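#ifndef UNBOUND_DNSCRYPT_H
#define UNBOUND_DNSCRYPT_H

/**
 * \file
 * dnscrypt functions for encrypting DNS packets.
 *
 * Declares the DNSCrypt environment (struct dnsc_env), the layout of the
 * encrypted query header, and the callbacks used by the shared secret and
 * nonce caches. Everything after the first include is compiled only when
 * USE_DNSCRYPT is defined.
 */

#include "dnscrypt/dnscrypt_config.h"
#ifdef USE_DNSCRYPT

/** Length in bytes of the magic value at the start of the query and
 * response headers. */
#define DNSCRYPT_MAGIC_HEADER_LEN 8U
/** Magic value for responses. The literal is DNSCRYPT_MAGIC_HEADER_LEN
 * characters long, not counting the terminating NUL. */
#define DNSCRYPT_MAGIC_RESPONSE "r6fnvWj8"

/*
 * Padding parameters. Each one is defined only when it is not already set,
 * so a build can override it. How the values are applied is not visible in
 * this header.
 */
#ifndef DNSCRYPT_MAX_PADDING
# define DNSCRYPT_MAX_PADDING 256U
#endif
#ifndef DNSCRYPT_BLOCK_SIZE
# define DNSCRYPT_BLOCK_SIZE 64U
#endif
#ifndef DNSCRYPT_MIN_PAD_LEN
# define DNSCRYPT_MIN_PAD_LEN 8U
#endif

/** Half of crypto_box_NONCEBYTES. Defined by this header although it carries
 * the crypto_box_ prefix; the query header stores a nonce of this length. */
#define crypto_box_HALF_NONCEBYTES (crypto_box_NONCEBYTES / 2U)

#include "config.h"
#include "dnscrypt/cert.h"
#include "util/locks.h"

/**
 * Size in bytes of the encrypted query header: magic, public key, half
 * nonce and MAC, the same terms and order as the members of
 * struct dnscrypt_query_header.
 * NOTE(review): a received packet should be checked against this size
 * before its start is read as a struct dnscrypt_query_header; that check
 * lives in the implementation, not here.
 */
#define DNSCRYPT_QUERY_HEADER_SIZE \
    (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + crypto_box_HALF_NONCEBYTES + crypto_box_MACBYTES)
/** Size in bytes of the response header: magic, full nonce and MAC. */
#define DNSCRYPT_RESPONSE_HEADER_SIZE \
    (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_NONCEBYTES + crypto_box_MACBYTES)

/** Same sum written with two half nonces. Equal to
 * DNSCRYPT_RESPONSE_HEADER_SIZE whenever crypto_box_NONCEBYTES is even. */
#define DNSCRYPT_REPLY_HEADER_SIZE \
    (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES * 2 + crypto_box_MACBYTES)

/* Only pointers to these types are used below, so forward declarations
 * are enough. */
struct sldns_buffer;
struct config_file;
struct comm_reply;
struct slabhash;

/**
 * A crypto_box key pair.
 * crypt_secretkey is private key material held in process memory.
 * NOTE(review): storage holding a KeyPair should be wiped before it is
 * released; whether the implementation does so is not visible here.
 */
typedef struct KeyPair_ {
    /** public half of the pair */
    uint8_t crypt_publickey[crypto_box_PUBLICKEYBYTES];
    /** secret half of the pair; must not be logged or copied to output */
    uint8_t crypt_secretkey[crypto_box_SECRETKEYBYTES];
} KeyPair;

/**
 * Per-certificate data: a magic value, a two byte es_version and the key
 * pair that goes with them.
 */
typedef struct cert_ {
    /** presumably the magic that queries for this certificate start with;
     * confirm in the implementation */
    uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
    /** two byte version field; its encoding is not defined in this header */
    uint8_t es_version[2];
    /** key pair for this certificate; ownership is not stated here */
    KeyPair *keypair;
} dnsccert;

/**
 * DNSCrypt environment. Holds certificates, key material, the two caches
 * and their counters.
 */
struct dnsc_env {
    /** array of signed certificates, signed_certs_count entries */
    struct SignedCert *signed_certs;
    /** array of pointers to rotated certificates, rotated_certs_count
     * entries */
    struct SignedCert **rotated_certs;
    /** array of dnsccert; its length is not given by a field of its own,
     * presumably signed_certs_count; confirm in the implementation */
    dnsccert *certs;
    size_t signed_certs_count;
    size_t rotated_certs_count;
    /** provider public key, sized for Ed25519 */
    uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
    /** provider secret key storage, sized for Ed25519.
     * NOTE(review): whether this is ever populated is not visible here;
     * if it is, it needs the same handling as the KeyPair secrets. */
    uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];
    /** array of key pairs, keypairs_count entries */
    KeyPair *keypairs;
    size_t keypairs_count;
    /** presumably the last timestamp used for nonce generation; confirm
     * in the implementation */
    uint64_t nonce_ts_last;
    /** key for crypto_shorthash, going by the size constant */
    unsigned char hash_key[crypto_shorthash_KEYBYTES];
    char *provider_name;

    /** Caches */
    struct slabhash *shared_secrets_cache;
    /** lock on shared secret cache counters */
    lock_basic_type shared_secrets_cache_lock;
    /** number of misses from shared_secrets_cache */
    size_t num_query_dnscrypt_secret_missed_cache;

    /** slabhash keeping track of nonce/client pk/server sk pairs. */
    struct slabhash *nonces_cache;
    /** lock on nonces_cache, used to avoid race condition in updating the hash */
    lock_basic_type nonces_cache_lock;
    /** number of replayed queries */
    size_t num_query_dnscrypt_replay;
};

/**
 * Header of an encrypted query. All members are byte arrays, and their
 * sizes add up to DNSCRYPT_QUERY_HEADER_SIZE.
 */
struct dnscrypt_query_header {
    uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
    uint8_t publickey[crypto_box_PUBLICKEYBYTES];
    uint8_t nonce[crypto_box_HALF_NONCEBYTES];
    uint8_t mac[crypto_box_MACBYTES];
};

/**
 * Initialize DNSCrypt environment.
 * Initialize sodium library and allocate the dnsc_env structure.
 * \return an uninitialized struct dnsc_env.
 * NOTE(review): the behaviour on allocation failure is not documented
 * here; confirm whether callers need to check for NULL.
 */
struct dnsc_env * dnsc_create(void);

/**
 * Apply configuration.
 * Read certificates and secret keys from configuration. Initialize hashkey and
 * provider name as well as loading cert TXT records.
 * In case of issue applying configuration, this function fatals.
 * \param[in,out] env the struct dnsc_env to populate.
 * \param[in] cfg the config_file struct with dnscrypt options.
 * \return 0 on success.
 */
int dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg);

/**
 * Delete DNSCrypt environment
 * \param[in] env the struct dnsc_env to delete.
 * NOTE(review): env holds secret key material; confirm that the
 * implementation wipes it before the memory is released.
 */
void dnsc_delete(struct dnsc_env *env);

/**
 * handle an encrypted dnscrypt request.
 * Determine whether or not a query is coming over the dnscrypt listener and
 * attempt to uncurve it or detect if it is a certificate query.
 * \param[in] dnscenv the DNSCrypt environment.
 * \param[in,out] repinfo the comm_reply of the query being handled.
 * \return 0 in case of failure.
 */
int dnsc_handle_curved_request(struct dnsc_env* dnscenv,
                               struct comm_reply* repinfo);
/**
 * handle an unencrypted dnscrypt request.
 * Determine whether or not a query is going over the dnscrypt channel and
 * attempt to curve it unless it was not crypted like when it is a
 * certificate query.
 * \param[in,out] repinfo the comm_reply of the query being handled.
 * \return 0 in case of failure.
 */
int dnsc_handle_uncurved_request(struct comm_reply *repinfo);

/*
 * Cache callbacks. They take void pointers; the concrete key and data
 * types are defined by the implementation, not by this header.
 */

/**
 * Computes the size of the shared secret cache entry.
 */
size_t dnsc_shared_secrets_sizefunc(void *k, void *d);

/**
 * Compares two shared secret cache keys.
 */
int dnsc_shared_secrets_compfunc(void *m1, void *m2);

/**
 * Function to delete a shared secret cache key.
 */
void dnsc_shared_secrets_delkeyfunc(void *k, void* arg);

/**
 * Function to delete a shared secret cache value.
 * NOTE(review): the value is presumably a shared secret, so it should be
 * wiped before it is freed; confirm in the implementation.
 */
void dnsc_shared_secrets_deldatafunc(void* d, void* arg);

/**
 * Computes the size of the nonce cache entry.
 */
size_t dnsc_nonces_sizefunc(void *k, void *d);

/**
 * Compares two nonce cache keys.
 */
int dnsc_nonces_compfunc(void *m1, void *m2);

/**
 * Function to delete a nonce cache key.
 */
void dnsc_nonces_delkeyfunc(void *k, void* arg);

/**
 * Function to delete a nonce cache value.
 */
void dnsc_nonces_deldatafunc(void* d, void* arg);


#endif /* USE_DNSCRYPT */
#endif /* UNBOUND_DNSCRYPT_H */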