 } 505 #else 506 return -1; 507 #endif 508 } else { 509 if (crypto_box_easy_afternm 510 (boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) { 511 return -1; 512 } 513 } 514 515 sldns_buffer_write_at(buffer, 516 0, 517 DNSCRYPT_MAGIC_RESPONSE, 518 DNSCRYPT_MAGIC_HEADER_LEN); 519 sldns_buffer_write_at(buffer, 520 DNSCRYPT_MAGIC_HEADER_LEN, 521 nonce, 522 crypto_box_NONCEBYTES); 523 sldns_buffer_set_limit(buffer, len + DNSCRYPT_REPLY_HEADER_SIZE); 524 return 0; 525 } 526 527 /** 528 * Read the content of fname into buf. 529 * \param[in] fname name of the file to read. 530 * \param[in] buf the buffer in which to read the content of the file. 531 * \param[in] count number of bytes to read. 532 * \return 0 on success. 533 */ 534 static int 535 dnsc_read_from_file(char *fname, char *buf, size_t count) 536 { 537 int fd; 538 fd = open(fname, O_RDONLY); 539 if (fd == -1) { 540 return -1; 541 } 542 if (read(fd, buf, count) != (ssize_t)count) { 543 close(fd); 544 return -2; 545 } 546 close(fd); 547 return 0; 548 } 549 550 /** 551 * Given an absolute path on the original root, returns the absolute path 552 * within the chroot. If chroot is disabled, the path is not modified. 553 * No char * is malloced so there is no need to free this. 554 * \param[in] cfg the configuration. 555 * \param[in] path the path from the original root. 556 * \return the path from inside the chroot. 557 */ 558 static char * 559 dnsc_chroot_path(struct config_file *cfg, char *path) 560 { 561 char *nm; 562 nm = path; 563 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm, 564 cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 565 nm += strlen(cfg->chrootdir); 566 return nm; 567 } 568 569 /** 570 * Parse certificates files provided by the configuration and load them into 571 * dnsc_env. 572 * \param[in] env the dnsc_env structure to load the certs into. 573 * \param[in] cfg the configuration. 574 * \return the number of certificates loaded. 575 */ 576 static int 577 dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg) 578 { 579 struct config_strlist *head, *head2; 580 size_t signed_cert_id; 581 size_t rotated_cert_id; 582 char *nm; 583 584 env->signed_certs_count = 0U; 585 env->rotated_certs_count = 0U; 586 for (head = cfg->dnscrypt_provider_cert; head; head = head->next) { 587 env->signed_certs_count++; 588 } 589 for (head = cfg->dnscrypt_provider_cert_rotated; head; head = head->next) { 590 env->rotated_certs_count++; 591 } 592 env->signed_certs = sodium_allocarray(env->signed_certs_count, 593 sizeof *env->signed_certs); 594 595 env->rotated_certs = sodium_allocarray(env->rotated_certs_count, 596 sizeof env->signed_certs); 597 signed_cert_id = 0U; 598 rotated_cert_id = 0U; 599 for(head = cfg->dnscrypt_provider_cert; head; head = head->next, signed_cert_id++) { 600 nm = dnsc_chroot_path(cfg, head->str); 601 if(dnsc_read_from_file( 602 nm, 603 (char *)(env->signed_certs + signed_cert_id), 604 sizeof(struct SignedCert)) != 0) { 605 fatal_exit("dnsc_parse_certs: failed to load %s: %s", head->str, strerror(errno)); 606 } 607 for(head2 = cfg->dnscrypt_provider_cert_rotated; head2; head2 = head2->next) { 608 if(strcmp(head->str, head2->str) == 0) { 609 *(env->rotated_certs + rotated_cert_id) = env->signed_certs + signed_cert_id; 610 rotated_cert_id++; 611 verbose(VERB_OPS, "Cert %s is rotated and will not be distributed via DNS", head->str); 612 break; 613 } 614 } 615 verbose(VERB_OPS, "Loaded cert %s", head->str); 616 } 617 return signed_cert_id; 618 } 619 620 /** 621 * Helper function to convert a binary key into a printable fingerprint. 622 * \param[in] fingerprint the buffer in which to write the printable key. 623 * \param[in] key the key to convert. 624 */ 625 void 626 dnsc_key_to_fingerprint(char fingerprint[80U], const uint8_t * const key) 627 { 628 const size_t fingerprint_size = 80U; 629 size_t fingerprint_pos = (size_t) 0U; 630 size_t key_pos = (size_t) 0U; 631 632 for (;;) { 633 assert(fingerprint_size > fingerprint_pos); 634 snprintf(&fingerprint[fingerprint_pos], 635 fingerprint_size - fingerprint_pos, "%02X%02X", 636 key[key_pos], key[key_pos + 1U]); 637 key_pos += 2U; 638 if (key_pos >= crypto_box_PUBLICKEYBYTES) { 639 break; 640 } 641 fingerprint[fingerprint_pos + 4U] = ':'; 642 fingerprint_pos += 5U; 643 } 644 } 645 646 /** 647 * Find the cert matching a DNSCrypt query. 648 * \param[in] dnscenv The DNSCrypt environment, which contains the list of certs 649 * supported by the server. 650 * \param[in] buffer The encrypted DNS query. 651 * \return a dnsccert * if we found a cert matching the magic_number of the 652 * query, NULL otherwise. 653 */ 654 static const dnsccert * 655 dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer) 656 { 657 const dnsccert *certs = dnscenv->certs; 658 struct dnscrypt_query_header *dnscrypt_header; 659 size_t i; 660 661 if (sldns_buffer_limit(buffer) < DNSCRYPT_QUERY_HEADER_SIZE) { 662 return NULL; 663 } 664 dnscrypt_header = (struct dnscrypt_query_header *)sldns_buffer_begin(buffer); 665 for (i = 0U; i < dnscenv->signed_certs_count; i++) { 666 if (memcmp(certs[i].magic_query, dnscrypt_header->magic_query, 667 DNSCRYPT_MAGIC_HEADER_LEN) == 0) { 668 return &certs[i]; 669 } 670 } 671 return NULL; 672 } 673 674 /** 675 * Insert local-zone and local-data into configuration. 676 * In order to be able to serve certs over TXT, we can reuse the local-zone and 677 * local-data config option. The zone and qname are inferred from the 678 * provider_name and the content of the TXT record from the certificate content. 679 * returns the number of certificate TXT record that were loaded. 680 * < 0 in case of error. 681 */ 682 static int 683 dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg) 684 { 685 size_t i, j; 686 // Insert 'local-zone: "2.dnscrypt-cert.example.com" deny' 687 if(!cfg_str2list_insert(&cfg->local_zones, 688 strdup(dnscenv->provider_name), 689 strdup("deny"))) { 690 log_err("Could not load dnscrypt local-zone: %s deny", 691 dnscenv->provider_name); 692 return -1; 693 } 694 695 // Add local data entry of type: 696 // 2.dnscrypt-cert.example.com 86400 IN TXT "DNSC......" 697 for(i=0; i<dnscenv->signed_certs_count; i++) { 698 const char *ttl_class_type = " 86400 IN TXT \""; 699 int rotated_cert = 0; 700 uint32_t serial; 701 uint16_t rrlen; 702 char* rr; 703 struct SignedCert *cert = dnscenv->signed_certs + i; 704 // Check if the certificate is being rotated and should not be published 705 for(j=0; j<dnscenv->rotated_certs_count; j++){ 706 if(cert == dnscenv->rotated_certs[j]) { 707 rotated_cert = 1; 708 break; 709 } 710 } 711 memcpy(&serial, cert->serial, sizeof serial); 712 serial = htonl(serial); 713 if(rotated_cert) { 714 verbose(VERB_OPS, 715 "DNSCrypt: not adding cert with serial #%" 716 PRIu32 717 " to local-data as it is rotated", 718 serial 719 ); 720 continue; 721 } 722 if((unsigned)strlen(dnscenv->provider_name) >= (unsigned)0xffff0000) { 723 /* guard against integer overflow in rrlen calculation */ 724 verbose(VERB_OPS, "cert #%" PRIu32 " is too long", serial); 725 continue; 726 } 727 rrlen = strlen(dnscenv->provider_name) + 728 strlen(ttl_class_type) + 729 4 * sizeof(struct SignedCert) + // worst case scenario 730 1 + // trailing double quote 731 1; 732 rr = malloc(rrlen); 733 if(!rr) { 734 log_err("Could not allocate memory"); 735 return -2; 736 } 737 snprintf(rr, rrlen - 1, "%s 86400 IN TXT \"", dnscenv->provider_name); 738 for(j=0; j<sizeof(struct SignedCert); j++) { 739 int c = (int)*((const uint8_t *) cert + j); 740 if (isprint(c) && c != '"' && c != '\\') { 741 snprintf(rr + strlen(rr), rrlen - strlen(rr), "%c", c); 742 } else { 743 snprintf(rr + strlen(rr), rrlen - strlen(rr), "\\%03d", c); 744 } 745 } 746 verbose(VERB_OPS, 747 "DNSCrypt: adding cert with serial #%" 748 PRIu32 749 " to local-data to config: %s", 750 serial, rr 751 ); 752 snprintf(rr + strlen(rr), rrlen - strlen(rr), "\""); 753 cfg_strlist_insert(&cfg->local_data, strdup(rr)); 754 free(rr); 755 } 756 return dnscenv->signed_certs_count; 757 } 758 759 static const char * 760 key_get_es_version(uint8_t version[2]) 761 { 762 struct es_version { 763 uint8_t es_version[2]; 764 const char *name; 765 }; 766 767 const int num_versions = 2; 768 struct es_version es_versions[] = { 769 {{0x00, 0x01}, "X25519-XSalsa20Poly1305"}, 770 {{0x00, 0x02}, "X25519-XChacha20Poly1305"}, 771 }; 772 int i; 773 for(i=0; i < num_versions; i++){ 774 if(es_versions[i].es_version[0] == version[0] && 775 es_versions[i].es_version[1] == version[1]){ 776 return es_versions[i].name; 777 } 778 } 779 return NULL; 780 } 781 782 783 /** 784 * Parse the secret key files from `dnscrypt-secret-key` config and populates 785 * a list of dnsccert with es_version, magic number and secret/public keys 786 * supported by dnscrypt listener. 787 * \param[in] env The dnsc_env structure which will hold the keypairs. 788 * \param[in] cfg The config with the secret key file paths. 789 */ 790 static int 791 dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg) 792 { 793 struct config_strlist *head; 794 size_t cert_id, keypair_id; 795 size_t c; 796 char *nm; 797 798 env->keypairs_count = 0U; 799 for (head = cfg->dnscrypt_secret_key; head; head = head->next) { 800 env->keypairs_count++; 801 } 802 803 env->keypairs = sodium_allocarray(env->keypairs_count, 804 sizeof *env->keypairs); 805 env->certs = sodium_allocarray(env->signed_certs_count, 806 sizeof *env->certs); 807 808 cert_id = 0U; 809 keypair_id = 0U; 810 for(head = cfg->dnscrypt_secret_key; head; head = head->next, keypair_id++) { 811 char fingerprint[80]; 812 int found_cert = 0; 813 KeyPair *current_keypair = &env->keypairs[keypair_id]; 814 nm = dnsc_chroot_path(cfg, head->str); 815 if(dnsc_read_from_file( 816 nm, 817 (char *)(current_keypair->crypt_secretkey), 818 crypto_box_SECRETKEYBYTES) != 0) { 819 fatal_exit("dnsc_parse_keys: failed to load %s: %s", head->str, strerror(errno)); 820 } 821 verbose(VERB_OPS, "Loaded key %s", head->str); 822 if (crypto_scalarmult_base(current_keypair->crypt_publickey, 823 current_keypair->crypt_secretkey) != 0) { 824 fatal_exit("dnsc_parse_keys: could not generate public key from %s", head->str); 825 } 826 dnsc_key_to_fingerprint(fingerprint, current_keypair->crypt_publickey); 827 verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s", head->str, fingerprint); 828 // find the cert matching this key 829 for(c = 0; c < env->signed_certs_count; c++) { 830 if(memcmp(current_keypair->crypt_publickey, 831 env->signed_certs[c].server_publickey, 832 crypto_box_PUBLICKEYBYTES) == 0) { 833 dnsccert *current_cert = &env->certs[cert_id++]; 834 found_cert = 1; 835 current_cert->keypair = current_keypair; 836 memcpy(current_cert->magic_query, 837 env->signed_certs[c].magic_query, 838 sizeof env->signed_certs[c].magic_query); 839 memcpy(current_cert->es_version, 840 env->signed_certs[c].version_major, 841 sizeof env->signed_certs[c].version_major 842 ); 843 dnsc_key_to_fingerprint(fingerprint, 844 current_cert->keypair->crypt_publickey); 845 verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s", 846 head->str, fingerprint); 847 verbose(VERB_OPS, "Using %s", 848 key_get_es_version(current_cert->es_version)); 849 #ifndef USE_DNSCRYPT_XCHACHA20 850 if (current_cert->es_version[1] == 0x02) { 851 fatal_exit("Certificate for XChacha20 but libsodium does not support it."); 852 } 853 #endif 854 855 } 856 } 857 if (!found_cert) { 858 fatal_exit("dnsc_parse_keys: could not match certificate for key " 859 "%s. Unable to determine ES version.", 860 head->str); 861 } 862 } 863 return cert_id; 864 } 865 866 #ifdef SODIUM_MISUSE_HANDLER 867 static void 868 sodium_misuse_handler(void) 869 { 870 fatal_exit( 871 "dnscrypt: libsodium could not be initialized, this typically" 872 " happens when no good source of entropy is found. If you run" 873 " unbound in a chroot, make sure /dev/urandom is available. See" 874 " https://www.unbound.net/documentation/unbound.conf.html"); 875 } 876 #endif 877 878 879 /** 880 * ######################################################### 881 * ############# Publicly accessible functions ############# 882 * ######################################################### 883 */ 884 885 int 886 dnsc_handle_curved_request(struct dnsc_env* dnscenv, 887 struct comm_reply* repinfo) 888 { 889 struct comm_point* c = repinfo->c; 890 891 repinfo->is_dnscrypted = 0; 892 if( !c->dnscrypt ) { 893 return 1; 894 } 895 // Attempt to decrypt the query. If it is not crypted, we may still need 896 // to serve the certificate. 897 verbose(VERB_ALGO, "handle request called on DNSCrypt socket"); 898 if ((repinfo->dnsc_cert = dnsc_find_cert(dnscenv, c->buffer)) != NULL) { 899 if(dnscrypt_server_uncurve(dnscenv, 900 repinfo->dnsc_cert, 901 repinfo->client_nonce, 902 repinfo->nmkey, 903 c->buffer) != 0){ 904 verbose(VERB_ALGO, "dnscrypt: Failed to uncurve"); 905 comm_point_drop_reply(repinfo); 906 return 0; 907 } 908 repinfo->is_dnscrypted = 1; 909 sldns_buffer_rewind(c->buffer); 910 } 911 return 1; 912 } 913 914 int 915 dnsc_handle_uncurved_request(struct comm_reply *repinfo) 916 { 917 if(!repinfo->c->dnscrypt) { 918 return 1; 919 } 920 sldns_buffer_copy(repinfo->c->dnscrypt_buffer, repinfo->c->buffer); 921 if(!repinfo->is_dnscrypted) { 922 return 1; 923 } 924 if(dnscrypt_server_curve(repinfo->dnsc_cert, 925 repinfo->client_nonce, 926 repinfo->nmkey, 927 repinfo->c->dnscrypt_buffer, 928 repinfo->c->type == comm_udp, 929 repinfo->max_udp_size) != 0){ 930 verbose(VERB_ALGO, "dnscrypt: Failed to curve cached missed answer"); 931 comm_point_drop_reply(repinfo); 932 return 0; 933 } 934 return 1; 935 } 936 937 struct dnsc_env * 938 dnsc_create(void) 939 { 940 struct dnsc_env *env; 941 #ifdef SODIUM_MISUSE_HANDLER 942 sodium_set_misuse_handler(sodium_misuse_handler); 943 #endif 944 if (sodium_init() == -1) { 945 fatal_exit("dnsc_create: could not initialize libsodium."); 946 } 947 env = (struct dnsc_env *) calloc(1, sizeof(struct dnsc_env)); 948 lock_basic_init(&env->shared_secrets_cache_lock); 949 lock_protect(&env->shared_secrets_cache_lock, 950 &env->num_query_dnscrypt_secret_missed_cache, 951 sizeof(env->num_query_dnscrypt_secret_missed_cache)); 952 lock_basic_init(&env->nonces_cache_lock); 953 lock_protect(&env->nonces_cache_lock, 954 &env->nonces_cache, 955 sizeof(env->nonces_cache)); 956 lock_protect(&env->nonces_cache_lock, 957 &env->num_query_dnscrypt_replay, 958 sizeof(env->num_query_dnscrypt_replay)); 959 960 return env; 961 } 962 963 int 964 dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg) 965 { 966 if(dnsc_parse_certs(env, cfg) <= 0) { 967 fatal_exit("dnsc_apply_cfg: no cert file loaded"); 968 } 969 if(dnsc_parse_keys(env, cfg) <= 0) { 970 fatal_exit("dnsc_apply_cfg: no key file loaded"); 971 } 972 randombytes_buf(env->hash_key, sizeof env->hash_key); 973 env->provider_name = cfg->dnscrypt_provider; 974 975 if(dnsc_load_local_data(env, cfg) <= 0) { 976 fatal_exit("dnsc_apply_cfg: could not load local data"); 977 } 978 lock_basic_lock(&env->shared_secrets_cache_lock); 979 env->shared_secrets_cache = slabhash_create( 980 cfg->dnscrypt_shared_secret_cache_slabs, 981 HASH_DEFAULT_STARTARRAY, 982 cfg->dnscrypt_shared_secret_cache_size, 983 dnsc_shared_secrets_sizefunc, 984 dnsc_shared_secrets_compfunc, 985 dnsc_shared_secrets_delkeyfunc, 986 dnsc_shared_secrets_deldatafunc, 987 NULL 988 ); 989 lock_basic_unlock(&env->shared_secrets_cache_lock); 990 if(!env->shared_secrets_cache){ 991 fatal_exit("dnsc_apply_cfg: could not create shared secrets cache."); 992 } 993 lock_basic_lock(&env->nonces_cache_lock); 994 env->nonces_cache = slabhash_create( 995 cfg->dnscrypt_nonce_cache_slabs, 996 HASH_DEFAULT_STARTARRAY, 997 cfg->dnscrypt_nonce_cache_size, 998 dnsc_nonces_sizefunc, 999 dnsc_nonces_compfunc, 1000 dnsc_nonces_delkeyfunc, 1001 dnsc_nonces_deldatafunc, 1002 NULL 1003 ); 1004 lock_basic_unlock(&env->nonces_cache_lock); 1005 return 0; 1006 } 1007 1008 void 1009 dnsc_delete(struct dnsc_env *env) 1010 { 1011 if(!env) { 1012 return; 1013 } 1014 verbose(VERB_OPS, "DNSCrypt: Freeing environment."); 1015 sodium_free(env->signed_certs); 1016 sodium_free(env->rotated_certs); 1017 sodium_free(env->certs); 1018 sodium_free(env->keypairs); 1019 lock_basic_destroy(&env->shared_secrets_cache_lock); 1020 lock_basic_destroy(&env->nonces_cache_lock); 1021 slabhash_delete(env->shared_secrets_cache); 1022 slabhash_delete(env->nonces_cache); 1023 free(env); 1024 } 1025 1026 /** 1027 * ######################################################### 1028 * ############# Shared secrets cache functions ############ 1029 * ######################################################### 1030 */ 1031 1032 size_t 1033 dnsc_shared_secrets_sizefunc(void *k, void* ATTR_UNUSED(d)) 1034 { 1035 struct shared_secret_cache_key* ssk = (struct shared_secret_cache_key*)k; 1036 size_t key_size = sizeof(struct shared_secret_cache_key) 1037 + lock_get_mem(&ssk->entry.lock); 1038 size_t data_size = crypto_box_BEFORENMBYTES; 1039 (void)ssk; /* otherwise ssk is unused if no threading, or fixed locksize */ 1040 return key_size + data_size; 1041 } 1042 1043 int 1044 dnsc_shared_secrets_compfunc(void *m1, void *m2) 1045 { 1046 return sodium_memcmp(m1, m2, DNSCRYPT_SHARED_SECRET_KEY_LENGTH); 1047 } 1048 1049 void 1050 dnsc_shared_secrets_delkeyfunc(void *k, void* ATTR_UNUSED(arg)) 1051 { 1052 struct shared_secret_cache_key* ssk = (struct shared_secret_cache_key*)k; 1053 lock_rw_destroy(&ssk->entry.lock); 1054 free(ssk); 1055 } 1056 1057 void 1058 dnsc_shared_secrets_deldatafunc(void* d, void* ATTR_UNUSED(arg)) 1059 { 1060 uint8_t* data = (uint8_t*)d; 1061 free(data); 1062 } 1063 1064 /** 1065 * ######################################################### 1066 * ############### Nonces cache functions ################## 1067 * ######################################################### 1068 */ 1069 1070 size_t 1071 dnsc_nonces_sizefunc(void *k, void* ATTR_UNUSED(d)) 1072 { 1073 struct nonce_cache_key* nk = (struct nonce_cache_key*)k; 1074 size_t key_size = sizeof(struct nonce_cache_key) 1075 + lock_get_mem(&nk->entry.lock); 1076 (void)nk; /* otherwise ssk is unused if no threading, or fixed locksize */ 1077 return key_size; 1078 } 1079 1080 int 1081 dnsc_nonces_compfunc(void *m1, void *m2) 1082 { 1083 struct nonce_cache_key *k1 = m1, *k2 = m2; 1084 return 1085 sodium_memcmp( 1086 k1->nonce, 1087 k2->nonce, 1088 crypto_box_HALF_NONCEBYTES) != 0 || 1089 sodium_memcmp( 1090 k1->magic_query, 1091 k2->magic_query, 1092 DNSCRYPT_MAGIC_HEADER_LEN) != 0 || 1093 sodium_memcmp( 1094 k1->client_publickey, k2->client_publickey, 1095 crypto_box_PUBLICKEYBYTES) != 0; 1096 } 1097 1098 void 1099 dnsc_nonces_delkeyfunc(void *k, void* ATTR_UNUSED(arg)) 1100 { 1101 struct nonce_cache_key* nk = (struct nonce_cache_key*)k; 1102 lock_rw_destroy(&nk->entry.lock); 1103 free(nk); 1104 } 1105 1106 void 1107 dnsc_nonces_deldatafunc(void* ATTR_UNUSED(d), void* ATTR_UNUSED(arg)) 1108 { 1109 return; 1110 } 1111