xref: /freebsd/contrib/unbound/dnscrypt/dnscrypt.c (revision d0ba1baed3f6e4936a0c1b89c25f6c59168ef6de)
1 
2 #include "config.h"
3 #include <stdlib.h>
4 #include <fcntl.h>
5 #ifdef HAVE_TIME_H
6 #include <time.h>
7 #endif
8 #include <inttypes.h>
9 #include <sys/time.h>
10 #include <sys/types.h>
11 #include "sldns/sbuffer.h"
12 #include "util/config_file.h"
13 #include "util/net_help.h"
14 #include "util/netevent.h"
15 #include "util/log.h"
16 #include "util/storage/slabhash.h"
17 #include "util/storage/lookup3.h"
18 
19 #include "dnscrypt/cert.h"
20 #include "dnscrypt/dnscrypt.h"
21 #include "dnscrypt/dnscrypt_config.h"
22 
23 #include <ctype.h>
24 
25 
26 /**
27  * \file
28  * dnscrypt functions for encrypting DNS packets.
29  */
30 
31 #define DNSCRYPT_QUERY_BOX_OFFSET \
32     (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + \
33     crypto_box_HALF_NONCEBYTES)
34 
35 //  8 bytes: magic header (CERT_MAGIC_HEADER)
36 // 12 bytes: the client's nonce
37 // 12 bytes: server nonce extension
38 // 16 bytes: Poly1305 MAC (crypto_box_ZEROBYTES - crypto_box_BOXZEROBYTES)
39 
40 #define DNSCRYPT_REPLY_BOX_OFFSET \
41     (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES + \
42     crypto_box_HALF_NONCEBYTES)
43 
44 
45 /**
46  * Shared secret cache key length.
47  * secret key.
48  * 1 byte: ES_VERSION[1]
49  * 32 bytes: client crypto_box_PUBLICKEYBYTES
50  * 32 bytes: server crypto_box_SECRETKEYBYTES
51  */
52 #define DNSCRYPT_SHARED_SECRET_KEY_LENGTH \
53     (1 + crypto_box_PUBLICKEYBYTES + crypto_box_SECRETKEYBYTES)
54 
55 
56 struct shared_secret_cache_key {
57     /** the hash table key */
58     uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH];
59     /** the hash table entry, data is uint8_t pointer of size crypto_box_BEFORENMBYTES which contains the shared secret. */
60     struct lruhash_entry entry;
61 };
62 
63 
64 struct nonce_cache_key {
65     /** the nonce used by the client */
66     uint8_t nonce[crypto_box_HALF_NONCEBYTES];
67     /** the client_magic used by the client, this is associated to 1 cert only */
68     uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
69     /** the client public key */
70     uint8_t client_publickey[crypto_box_PUBLICKEYBYTES];
71     /** the hash table entry, data is uint8_t */
72     struct lruhash_entry entry;
73 };
74 
75 /**
76  * Generate a key suitable to find shared secret in slabhash.
77  * \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH
78  * \param[in] esversion: The es version least significant byte.
79  * \param[in] pk: The public key of the client. uint8_t pointer of size
80  * crypto_box_PUBLICKEYBYTES.
81  * \param[in] sk: The secret key of the server matching the magic query number.
82  * uint8_t pointer of size crypto_box_SECRETKEYBYTES.
83  * \return the hash of the key.
84  */
85 static uint32_t
86 dnsc_shared_secrets_cache_key(uint8_t* key,
87                               uint8_t esversion,
88                               uint8_t* pk,
89                               uint8_t* sk)
90 {
91     key[0] = esversion;
92     memcpy(key + 1, pk, crypto_box_PUBLICKEYBYTES);
93     memcpy(key + 1 + crypto_box_PUBLICKEYBYTES, sk, crypto_box_SECRETKEYBYTES);
94     return hashlittle(key, DNSCRYPT_SHARED_SECRET_KEY_LENGTH, 0);
95 }
96 
97 /**
98  * Inserts a shared secret into the shared_secrets_cache slabhash.
99  * The shared secret is copied so the caller can use it freely without caring
100  * about the cache entry being evicted or not.
101  * \param[in] cache: the slabhash in which to look for the key.
102  * \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH
103  * which contains the key of the shared secret.
104  * \param[in] hash: the hash of the key.
105  * \param[in] nmkey: a uint8_t pointer of size crypto_box_BEFORENMBYTES which
106  * contains the shared secret.
107  */
108 static void
109 dnsc_shared_secret_cache_insert(struct slabhash *cache,
110                                 uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH],
111                                 uint32_t hash,
112                                 uint8_t nmkey[crypto_box_BEFORENMBYTES])
113 {
114     struct shared_secret_cache_key* k =
115         (struct shared_secret_cache_key*)calloc(1, sizeof(*k));
116     uint8_t* d = malloc(crypto_box_BEFORENMBYTES);
117     if(!k || !d) {
118         free(k);
119         free(d);
120         return;
121     }
122     memcpy(d, nmkey, crypto_box_BEFORENMBYTES);
123     lock_rw_init(&k->entry.lock);
124     memcpy(k->key, key, DNSCRYPT_SHARED_SECRET_KEY_LENGTH);
125     k->entry.hash = hash;
126     k->entry.key = k;
127     k->entry.data = d;
128     slabhash_insert(cache,
129                     hash, &k->entry,
130                     d,
131                     NULL);
132 }
133 
134 /**
135  * Lookup a record in shared_secrets_cache.
136  * \param[in] cache: a pointer to shared_secrets_cache slabhash.
137  * \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH
138  * containing the key to look for.
139  * \param[in] hash: a hash of the key.
140  * \return a pointer to the locked cache entry or NULL on failure.
141  */
142 static struct lruhash_entry*
143 dnsc_shared_secrets_lookup(struct slabhash* cache,
144                            uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH],
145                            uint32_t hash)
146 {
147     return slabhash_lookup(cache, hash, key, 0);
148 }
149 
150 /**
151  * Generate a key hash suitable to find a nonce in slabhash.
152  * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
153  * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
154  * \param[in] pk: The public key of the client. uint8_t pointer of size
155  * crypto_box_PUBLICKEYBYTES.
156  * \return the hash of the key.
157  */
158 static uint32_t
159 dnsc_nonce_cache_key_hash(const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
160                           const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
161                           const uint8_t pk[crypto_box_PUBLICKEYBYTES])
162 {
163     uint32_t h = 0;
164     h = hashlittle(nonce, crypto_box_HALF_NONCEBYTES, h);
165     h = hashlittle(magic_query, DNSCRYPT_MAGIC_HEADER_LEN, h);
166     return hashlittle(pk, crypto_box_PUBLICKEYBYTES, h);
167 }
168 
169 /**
170  * Inserts a nonce, magic_query, pk tuple into the nonces_cache slabhash.
171  * \param[in] cache: the slabhash in which to look for the key.
172  * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
173  * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
174  * \param[in] pk: The public key of the client. uint8_t pointer of size
175  * crypto_box_PUBLICKEYBYTES.
176  * \param[in] hash: the hash of the key.
177  */
178 static void
179 dnsc_nonce_cache_insert(struct slabhash *cache,
180                         const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
181                         const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
182                         const uint8_t pk[crypto_box_PUBLICKEYBYTES],
183                         uint32_t hash)
184 {
185     struct nonce_cache_key* k =
186         (struct nonce_cache_key*)calloc(1, sizeof(*k));
187     if(!k) {
188         free(k);
189         return;
190     }
191     lock_rw_init(&k->entry.lock);
192     memcpy(k->nonce, nonce, crypto_box_HALF_NONCEBYTES);
193     memcpy(k->magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN);
194     memcpy(k->client_publickey, pk, crypto_box_PUBLICKEYBYTES);
195     k->entry.hash = hash;
196     k->entry.key = k;
197     k->entry.data = NULL;
198     slabhash_insert(cache,
199                     hash, &k->entry,
200                     NULL,
201                     NULL);
202 }
203 
204 /**
205  * Lookup a record in nonces_cache.
206  * \param[in] cache: the slabhash in which to look for the key.
207  * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
208  * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
209  * \param[in] pk: The public key of the client. uint8_t pointer of size
210  * crypto_box_PUBLICKEYBYTES.
211  * \param[in] hash: the hash of the key.
212  * \return a pointer to the locked cache entry or NULL on failure.
213  */
214 static struct lruhash_entry*
215 dnsc_nonces_lookup(struct slabhash* cache,
216                    const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
217                    const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
218                    const uint8_t pk[crypto_box_PUBLICKEYBYTES],
219                    uint32_t hash)
220 {
221     struct nonce_cache_key k;
222     memset(&k, 0, sizeof(k));
223     k.entry.hash = hash;
224     memcpy(k.nonce, nonce, crypto_box_HALF_NONCEBYTES);
225     memcpy(k.magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN);
226     memcpy(k.client_publickey, pk, crypto_box_PUBLICKEYBYTES);
227 
228     return slabhash_lookup(cache, hash, &k, 0);
229 }
230 
231 /**
232  * Decrypt a query using the dnsccert that was found using dnsc_find_cert.
233  * The client nonce will be extracted from the encrypted query and stored in
234  * client_nonce, a shared secret will be computed and stored in nmkey and the
235  * buffer will be decrypted inplace.
236  * \param[in] env the dnscrypt environment.
237  * \param[in] cert the cert that matches this encrypted query.
238  * \param[in] client_nonce where the client nonce will be stored.
239  * \param[in] nmkey where the shared secret key will be written.
240  * \param[in] buffer the encrypted buffer.
241  * \return 0 on success.
242  */
243 static int
244 dnscrypt_server_uncurve(struct dnsc_env* env,
245                         const dnsccert *cert,
246                         uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
247                         uint8_t nmkey[crypto_box_BEFORENMBYTES],
248                         struct sldns_buffer* buffer)
249 {
250     size_t len = sldns_buffer_limit(buffer);
251     uint8_t *const buf = sldns_buffer_begin(buffer);
252     uint8_t nonce[crypto_box_NONCEBYTES];
253     struct dnscrypt_query_header *query_header;
254     // shared secret cache
255     uint8_t key[DNSCRYPT_SHARED_SECRET_KEY_LENGTH];
256     struct lruhash_entry* entry;
257     uint32_t hash;
258 
259     uint32_t nonce_hash;
260 
261     if (len <= DNSCRYPT_QUERY_HEADER_SIZE) {
262         return -1;
263     }
264 
265     query_header = (struct dnscrypt_query_header *)buf;
266 
267     /* Detect replay attacks */
268     nonce_hash = dnsc_nonce_cache_key_hash(
269         query_header->nonce,
270         cert->magic_query,
271         query_header->publickey);
272 
273     lock_basic_lock(&env->nonces_cache_lock);
274     entry = dnsc_nonces_lookup(
275         env->nonces_cache,
276         query_header->nonce,
277         cert->magic_query,
278         query_header->publickey,
279         nonce_hash);
280 
281     if(entry) {
282         lock_rw_unlock(&entry->lock);
283         env->num_query_dnscrypt_replay++;
284         lock_basic_unlock(&env->nonces_cache_lock);
285         return -1;
286     }
287 
288     dnsc_nonce_cache_insert(
289         env->nonces_cache,
290         query_header->nonce,
291         cert->magic_query,
292         query_header->publickey,
293         nonce_hash);
294     lock_basic_unlock(&env->nonces_cache_lock);
295 
296     /* Find existing shared secret */
297     hash = dnsc_shared_secrets_cache_key(key,
298                                          cert->es_version[1],
299                                          query_header->publickey,
300                                          cert->keypair->crypt_secretkey);
301     entry = dnsc_shared_secrets_lookup(env->shared_secrets_cache,
302                                        key,
303                                        hash);
304 
305     if(!entry) {
306         lock_basic_lock(&env->shared_secrets_cache_lock);
307         env->num_query_dnscrypt_secret_missed_cache++;
308         lock_basic_unlock(&env->shared_secrets_cache_lock);
309         if(cert->es_version[1] == 2) {
310 #ifdef USE_DNSCRYPT_XCHACHA20
311             if (crypto_box_curve25519xchacha20poly1305_beforenm(
312                         nmkey, query_header->publickey,
313                         cert->keypair->crypt_secretkey) != 0) {
314                 return -1;
315             }
316 #else
317             return -1;
318 #endif
319     } else {
320         if (crypto_box_beforenm(nmkey,
321                                 query_header->publickey,
322                                 cert->keypair->crypt_secretkey) != 0) {
323             return -1;
324         }
325     }
326     // Cache the shared secret we just computed.
327     dnsc_shared_secret_cache_insert(env->shared_secrets_cache,
328                                     key,
329                                     hash,
330                                     nmkey);
331     } else {
332         /* copy shared secret and unlock entry */
333         memcpy(nmkey, entry->data, crypto_box_BEFORENMBYTES);
334         lock_rw_unlock(&entry->lock);
335     }
336 
337     memcpy(nonce, query_header->nonce, crypto_box_HALF_NONCEBYTES);
338     memset(nonce + crypto_box_HALF_NONCEBYTES, 0, crypto_box_HALF_NONCEBYTES);
339 
340     if(cert->es_version[1] == 2) {
341 #ifdef USE_DNSCRYPT_XCHACHA20
342         if (crypto_box_curve25519xchacha20poly1305_open_easy_afternm
343                 (buf,
344                 buf + DNSCRYPT_QUERY_BOX_OFFSET,
345                 len - DNSCRYPT_QUERY_BOX_OFFSET, nonce,
346                 nmkey) != 0) {
347             return -1;
348         }
349 #else
350         return -1;
351 #endif
352     } else {
353         if (crypto_box_open_easy_afternm
354             (buf,
355              buf + DNSCRYPT_QUERY_BOX_OFFSET,
356              len - DNSCRYPT_QUERY_BOX_OFFSET, nonce,
357              nmkey) != 0) {
358             return -1;
359         }
360     }
361 
362     len -= DNSCRYPT_QUERY_HEADER_SIZE;
363 
364     while (*sldns_buffer_at(buffer, --len) == 0)
365         ;
366 
367     if (*sldns_buffer_at(buffer, len) != 0x80) {
368         return -1;
369     }
370 
371     memcpy(client_nonce, nonce, crypto_box_HALF_NONCEBYTES);
372 
373     sldns_buffer_set_position(buffer, 0);
374     sldns_buffer_set_limit(buffer, len);
375 
376     return 0;
377 }
378 
379 
380 /**
381  * Add random padding to a buffer, according to a client nonce.
382  * The length has to depend on the query in order to avoid reply attacks.
383  *
384  * @param buf a buffer
385  * @param len the initial size of the buffer
386  * @param max_len the maximum size
387  * @param nonce a nonce, made of the client nonce repeated twice
388  * @param secretkey
389  * @return the new size, after padding
390  */
391 size_t
392 dnscrypt_pad(uint8_t *buf, const size_t len, const size_t max_len,
393              const uint8_t *nonce, const uint8_t *secretkey)
394 {
395     uint8_t *buf_padding_area = buf + len;
396     size_t padded_len;
397     uint32_t rnd;
398 
399     // no padding
400     if (max_len < len + DNSCRYPT_MIN_PAD_LEN)
401         return len;
402 
403     assert(nonce[crypto_box_HALF_NONCEBYTES] == nonce[0]);
404 
405     crypto_stream((unsigned char *)&rnd, (unsigned long long)sizeof(rnd), nonce,
406                   secretkey);
407     padded_len =
408         len + DNSCRYPT_MIN_PAD_LEN + rnd % (max_len - len -
409                                             DNSCRYPT_MIN_PAD_LEN + 1);
410     padded_len += DNSCRYPT_BLOCK_SIZE - padded_len % DNSCRYPT_BLOCK_SIZE;
411     if (padded_len > max_len)
412         padded_len = max_len;
413 
414     memset(buf_padding_area, 0, padded_len - len);
415     *buf_padding_area = 0x80;
416 
417     return padded_len;
418 }
419 
420 uint64_t
421 dnscrypt_hrtime(void)
422 {
423     struct timeval tv;
424     uint64_t ts = (uint64_t)0U;
425     int ret;
426 
427     ret = gettimeofday(&tv, NULL);
428     if (ret == 0) {
429         ts = (uint64_t)tv.tv_sec * 1000000U + (uint64_t)tv.tv_usec;
430     } else {
431         log_err("gettimeofday: %s", strerror(errno));
432     }
433     return ts;
434 }
435 
436 /**
437  * Add the server nonce part to once.
438  * The nonce is made half of client nonce and the seconf half of the server
439  * nonce, both of them of size crypto_box_HALF_NONCEBYTES.
440  * \param[in] nonce: a uint8_t* of size crypto_box_NONCEBYTES
441  */
442 static void
443 add_server_nonce(uint8_t *nonce)
444 {
445     uint64_t ts;
446     uint64_t tsn;
447     uint32_t suffix;
448     ts = dnscrypt_hrtime();
449     // TODO? dnscrypt-wrapper does some logic with context->nonce_ts_last
450     // unclear if we really need it, so skipping it for now.
451     tsn = (ts << 10) | (randombytes_random() & 0x3ff);
452 #if (BYTE_ORDER == LITTLE_ENDIAN)
453     tsn =
454         (((uint64_t)htonl((uint32_t)tsn)) << 32) | htonl((uint32_t)(tsn >> 32));
455 #endif
456     memcpy(nonce + crypto_box_HALF_NONCEBYTES, &tsn, 8);
457     suffix = randombytes_random();
458     memcpy(nonce + crypto_box_HALF_NONCEBYTES + 8, &suffix, 4);
459 }
460 
461 /**
462  * Encrypt a reply using the dnsccert that was used with the query.
463  * The client nonce will be extracted from the encrypted query and stored in
464  * The buffer will be encrypted inplace.
465  * \param[in] cert the dnsccert that matches this encrypted query.
466  * \param[in] client_nonce client nonce used during the query
467  * \param[in] nmkey shared secret key used during the query.
468  * \param[in] buffer the buffer where to encrypt the reply.
469  * \param[in] udp if whether or not it is a UDP query.
470  * \param[in] max_udp_size configured max udp size.
471  * \return 0 on success.
472  */
473 static int
474 dnscrypt_server_curve(const dnsccert *cert,
475                       uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
476                       uint8_t nmkey[crypto_box_BEFORENMBYTES],
477                       struct sldns_buffer* buffer,
478                       uint8_t udp,
479                       size_t max_udp_size)
480 {
481     size_t dns_reply_len = sldns_buffer_limit(buffer);
482     size_t max_len = dns_reply_len + DNSCRYPT_MAX_PADDING \
483         + DNSCRYPT_REPLY_HEADER_SIZE;
484     size_t max_reply_size = max_udp_size - 20U - 8U;
485     uint8_t nonce[crypto_box_NONCEBYTES];
486     uint8_t *boxed;
487     uint8_t *const buf = sldns_buffer_begin(buffer);
488     size_t len = sldns_buffer_limit(buffer);
489 
490     if(udp){
491         if (max_len > max_reply_size)
492             max_len = max_reply_size;
493     }
494 
495 
496     memcpy(nonce, client_nonce, crypto_box_HALF_NONCEBYTES);
497     memcpy(nonce + crypto_box_HALF_NONCEBYTES, client_nonce,
498            crypto_box_HALF_NONCEBYTES);
499 
500     boxed = buf + DNSCRYPT_REPLY_BOX_OFFSET;
501     memmove(boxed + crypto_box_MACBYTES, buf, len);
502     len = dnscrypt_pad(boxed + crypto_box_MACBYTES, len,
503                        max_len - DNSCRYPT_REPLY_HEADER_SIZE, nonce,
504                        cert->keypair->crypt_secretkey);
505     sldns_buffer_set_at(buffer,
506                         DNSCRYPT_REPLY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
507                         0, crypto_box_ZEROBYTES);
508 
509     // add server nonce extension
510     add_server_nonce(nonce);
511 
512     if(cert->es_version[1] == 2) {
513 #ifdef USE_DNSCRYPT_XCHACHA20
514         if (crypto_box_curve25519xchacha20poly1305_easy_afternm
515             (boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) {
516             return -1;
517         }
518 #else
519         return -1;
520 #endif
521     } else {
522         if (crypto_box_easy_afternm
523             (boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) {
524             return -1;
525         }
526     }
527 
528     sldns_buffer_write_at(buffer,
529                           0,
530                           DNSCRYPT_MAGIC_RESPONSE,
531                           DNSCRYPT_MAGIC_HEADER_LEN);
532     sldns_buffer_write_at(buffer,
533                           DNSCRYPT_MAGIC_HEADER_LEN,
534                           nonce,
535                           crypto_box_NONCEBYTES);
536     sldns_buffer_set_limit(buffer, len + DNSCRYPT_REPLY_HEADER_SIZE);
537     return 0;
538 }
539 
540 /**
541  * Read the content of fname into buf.
542  * \param[in] fname name of the file to read.
543  * \param[in] buf the buffer in which to read the content of the file.
544  * \param[in] count number of bytes to read.
545  * \return 0 on success.
546  */
547 static int
548 dnsc_read_from_file(char *fname, char *buf, size_t count)
549 {
550     int fd;
551     fd = open(fname, O_RDONLY);
552     if (fd == -1) {
553         return -1;
554     }
555     if (read(fd, buf, count) != (ssize_t)count) {
556         close(fd);
557         return -2;
558     }
559     close(fd);
560     return 0;
561 }
562 
563 /**
564  * Given an absolute path on the original root, returns the absolute path
565  * within the chroot. If chroot is disabled, the path is not modified.
566  * No char * is malloced so there is no need to free this.
567  * \param[in] cfg the configuration.
568  * \param[in] path the path from the original root.
569  * \return the path from inside the chroot.
570  */
571 static char *
572 dnsc_chroot_path(struct config_file *cfg, char *path)
573 {
574     char *nm;
575     nm = path;
576     if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
577         cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
578         nm += strlen(cfg->chrootdir);
579     return nm;
580 }
581 
582 /**
583  * Parse certificates files provided by the configuration and load them into
584  * dnsc_env.
585  * \param[in] env the dnsc_env structure to load the certs into.
586  * \param[in] cfg the configuration.
587  * \return the number of certificates loaded.
588  */
589 static int
590 dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
591 {
592 	struct config_strlist *head, *head2;
593 	size_t signed_cert_id;
594 	size_t rotated_cert_id;
595 	char *nm;
596 
597 	env->signed_certs_count = 0U;
598 	env->rotated_certs_count = 0U;
599 	for (head = cfg->dnscrypt_provider_cert; head; head = head->next) {
600 		env->signed_certs_count++;
601 	}
602 	for (head = cfg->dnscrypt_provider_cert_rotated; head; head = head->next) {
603 		env->rotated_certs_count++;
604 	}
605 	env->signed_certs = sodium_allocarray(env->signed_certs_count,
606 										  sizeof *env->signed_certs);
607 
608 	env->rotated_certs = sodium_allocarray(env->rotated_certs_count,
609 										  sizeof env->signed_certs);
610 	signed_cert_id = 0U;
611 	rotated_cert_id = 0U;
612 	for(head = cfg->dnscrypt_provider_cert; head; head = head->next, signed_cert_id++) {
613 		nm = dnsc_chroot_path(cfg, head->str);
614 		if(dnsc_read_from_file(
615 				nm,
616 				(char *)(env->signed_certs + signed_cert_id),
617 				sizeof(struct SignedCert)) != 0) {
618 			fatal_exit("dnsc_parse_certs: failed to load %s: %s", head->str, strerror(errno));
619 		}
620 		for(head2 = cfg->dnscrypt_provider_cert_rotated; head2; head2 = head2->next) {
621 			if(strcmp(head->str, head2->str) == 0) {
622 				*(env->rotated_certs + rotated_cert_id) = env->signed_certs + signed_cert_id;
623 				rotated_cert_id++;
624 				verbose(VERB_OPS, "Cert %s is rotated and will not be distributed via DNS", head->str);
625 				break;
626 			}
627 		}
628 		verbose(VERB_OPS, "Loaded cert %s", head->str);
629 	}
630 	return signed_cert_id;
631 }
632 
633 /**
634  * Helper function to convert a binary key into a printable fingerprint.
635  * \param[in] fingerprint the buffer in which to write the printable key.
636  * \param[in] key the key to convert.
637  */
638 void
639 dnsc_key_to_fingerprint(char fingerprint[80U], const uint8_t * const key)
640 {
641     const size_t fingerprint_size = 80U;
642     size_t       fingerprint_pos = (size_t) 0U;
643     size_t       key_pos = (size_t) 0U;
644 
645     for (;;) {
646         assert(fingerprint_size > fingerprint_pos);
647         snprintf(&fingerprint[fingerprint_pos],
648                         fingerprint_size - fingerprint_pos, "%02X%02X",
649                         key[key_pos], key[key_pos + 1U]);
650         key_pos += 2U;
651         if (key_pos >= crypto_box_PUBLICKEYBYTES) {
652             break;
653         }
654         fingerprint[fingerprint_pos + 4U] = ':';
655         fingerprint_pos += 5U;
656     }
657 }
658 
659 /**
660  * Find the cert matching a DNSCrypt query.
661  * \param[in] dnscenv The DNSCrypt environment, which contains the list of certs
662  * supported by the server.
663  * \param[in] buffer The encrypted DNS query.
664  * \return a dnsccert * if we found a cert matching the magic_number of the
665  * query, NULL otherwise.
666  */
667 static const dnsccert *
668 dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
669 {
670 	const dnsccert *certs = dnscenv->certs;
671 	struct dnscrypt_query_header *dnscrypt_header;
672 	size_t i;
673 
674 	if (sldns_buffer_limit(buffer) < DNSCRYPT_QUERY_HEADER_SIZE) {
675 		return NULL;
676 	}
677 	dnscrypt_header = (struct dnscrypt_query_header *)sldns_buffer_begin(buffer);
678 	for (i = 0U; i < dnscenv->signed_certs_count; i++) {
679 		if (memcmp(certs[i].magic_query, dnscrypt_header->magic_query,
680                    DNSCRYPT_MAGIC_HEADER_LEN) == 0) {
681 			return &certs[i];
682 		}
683 	}
684 	return NULL;
685 }
686 
687 /**
688  * Insert local-zone and local-data into configuration.
689  * In order to be able to serve certs over TXT, we can reuse the local-zone and
690  * local-data config option. The zone and qname are infered from the
691  * provider_name and the content of the TXT record from the certificate content.
692  * returns the number of certificate TXT record that were loaded.
693  * < 0 in case of error.
694  */
695 static int
696 dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg)
697 {
698     size_t i, j;
699 	// Insert 'local-zone: "2.dnscrypt-cert.example.com" deny'
700     if(!cfg_str2list_insert(&cfg->local_zones,
701                             strdup(dnscenv->provider_name),
702                             strdup("deny"))) {
703         log_err("Could not load dnscrypt local-zone: %s deny",
704                 dnscenv->provider_name);
705         return -1;
706     }
707 
708     // Add local data entry of type:
709     // 2.dnscrypt-cert.example.com 86400 IN TXT "DNSC......"
710     for(i=0; i<dnscenv->signed_certs_count; i++) {
711         const char *ttl_class_type = " 86400 IN TXT \"";
712         int rotated_cert = 0;
713 	uint32_t serial;
714 	uint16_t rrlen;
715 	char* rr;
716         struct SignedCert *cert = dnscenv->signed_certs + i;
717 		// Check if the certificate is being rotated and should not be published
718         for(j=0; j<dnscenv->rotated_certs_count; j++){
719             if(cert == dnscenv->rotated_certs[j]) {
720                 rotated_cert = 1;
721                 break;
722             }
723         }
724 		memcpy(&serial, cert->serial, sizeof serial);
725 		serial = htonl(serial);
726         if(rotated_cert) {
727             verbose(VERB_OPS,
728                 "DNSCrypt: not adding cert with serial #%"
729                 PRIu32
730                 " to local-data as it is rotated",
731                 serial
732             );
733             continue;
734         }
735         rrlen = strlen(dnscenv->provider_name) +
736                          strlen(ttl_class_type) +
737                          4 * sizeof(struct SignedCert) + // worst case scenario
738                          1 + // trailing double quote
739                          1;
740         rr = malloc(rrlen);
741         if(!rr) {
742             log_err("Could not allocate memory");
743             return -2;
744         }
745         snprintf(rr, rrlen - 1, "%s 86400 IN TXT \"", dnscenv->provider_name);
746         for(j=0; j<sizeof(struct SignedCert); j++) {
747 			int c = (int)*((const uint8_t *) cert + j);
748             if (isprint(c) && c != '"' && c != '\\') {
749                 snprintf(rr + strlen(rr), rrlen - 1 - strlen(rr), "%c", c);
750             } else {
751                 snprintf(rr + strlen(rr), rrlen - 1 - strlen(rr), "\\%03d", c);
752             }
753         }
754         verbose(VERB_OPS,
755 			"DNSCrypt: adding cert with serial #%"
756 			PRIu32
757 			" to local-data to config: %s",
758 			serial, rr
759 		);
760         snprintf(rr + strlen(rr), rrlen - 1 - strlen(rr), "\"");
761         cfg_strlist_insert(&cfg->local_data, strdup(rr));
762         free(rr);
763     }
764     return dnscenv->signed_certs_count;
765 }
766 
767 static const char *
768 key_get_es_version(uint8_t version[2])
769 {
770     struct es_version {
771         uint8_t es_version[2];
772         const char *name;
773     };
774 
775     struct es_version es_versions[] = {
776         {{0x00, 0x01}, "X25519-XSalsa20Poly1305"},
777         {{0x00, 0x02}, "X25519-XChacha20Poly1305"},
778     };
779     int i;
780     for(i=0; i < (int)sizeof(es_versions); i++){
781         if(es_versions[i].es_version[0] == version[0] &&
782            es_versions[i].es_version[1] == version[1]){
783             return es_versions[i].name;
784         }
785     }
786     return NULL;
787 }
788 
789 
790 /**
791  * Parse the secret key files from `dnscrypt-secret-key` config and populates
792  * a list of dnsccert with es_version, magic number and secret/public keys
793  * supported by dnscrypt listener.
794  * \param[in] env The dnsc_env structure which will hold the keypairs.
795  * \param[in] cfg The config with the secret key file paths.
796  */
797 static int
798 dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg)
799 {
800 	struct config_strlist *head;
801 	size_t cert_id, keypair_id;
802 	size_t c;
803 	char *nm;
804 
805 	env->keypairs_count = 0U;
806 	for (head = cfg->dnscrypt_secret_key; head; head = head->next) {
807 		env->keypairs_count++;
808 	}
809 
810 	env->keypairs = sodium_allocarray(env->keypairs_count,
811 		sizeof *env->keypairs);
812 	env->certs = sodium_allocarray(env->signed_certs_count,
813 		sizeof *env->certs);
814 
815 	cert_id = 0U;
816 	keypair_id = 0U;
817 	for(head = cfg->dnscrypt_secret_key; head; head = head->next, keypair_id++) {
818 		char fingerprint[80];
819 		int found_cert = 0;
820 		KeyPair *current_keypair = &env->keypairs[keypair_id];
821 		nm = dnsc_chroot_path(cfg, head->str);
822 		if(dnsc_read_from_file(
823 				nm,
824 				(char *)(current_keypair->crypt_secretkey),
825 				crypto_box_SECRETKEYBYTES) != 0) {
826 			fatal_exit("dnsc_parse_keys: failed to load %s: %s", head->str, strerror(errno));
827 		}
828 		verbose(VERB_OPS, "Loaded key %s", head->str);
829 		if (crypto_scalarmult_base(current_keypair->crypt_publickey,
830 			current_keypair->crypt_secretkey) != 0) {
831 			fatal_exit("dnsc_parse_keys: could not generate public key from %s", head->str);
832 		}
833 		dnsc_key_to_fingerprint(fingerprint, current_keypair->crypt_publickey);
834 		verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s", head->str, fingerprint);
835 		// find the cert matching this key
836 		for(c = 0; c < env->signed_certs_count; c++) {
837 			if(memcmp(current_keypair->crypt_publickey,
838 				env->signed_certs[c].server_publickey,
839 				crypto_box_PUBLICKEYBYTES) == 0) {
840 				dnsccert *current_cert = &env->certs[cert_id++];
841 				found_cert = 1;
842 				current_cert->keypair = current_keypair;
843 				memcpy(current_cert->magic_query,
844 				       env->signed_certs[c].magic_query,
845 					sizeof env->signed_certs[c].magic_query);
846 				memcpy(current_cert->es_version,
847 				       env->signed_certs[c].version_major,
848 				       sizeof env->signed_certs[c].version_major
849 				);
850 				dnsc_key_to_fingerprint(fingerprint,
851 							current_cert->keypair->crypt_publickey);
852 				verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s",
853 					head->str, fingerprint);
854 				verbose(VERB_OPS, "Using %s",
855 					key_get_es_version(current_cert->es_version));
856 #ifndef USE_DNSCRYPT_XCHACHA20
857 				if (current_cert->es_version[1] == 0x02) {
858 				    fatal_exit("Certificate for XChacha20 but libsodium does not support it.");
859 				}
860 #endif
861 
862             		}
863         	}
864 		if (!found_cert) {
865 		    fatal_exit("dnsc_parse_keys: could not match certificate for key "
866 			       "%s. Unable to determine ES version.",
867 			       head->str);
868 		}
869 	}
870 	return cert_id;
871 }
872 
873 static void
874 sodium_misuse_handler(void)
875 {
876 	fatal_exit(
877 		"dnscrypt: libsodium could not be initialized, this typically"
878 		" happens when no good source of entropy is found. If you run"
879 		" unbound in a chroot, make sure /dev/random is available. See"
880 		" https://www.unbound.net/documentation/unbound.conf.html");
881 }
882 
883 
884 /**
885  * #########################################################
886  * ############# Publicly accessible functions #############
887  * #########################################################
888  */
889 
890 int
891 dnsc_handle_curved_request(struct dnsc_env* dnscenv,
892                            struct comm_reply* repinfo)
893 {
894     struct comm_point* c = repinfo->c;
895 
896     repinfo->is_dnscrypted = 0;
897     if( !c->dnscrypt ) {
898         return 1;
899     }
900     // Attempt to decrypt the query. If it is not crypted, we may still need
901     // to serve the certificate.
902     verbose(VERB_ALGO, "handle request called on DNSCrypt socket");
903     if ((repinfo->dnsc_cert = dnsc_find_cert(dnscenv, c->buffer)) != NULL) {
904         if(dnscrypt_server_uncurve(dnscenv,
905                                    repinfo->dnsc_cert,
906                                    repinfo->client_nonce,
907                                    repinfo->nmkey,
908                                    c->buffer) != 0){
909             verbose(VERB_ALGO, "dnscrypt: Failed to uncurve");
910             comm_point_drop_reply(repinfo);
911             return 0;
912         }
913         repinfo->is_dnscrypted = 1;
914         sldns_buffer_rewind(c->buffer);
915     }
916     return 1;
917 }
918 
919 int
920 dnsc_handle_uncurved_request(struct comm_reply *repinfo)
921 {
922     if(!repinfo->c->dnscrypt) {
923         return 1;
924     }
925     sldns_buffer_copy(repinfo->c->dnscrypt_buffer, repinfo->c->buffer);
926     if(!repinfo->is_dnscrypted) {
927         return 1;
928     }
929 	if(dnscrypt_server_curve(repinfo->dnsc_cert,
930                              repinfo->client_nonce,
931                              repinfo->nmkey,
932                              repinfo->c->dnscrypt_buffer,
933                              repinfo->c->type == comm_udp,
934                              repinfo->max_udp_size) != 0){
935 		verbose(VERB_ALGO, "dnscrypt: Failed to curve cached missed answer");
936 		comm_point_drop_reply(repinfo);
937 		return 0;
938 	}
939     return 1;
940 }
941 
942 struct dnsc_env *
943 dnsc_create(void)
944 {
945 	struct dnsc_env *env;
946 #ifdef SODIUM_MISUSE_HANDLER
947 	sodium_set_misuse_handler(sodium_misuse_handler);
948 #endif
949 	if (sodium_init() == -1) {
950 		fatal_exit("dnsc_create: could not initialize libsodium.");
951 	}
952 	env = (struct dnsc_env *) calloc(1, sizeof(struct dnsc_env));
953 	lock_basic_init(&env->shared_secrets_cache_lock);
954 	lock_protect(&env->shared_secrets_cache_lock,
955                  &env->num_query_dnscrypt_secret_missed_cache,
956                  sizeof(env->num_query_dnscrypt_secret_missed_cache));
957 	lock_basic_init(&env->nonces_cache_lock);
958 	lock_protect(&env->nonces_cache_lock,
959                  &env->nonces_cache,
960                  sizeof(env->nonces_cache));
961 	lock_protect(&env->nonces_cache_lock,
962                  &env->num_query_dnscrypt_replay,
963                  sizeof(env->num_query_dnscrypt_replay));
964 
965 	return env;
966 }
967 
968 int
969 dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg)
970 {
971     if(dnsc_parse_certs(env, cfg) <= 0) {
972         fatal_exit("dnsc_apply_cfg: no cert file loaded");
973     }
974     if(dnsc_parse_keys(env, cfg) <= 0) {
975         fatal_exit("dnsc_apply_cfg: no key file loaded");
976     }
977     randombytes_buf(env->hash_key, sizeof env->hash_key);
978     env->provider_name = cfg->dnscrypt_provider;
979 
980     if(dnsc_load_local_data(env, cfg) <= 0) {
981         fatal_exit("dnsc_apply_cfg: could not load local data");
982     }
983     lock_basic_lock(&env->shared_secrets_cache_lock);
984     env->shared_secrets_cache = slabhash_create(
985         cfg->dnscrypt_shared_secret_cache_slabs,
986         HASH_DEFAULT_STARTARRAY,
987         cfg->dnscrypt_shared_secret_cache_size,
988         dnsc_shared_secrets_sizefunc,
989         dnsc_shared_secrets_compfunc,
990         dnsc_shared_secrets_delkeyfunc,
991         dnsc_shared_secrets_deldatafunc,
992         NULL
993     );
994     lock_basic_unlock(&env->shared_secrets_cache_lock);
995     if(!env->shared_secrets_cache){
996         fatal_exit("dnsc_apply_cfg: could not create shared secrets cache.");
997     }
998     lock_basic_lock(&env->nonces_cache_lock);
999     env->nonces_cache = slabhash_create(
1000         cfg->dnscrypt_nonce_cache_slabs,
1001         HASH_DEFAULT_STARTARRAY,
1002         cfg->dnscrypt_nonce_cache_size,
1003         dnsc_nonces_sizefunc,
1004         dnsc_nonces_compfunc,
1005         dnsc_nonces_delkeyfunc,
1006         dnsc_nonces_deldatafunc,
1007         NULL
1008     );
1009     lock_basic_unlock(&env->nonces_cache_lock);
1010     return 0;
1011 }
1012 
1013 void
1014 dnsc_delete(struct dnsc_env *env)
1015 {
1016 	if(!env) {
1017 		return;
1018 	}
1019 	verbose(VERB_OPS, "DNSCrypt: Freeing environment.");
1020 	sodium_free(env->signed_certs);
1021 	sodium_free(env->rotated_certs);
1022 	sodium_free(env->certs);
1023 	sodium_free(env->keypairs);
1024 	lock_basic_destroy(&env->shared_secrets_cache_lock);
1025 	lock_basic_destroy(&env->nonces_cache_lock);
1026 	slabhash_delete(env->shared_secrets_cache);
1027 	slabhash_delete(env->nonces_cache);
1028 	free(env);
1029 }
1030 
1031 /**
1032  * #########################################################
1033  * ############# Shared secrets cache functions ############
1034  * #########################################################
1035  */
1036 
1037 size_t
1038 dnsc_shared_secrets_sizefunc(void *k, void* ATTR_UNUSED(d))
1039 {
1040     struct shared_secret_cache_key* ssk = (struct shared_secret_cache_key*)k;
1041     size_t key_size = sizeof(struct shared_secret_cache_key)
1042         + lock_get_mem(&ssk->entry.lock);
1043     size_t data_size = crypto_box_BEFORENMBYTES;
1044     (void)ssk; /* otherwise ssk is unused if no threading, or fixed locksize */
1045     return key_size + data_size;
1046 }
1047 
1048 int
1049 dnsc_shared_secrets_compfunc(void *m1, void *m2)
1050 {
1051     return sodium_memcmp(m1, m2, DNSCRYPT_SHARED_SECRET_KEY_LENGTH);
1052 }
1053 
1054 void
1055 dnsc_shared_secrets_delkeyfunc(void *k, void* ATTR_UNUSED(arg))
1056 {
1057     struct shared_secret_cache_key* ssk = (struct shared_secret_cache_key*)k;
1058     lock_rw_destroy(&ssk->entry.lock);
1059     free(ssk);
1060 }
1061 
1062 void
1063 dnsc_shared_secrets_deldatafunc(void* d, void* ATTR_UNUSED(arg))
1064 {
1065     uint8_t* data = (uint8_t*)d;
1066     free(data);
1067 }
1068 
1069 /**
1070  * #########################################################
1071  * ############### Nonces cache functions ##################
1072  * #########################################################
1073  */
1074 
1075 size_t
1076 dnsc_nonces_sizefunc(void *k, void* ATTR_UNUSED(d))
1077 {
1078     struct nonce_cache_key* nk = (struct nonce_cache_key*)k;
1079     size_t key_size = sizeof(struct nonce_cache_key)
1080         + lock_get_mem(&nk->entry.lock);
1081     (void)nk; /* otherwise ssk is unused if no threading, or fixed locksize */
1082     return key_size;
1083 }
1084 
1085 int
1086 dnsc_nonces_compfunc(void *m1, void *m2)
1087 {
1088     struct nonce_cache_key *k1 = m1, *k2 = m2;
1089     return
1090         sodium_memcmp(
1091             k1->nonce,
1092             k2->nonce,
1093             crypto_box_HALF_NONCEBYTES) != 0 ||
1094         sodium_memcmp(
1095             k1->magic_query,
1096             k2->magic_query,
1097             DNSCRYPT_MAGIC_HEADER_LEN) != 0 ||
1098         sodium_memcmp(
1099             k1->client_publickey, k2->client_publickey,
1100             crypto_box_PUBLICKEYBYTES) != 0;
1101 }
1102 
1103 void
1104 dnsc_nonces_delkeyfunc(void *k, void* ATTR_UNUSED(arg))
1105 {
1106     struct nonce_cache_key* nk = (struct nonce_cache_key*)k;
1107     lock_rw_destroy(&nk->entry.lock);
1108     free(nk);
1109 }
1110 
1111 void
1112 dnsc_nonces_deldatafunc(void* ATTR_UNUSED(d), void* ATTR_UNUSED(arg))
1113 {
1114     return;
1115 }
1116