1 /* 2 * util/net_help.c - implementation of the network helper code 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 /** 36 * \file 37 * Implementation of net_help.h. 38 */ 39 40 #include "config.h" 41 #ifdef HAVE_SYS_TYPES_H 42 # include <sys/types.h> 43 #endif 44 #ifdef HAVE_NET_IF_H 45 #include <net/if.h> 46 #endif 47 #ifdef HAVE_NETIOAPI_H 48 #include <netioapi.h> 49 #endif 50 #include "util/net_help.h" 51 #include "util/log.h" 52 #include "util/data/dname.h" 53 #include "util/module.h" 54 #include "util/regional.h" 55 #include "util/config_file.h" 56 #include "sldns/parseutil.h" 57 #include "sldns/wire2str.h" 58 #include "sldns/str2wire.h" 59 #include <fcntl.h> 60 #ifdef HAVE_OPENSSL_SSL_H 61 #include <openssl/ssl.h> 62 #include <openssl/evp.h> 63 #include <openssl/rand.h> 64 #endif 65 #ifdef HAVE_OPENSSL_ERR_H 66 #include <openssl/err.h> 67 #endif 68 #ifdef HAVE_OPENSSL_CORE_NAMES_H 69 #include <openssl/core_names.h> 70 #endif 71 #ifdef USE_WINSOCK 72 #include <wincrypt.h> 73 #endif 74 #ifdef HAVE_NGHTTP2_NGHTTP2_H 75 #include <nghttp2/nghttp2.h> 76 #endif 77 78 /** max length of an IP address (the address portion) that we allow */ 79 #define MAX_ADDR_STRLEN 128 /* characters */ 80 /** default value for EDNS ADVERTISED size */ 81 uint16_t EDNS_ADVERTISED_SIZE = 4096; 82 83 /** minimal responses when positive answer: default is no */ 84 int MINIMAL_RESPONSES = 0; 85 86 /** rrset order roundrobin: default is yes */ 87 int RRSET_ROUNDROBIN = 1; 88 89 /** log tag queries with name instead of 'info' for filtering */ 90 int LOG_TAG_QUERYREPLY = 0; 91 92 static struct tls_session_ticket_key { 93 unsigned char *key_name; 94 unsigned char *aes_key; 95 unsigned char *hmac_key; 96 } *ticket_keys; 97 98 #ifdef HAVE_SSL 99 /** 100 * callback TLS session ticket encrypt and decrypt 101 * For use with SSL_CTX_set_tlsext_ticket_key_cb or 102 * SSL_CTX_set_tlsext_ticket_key_evp_cb 103 * @param s: the SSL_CTX to use (from connect_sslctx_create()) 104 * @param key_name: secret name, 16 bytes 105 * @param iv: up to EVP_MAX_IV_LENGTH. 106 * @param evp_ctx: the evp cipher context, function sets this. 107 * @param hmac_ctx: the hmac context, function sets this. 108 * with ..key_cb it is of type HMAC_CTX* 109 * with ..key_evp_cb it is of type EVP_MAC_CTX* 110 * @param enc: 1 is encrypt, 0 is decrypt 111 * @return 0 on no ticket, 1 for okay, and 2 for okay but renew the ticket 112 * (the ticket is decrypt only). and <0 for failures. 113 */ 114 int tls_session_ticket_key_cb(SSL *s, unsigned char* key_name, 115 unsigned char* iv, EVP_CIPHER_CTX *evp_ctx, 116 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 117 EVP_MAC_CTX *hmac_ctx, 118 #else 119 HMAC_CTX* hmac_ctx, 120 #endif 121 int enc); 122 #endif /* HAVE_SSL */ 123 124 /* returns true is string addr is an ip6 specced address */ 125 int 126 str_is_ip6(const char* str) 127 { 128 if(strchr(str, ':')) 129 return 1; 130 else return 0; 131 } 132 133 int 134 fd_set_nonblock(int s) 135 { 136 #ifdef HAVE_FCNTL 137 int flag; 138 if((flag = fcntl(s, F_GETFL)) == -1) { 139 log_err("can't fcntl F_GETFL: %s", strerror(errno)); 140 flag = 0; 141 } 142 flag |= O_NONBLOCK; 143 if(fcntl(s, F_SETFL, flag) == -1) { 144 log_err("can't fcntl F_SETFL: %s", strerror(errno)); 145 return 0; 146 } 147 #elif defined(HAVE_IOCTLSOCKET) 148 unsigned long on = 1; 149 if(ioctlsocket(s, FIONBIO, &on) != 0) { 150 log_err("can't ioctlsocket FIONBIO on: %s", 151 wsa_strerror(WSAGetLastError())); 152 } 153 #endif 154 return 1; 155 } 156 157 int 158 fd_set_block(int s) 159 { 160 #ifdef HAVE_FCNTL 161 int flag; 162 if((flag = fcntl(s, F_GETFL)) == -1) { 163 log_err("cannot fcntl F_GETFL: %s", strerror(errno)); 164 flag = 0; 165 } 166 flag &= ~O_NONBLOCK; 167 if(fcntl(s, F_SETFL, flag) == -1) { 168 log_err("cannot fcntl F_SETFL: %s", strerror(errno)); 169 return 0; 170 } 171 #elif defined(HAVE_IOCTLSOCKET) 172 unsigned long off = 0; 173 if(ioctlsocket(s, FIONBIO, &off) != 0) { 174 if(WSAGetLastError() != WSAEINVAL || verbosity >= 4) 175 log_err("can't ioctlsocket FIONBIO off: %s", 176 wsa_strerror(WSAGetLastError())); 177 } 178 #endif 179 return 1; 180 } 181 182 int 183 is_pow2(size_t num) 184 { 185 if(num == 0) return 1; 186 return (num & (num-1)) == 0; 187 } 188 189 void* 190 memdup(void* data, size_t len) 191 { 192 void* d; 193 if(!data) return NULL; 194 if(len == 0) return NULL; 195 d = malloc(len); 196 if(!d) return NULL; 197 memcpy(d, data, len); 198 return d; 199 } 200 201 void 202 log_addr(enum verbosity_value v, const char* str, 203 struct sockaddr_storage* addr, socklen_t addrlen) 204 { 205 uint16_t port; 206 const char* family = "unknown"; 207 char dest[100]; 208 int af = (int)((struct sockaddr_in*)addr)->sin_family; 209 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 210 if(verbosity < v) 211 return; 212 switch(af) { 213 case AF_INET: family="ip4"; break; 214 case AF_INET6: family="ip6"; 215 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 216 break; 217 case AF_LOCAL: 218 dest[0]=0; 219 (void)inet_ntop(af, sinaddr, dest, 220 (socklen_t)sizeof(dest)); 221 verbose(v, "%s local %s", str, dest); 222 return; /* do not continue and try to get port */ 223 default: break; 224 } 225 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 226 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 227 } 228 dest[sizeof(dest)-1] = 0; 229 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 230 if(verbosity >= 4) 231 verbose(v, "%s %s %s port %d (len %d)", str, family, dest, 232 (int)port, (int)addrlen); 233 else verbose(v, "%s %s port %d", str, dest, (int)port); 234 } 235 236 int 237 extstrtoaddr(const char* str, struct sockaddr_storage* addr, 238 socklen_t* addrlen, int port) 239 { 240 char* s; 241 if((s=strchr(str, '@'))) { 242 char buf[MAX_ADDR_STRLEN]; 243 if(s-str >= MAX_ADDR_STRLEN) { 244 return 0; 245 } 246 (void)strlcpy(buf, str, sizeof(buf)); 247 buf[s-str] = 0; 248 port = atoi(s+1); 249 if(port == 0 && strcmp(s+1,"0")!=0) { 250 return 0; 251 } 252 return ipstrtoaddr(buf, port, addr, addrlen); 253 } 254 return ipstrtoaddr(str, port, addr, addrlen); 255 } 256 257 int 258 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, 259 socklen_t* addrlen) 260 { 261 uint16_t p; 262 if(!ip) return 0; 263 p = (uint16_t) port; 264 if(str_is_ip6(ip)) { 265 char buf[MAX_ADDR_STRLEN]; 266 char* s; 267 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 268 *addrlen = (socklen_t)sizeof(struct sockaddr_in6); 269 memset(sa, 0, *addrlen); 270 sa->sin6_family = AF_INET6; 271 sa->sin6_port = (in_port_t)htons(p); 272 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */ 273 if(s-ip >= MAX_ADDR_STRLEN) 274 return 0; 275 (void)strlcpy(buf, ip, sizeof(buf)); 276 buf[s-ip]=0; 277 #ifdef HAVE_IF_NAMETOINDEX 278 if (!(sa->sin6_scope_id = if_nametoindex(s+1))) 279 #endif /* HAVE_IF_NAMETOINDEX */ 280 sa->sin6_scope_id = (uint32_t)atoi(s+1); 281 ip = buf; 282 } 283 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) { 284 return 0; 285 } 286 } else { /* ip4 */ 287 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 288 *addrlen = (socklen_t)sizeof(struct sockaddr_in); 289 memset(sa, 0, *addrlen); 290 sa->sin_family = AF_INET; 291 sa->sin_port = (in_port_t)htons(p); 292 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) { 293 return 0; 294 } 295 } 296 return 1; 297 } 298 299 int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr, 300 socklen_t* addrlen, int* net) 301 { 302 char buf[64]; 303 char* s; 304 *net = (str_is_ip6(str)?128:32); 305 if((s=strchr(str, '/'))) { 306 if(atoi(s+1) > *net) { 307 log_err("netblock too large: %s", str); 308 return 0; 309 } 310 *net = atoi(s+1); 311 if(*net == 0 && strcmp(s+1, "0") != 0) { 312 log_err("cannot parse netblock: '%s'", str); 313 return 0; 314 } 315 strlcpy(buf, str, sizeof(buf)); 316 s = strchr(buf, '/'); 317 if(s) *s = 0; 318 s = buf; 319 } 320 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) { 321 log_err("cannot parse ip address: '%s'", str); 322 return 0; 323 } 324 if(s) { 325 addr_mask(addr, *addrlen, *net); 326 } 327 return 1; 328 } 329 330 /* RPZ format address dname to network byte order address */ 331 static int ipdnametoaddr(uint8_t* dname, size_t dnamelen, 332 struct sockaddr_storage* addr, socklen_t* addrlen, int* af) 333 { 334 uint8_t* ia; 335 int dnamelabs = dname_count_labels(dname); 336 uint8_t lablen; 337 char* e = NULL; 338 int z = 0; 339 size_t len = 0; 340 int i; 341 *af = AF_INET; 342 343 /* need 1 byte for label length */ 344 if(dnamelen < 1) 345 return 0; 346 347 if(dnamelabs > 6 || 348 dname_has_label(dname, dnamelen, (uint8_t*)"\002zz")) { 349 *af = AF_INET6; 350 } 351 len = *dname; 352 lablen = *dname++; 353 i = (*af == AF_INET) ? 3 : 15; 354 if(*af == AF_INET6) { 355 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 356 *addrlen = (socklen_t)sizeof(struct sockaddr_in6); 357 memset(sa, 0, *addrlen); 358 sa->sin6_family = AF_INET6; 359 ia = (uint8_t*)&sa->sin6_addr; 360 } else { /* ip4 */ 361 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 362 *addrlen = (socklen_t)sizeof(struct sockaddr_in); 363 memset(sa, 0, *addrlen); 364 sa->sin_family = AF_INET; 365 ia = (uint8_t*)&sa->sin_addr; 366 } 367 while(lablen && i >= 0 && len <= dnamelen) { 368 char buff[LDNS_MAX_LABELLEN+1]; 369 uint16_t chunk; /* big enough to not overflow on IPv6 hextet */ 370 if((*af == AF_INET && (lablen > 3 || dnamelabs > 6)) || 371 (*af == AF_INET6 && (lablen > 4 || dnamelabs > 10))) { 372 return 0; 373 } 374 if(memcmp(dname, "zz", 2) == 0 && *af == AF_INET6) { 375 /* Add one or more 0 labels. Address is initialised at 376 * 0, so just skip the zero part. */ 377 int zl = 11 - dnamelabs; 378 if(z || zl < 0) 379 return 0; 380 z = 1; 381 i -= (zl*2); 382 } else { 383 memcpy(buff, dname, lablen); 384 buff[lablen] = '\0'; 385 chunk = strtol(buff, &e, (*af == AF_INET) ? 10 : 16); 386 if(!e || *e != '\0' || (*af == AF_INET && chunk > 255)) 387 return 0; 388 if(*af == AF_INET) { 389 log_assert(i < 4 && i >= 0); 390 ia[i] = (uint8_t)chunk; 391 i--; 392 } else { 393 log_assert(i < 16 && i >= 1); 394 /* ia in network byte order */ 395 ia[i-1] = (uint8_t)(chunk >> 8); 396 ia[i] = (uint8_t)(chunk & 0x00FF); 397 i -= 2; 398 } 399 } 400 dname += lablen; 401 lablen = *dname++; 402 len += lablen; 403 } 404 if(i != -1) 405 /* input too short */ 406 return 0; 407 return 1; 408 } 409 410 int netblockdnametoaddr(uint8_t* dname, size_t dnamelen, 411 struct sockaddr_storage* addr, socklen_t* addrlen, int* net, int* af) 412 { 413 char buff[3 /* 3 digit netblock */ + 1]; 414 size_t nlablen; 415 if(dnamelen < 1 || *dname > 3) 416 /* netblock invalid */ 417 return 0; 418 nlablen = *dname; 419 420 if(dnamelen < 1 + nlablen) 421 return 0; 422 423 memcpy(buff, dname+1, nlablen); 424 buff[nlablen] = '\0'; 425 *net = atoi(buff); 426 if(*net == 0 && strcmp(buff, "0") != 0) 427 return 0; 428 dname += nlablen; 429 dname++; 430 if(!ipdnametoaddr(dname, dnamelen-1-nlablen, addr, addrlen, af)) 431 return 0; 432 if((*af == AF_INET6 && *net > 128) || (*af == AF_INET && *net > 32)) 433 return 0; 434 return 1; 435 } 436 437 int authextstrtoaddr(char* str, struct sockaddr_storage* addr, 438 socklen_t* addrlen, char** auth_name) 439 { 440 char* s; 441 int port = UNBOUND_DNS_PORT; 442 if((s=strchr(str, '@'))) { 443 char buf[MAX_ADDR_STRLEN]; 444 size_t len = (size_t)(s-str); 445 char* hash = strchr(s+1, '#'); 446 if(hash) { 447 *auth_name = hash+1; 448 } else { 449 *auth_name = NULL; 450 } 451 if(len >= MAX_ADDR_STRLEN) { 452 return 0; 453 } 454 (void)strlcpy(buf, str, sizeof(buf)); 455 buf[len] = 0; 456 port = atoi(s+1); 457 if(port == 0) { 458 if(!hash && strcmp(s+1,"0")!=0) 459 return 0; 460 if(hash && strncmp(s+1,"0#",2)!=0) 461 return 0; 462 } 463 return ipstrtoaddr(buf, port, addr, addrlen); 464 } 465 if((s=strchr(str, '#'))) { 466 char buf[MAX_ADDR_STRLEN]; 467 size_t len = (size_t)(s-str); 468 if(len >= MAX_ADDR_STRLEN) { 469 return 0; 470 } 471 (void)strlcpy(buf, str, sizeof(buf)); 472 buf[len] = 0; 473 port = UNBOUND_DNS_OVER_TLS_PORT; 474 *auth_name = s+1; 475 return ipstrtoaddr(buf, port, addr, addrlen); 476 } 477 *auth_name = NULL; 478 return ipstrtoaddr(str, port, addr, addrlen); 479 } 480 481 uint8_t* authextstrtodname(char* str, int* port, char** auth_name) 482 { 483 char* s; 484 uint8_t* dname; 485 size_t dname_len; 486 *port = UNBOUND_DNS_PORT; 487 *auth_name = NULL; 488 if((s=strchr(str, '@'))) { 489 char* hash = strchr(s+1, '#'); 490 if(hash) { 491 *auth_name = hash+1; 492 } else { 493 *auth_name = NULL; 494 } 495 *port = atoi(s+1); 496 if(*port == 0) { 497 if(!hash && strcmp(s+1,"0")!=0) 498 return 0; 499 if(hash && strncmp(s+1,"0#",2)!=0) 500 return 0; 501 } 502 *s = 0; 503 dname = sldns_str2wire_dname(str, &dname_len); 504 *s = '@'; 505 } else if((s=strchr(str, '#'))) { 506 *port = UNBOUND_DNS_OVER_TLS_PORT; 507 *auth_name = s+1; 508 *s = 0; 509 dname = sldns_str2wire_dname(str, &dname_len); 510 *s = '#'; 511 } else { 512 dname = sldns_str2wire_dname(str, &dname_len); 513 } 514 return dname; 515 } 516 517 /** store port number into sockaddr structure */ 518 void 519 sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port) 520 { 521 if(addr_is_ip6(addr, addrlen)) { 522 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 523 sa->sin6_port = (in_port_t)htons((uint16_t)port); 524 } else { 525 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 526 sa->sin_port = (in_port_t)htons((uint16_t)port); 527 } 528 } 529 530 void 531 log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name, 532 uint16_t type, uint16_t dclass) 533 { 534 char buf[LDNS_MAX_DOMAINLEN+1]; 535 char t[12], c[12]; 536 const char *ts, *cs; 537 if(verbosity < v) 538 return; 539 dname_str(name, buf); 540 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG"; 541 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR"; 542 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR"; 543 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB"; 544 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA"; 545 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY"; 546 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name) 547 ts = sldns_rr_descript(type)->_name; 548 else { 549 snprintf(t, sizeof(t), "TYPE%d", (int)type); 550 ts = t; 551 } 552 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) && 553 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name) 554 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name; 555 else { 556 snprintf(c, sizeof(c), "CLASS%d", (int)dclass); 557 cs = c; 558 } 559 log_info("%s %s %s %s", str, buf, ts, cs); 560 } 561 562 void 563 log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass) 564 { 565 char buf[LDNS_MAX_DOMAINLEN+1]; 566 char t[12], c[12]; 567 const char *ts, *cs; 568 dname_str(name, buf); 569 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG"; 570 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR"; 571 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR"; 572 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB"; 573 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA"; 574 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY"; 575 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name) 576 ts = sldns_rr_descript(type)->_name; 577 else { 578 snprintf(t, sizeof(t), "TYPE%d", (int)type); 579 ts = t; 580 } 581 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) && 582 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name) 583 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name; 584 else { 585 snprintf(c, sizeof(c), "CLASS%d", (int)dclass); 586 cs = c; 587 } 588 if(LOG_TAG_QUERYREPLY) 589 log_query("%s %s %s %s", str, buf, ts, cs); 590 else log_info("%s %s %s %s", str, buf, ts, cs); 591 } 592 593 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone, 594 struct sockaddr_storage* addr, socklen_t addrlen) 595 { 596 uint16_t port; 597 const char* family = "unknown_family "; 598 char namebuf[LDNS_MAX_DOMAINLEN+1]; 599 char dest[100]; 600 int af = (int)((struct sockaddr_in*)addr)->sin_family; 601 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 602 if(verbosity < v) 603 return; 604 switch(af) { 605 case AF_INET: family=""; break; 606 case AF_INET6: family=""; 607 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 608 break; 609 case AF_LOCAL: family="local "; break; 610 default: break; 611 } 612 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 613 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 614 } 615 dest[sizeof(dest)-1] = 0; 616 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 617 dname_str(zone, namebuf); 618 if(af != AF_INET && af != AF_INET6) 619 verbose(v, "%s <%s> %s%s#%d (addrlen %d)", 620 str, namebuf, family, dest, (int)port, (int)addrlen); 621 else verbose(v, "%s <%s> %s%s#%d", 622 str, namebuf, family, dest, (int)port); 623 } 624 625 void log_err_addr(const char* str, const char* err, 626 struct sockaddr_storage* addr, socklen_t addrlen) 627 { 628 uint16_t port; 629 char dest[100]; 630 int af = (int)((struct sockaddr_in*)addr)->sin_family; 631 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 632 if(af == AF_INET6) 633 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 634 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 635 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 636 } 637 dest[sizeof(dest)-1] = 0; 638 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 639 if(verbosity >= 4) 640 log_err("%s: %s for %s port %d (len %d)", str, err, dest, 641 (int)port, (int)addrlen); 642 else log_err("%s: %s for %s port %d", str, err, dest, (int)port); 643 } 644 645 int 646 sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1, 647 struct sockaddr_storage* addr2, socklen_t len2) 648 { 649 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; 650 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; 651 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; 652 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; 653 if(len1 < len2) 654 return -1; 655 if(len1 > len2) 656 return 1; 657 log_assert(len1 == len2); 658 if( p1_in->sin_family < p2_in->sin_family) 659 return -1; 660 if( p1_in->sin_family > p2_in->sin_family) 661 return 1; 662 log_assert( p1_in->sin_family == p2_in->sin_family ); 663 /* compare ip4 */ 664 if( p1_in->sin_family == AF_INET ) { 665 /* just order it, ntohs not required */ 666 if(p1_in->sin_port < p2_in->sin_port) 667 return -1; 668 if(p1_in->sin_port > p2_in->sin_port) 669 return 1; 670 log_assert(p1_in->sin_port == p2_in->sin_port); 671 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); 672 } else if (p1_in6->sin6_family == AF_INET6) { 673 /* just order it, ntohs not required */ 674 if(p1_in6->sin6_port < p2_in6->sin6_port) 675 return -1; 676 if(p1_in6->sin6_port > p2_in6->sin6_port) 677 return 1; 678 log_assert(p1_in6->sin6_port == p2_in6->sin6_port); 679 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, 680 INET6_SIZE); 681 } else { 682 /* eek unknown type, perform this comparison for sanity. */ 683 return memcmp(addr1, addr2, len1); 684 } 685 } 686 687 int 688 sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1, 689 struct sockaddr_storage* addr2, socklen_t len2) 690 { 691 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; 692 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; 693 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; 694 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; 695 if(len1 < len2) 696 return -1; 697 if(len1 > len2) 698 return 1; 699 log_assert(len1 == len2); 700 if( p1_in->sin_family < p2_in->sin_family) 701 return -1; 702 if( p1_in->sin_family > p2_in->sin_family) 703 return 1; 704 log_assert( p1_in->sin_family == p2_in->sin_family ); 705 /* compare ip4 */ 706 if( p1_in->sin_family == AF_INET ) { 707 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); 708 } else if (p1_in6->sin6_family == AF_INET6) { 709 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, 710 INET6_SIZE); 711 } else { 712 /* eek unknown type, perform this comparison for sanity. */ 713 return memcmp(addr1, addr2, len1); 714 } 715 } 716 717 int 718 addr_is_ip6(struct sockaddr_storage* addr, socklen_t len) 719 { 720 if(len == (socklen_t)sizeof(struct sockaddr_in6) && 721 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6) 722 return 1; 723 else return 0; 724 } 725 726 void 727 addr_mask(struct sockaddr_storage* addr, socklen_t len, int net) 728 { 729 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe}; 730 int i, max; 731 uint8_t* s; 732 if(addr_is_ip6(addr, len)) { 733 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; 734 max = 128; 735 } else { 736 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr; 737 max = 32; 738 } 739 if(net >= max) 740 return; 741 for(i=net/8+1; i<max/8; i++) { 742 s[i] = 0; 743 } 744 s[net/8] &= mask[net&0x7]; 745 } 746 747 int 748 addr_in_common(struct sockaddr_storage* addr1, int net1, 749 struct sockaddr_storage* addr2, int net2, socklen_t addrlen) 750 { 751 int min = (net1<net2)?net1:net2; 752 int i, to; 753 int match = 0; 754 uint8_t* s1, *s2; 755 if(addr_is_ip6(addr1, addrlen)) { 756 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr; 757 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr; 758 to = 16; 759 } else { 760 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr; 761 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr; 762 to = 4; 763 } 764 /* match = bits_in_common(s1, s2, to); */ 765 for(i=0; i<to; i++) { 766 if(s1[i] == s2[i]) { 767 match += 8; 768 } else { 769 uint8_t z = s1[i]^s2[i]; 770 log_assert(z); 771 while(!(z&0x80)) { 772 match++; 773 z<<=1; 774 } 775 break; 776 } 777 } 778 if(match > min) match = min; 779 return match; 780 } 781 782 void 783 addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen, 784 char* buf, size_t len) 785 { 786 int af = (int)((struct sockaddr_in*)addr)->sin_family; 787 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 788 if(addr_is_ip6(addr, addrlen)) 789 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 790 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) { 791 snprintf(buf, len, "(inet_ntop_error)"); 792 } 793 } 794 795 int 796 prefixnet_is_nat64(int prefixnet) 797 { 798 return (prefixnet == 32 || prefixnet == 40 || 799 prefixnet == 48 || prefixnet == 56 || 800 prefixnet == 64 || prefixnet == 96); 801 } 802 803 void 804 addr_to_nat64(const struct sockaddr_storage* addr, 805 const struct sockaddr_storage* nat64_prefix, 806 socklen_t nat64_prefixlen, int nat64_prefixnet, 807 struct sockaddr_storage* nat64_addr, socklen_t* nat64_addrlen) 808 { 809 struct sockaddr_in *sin = (struct sockaddr_in *)addr; 810 struct sockaddr_in6 *sin6; 811 uint8_t *v4_byte; 812 813 /* This needs to be checked by the caller */ 814 log_assert(addr->ss_family == AF_INET); 815 /* Current usage is only from config values; prefix lengths enforced 816 * during config validation */ 817 log_assert(prefixnet_is_nat64(nat64_prefixnet)); 818 819 *nat64_addr = *nat64_prefix; 820 *nat64_addrlen = nat64_prefixlen; 821 822 sin6 = (struct sockaddr_in6 *)nat64_addr; 823 sin6->sin6_flowinfo = 0; 824 sin6->sin6_port = sin->sin_port; 825 826 nat64_prefixnet = nat64_prefixnet / 8; 827 828 v4_byte = (uint8_t *)&sin->sin_addr.s_addr; 829 for(int i = 0; i < 4; i++) { 830 if(nat64_prefixnet == 8) { 831 /* bits 64...71 are MBZ */ 832 sin6->sin6_addr.s6_addr[nat64_prefixnet++] = 0; 833 } 834 sin6->sin6_addr.s6_addr[nat64_prefixnet++] = *v4_byte++; 835 } 836 } 837 838 int 839 addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen) 840 { 841 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */ 842 const uint8_t map_prefix[16] = 843 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0}; 844 uint8_t* s; 845 if(!addr_is_ip6(addr, addrlen)) 846 return 0; 847 /* s is 16 octet ipv6 address string */ 848 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; 849 return (memcmp(s, map_prefix, 12) == 0); 850 } 851 852 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen) 853 { 854 int af = (int)((struct sockaddr_in*)addr)->sin_family; 855 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 856 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in) 857 && memcmp(sinaddr, "\377\377\377\377", 4) == 0; 858 } 859 860 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen) 861 { 862 int af = (int)((struct sockaddr_in*)addr)->sin_family; 863 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 864 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr; 865 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in) 866 && memcmp(sinaddr, "\000\000\000\000", 4) == 0) 867 return 1; 868 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6) 869 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000" 870 "\000\000\000\000\000\000\000\000", 16) == 0) 871 return 1; 872 return 0; 873 } 874 875 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr, 876 socklen_t len, struct regional* region) 877 { 878 struct sock_list* add = (struct sock_list*)regional_alloc(region, 879 sizeof(*add) - sizeof(add->addr) + (size_t)len); 880 if(!add) { 881 log_err("out of memory in socketlist insert"); 882 return; 883 } 884 log_assert(list); 885 add->next = *list; 886 add->len = len; 887 *list = add; 888 if(len) memmove(&add->addr, addr, len); 889 } 890 891 void sock_list_prepend(struct sock_list** list, struct sock_list* add) 892 { 893 struct sock_list* last = add; 894 if(!last) 895 return; 896 while(last->next) 897 last = last->next; 898 last->next = *list; 899 *list = add; 900 } 901 902 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr, 903 socklen_t len) 904 { 905 while(list) { 906 if(len == list->len) { 907 if(len == 0 || sockaddr_cmp_addr(addr, len, 908 &list->addr, list->len) == 0) 909 return 1; 910 } 911 list = list->next; 912 } 913 return 0; 914 } 915 916 void sock_list_merge(struct sock_list** list, struct regional* region, 917 struct sock_list* add) 918 { 919 struct sock_list* p; 920 for(p=add; p; p=p->next) { 921 if(!sock_list_find(*list, &p->addr, p->len)) 922 sock_list_insert(list, &p->addr, p->len, region); 923 } 924 } 925 926 void 927 log_crypto_err(const char* str) 928 { 929 #ifdef HAVE_SSL 930 log_crypto_err_code(str, ERR_get_error()); 931 #else 932 (void)str; 933 #endif /* HAVE_SSL */ 934 } 935 936 void log_crypto_err_code(const char* str, unsigned long err) 937 { 938 #ifdef HAVE_SSL 939 /* error:[error code]:[library name]:[function name]:[reason string] */ 940 char buf[128]; 941 unsigned long e; 942 ERR_error_string_n(err, buf, sizeof(buf)); 943 log_err("%s crypto %s", str, buf); 944 while( (e=ERR_get_error()) ) { 945 ERR_error_string_n(e, buf, sizeof(buf)); 946 log_err("and additionally crypto %s", buf); 947 } 948 #else 949 (void)str; 950 (void)err; 951 #endif /* HAVE_SSL */ 952 } 953 954 #ifdef HAVE_SSL 955 /** log certificate details */ 956 void 957 log_cert(unsigned level, const char* str, void* cert) 958 { 959 BIO* bio; 960 char nul = 0; 961 char* pp = NULL; 962 long len; 963 if(verbosity < level) return; 964 bio = BIO_new(BIO_s_mem()); 965 if(!bio) return; 966 X509_print_ex(bio, (X509*)cert, 0, (unsigned long)-1 967 ^(X509_FLAG_NO_SUBJECT 968 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY 969 |X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX 970 |X509_FLAG_NO_ATTRIBUTES)); 971 BIO_write(bio, &nul, (int)sizeof(nul)); 972 len = BIO_get_mem_data(bio, &pp); 973 if(len != 0 && pp) { 974 /* reduce size of cert printout */ 975 char* s; 976 while((s=strstr(pp, " "))!=NULL) 977 memmove(s, s+1, strlen(s+1)+1); 978 while((s=strstr(pp, "\t\t"))!=NULL) 979 memmove(s, s+1, strlen(s+1)+1); 980 verbose(level, "%s: \n%s", str, pp); 981 } 982 BIO_free(bio); 983 } 984 #endif /* HAVE_SSL */ 985 986 #if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) 987 static int alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out, 988 unsigned char* outlen, const unsigned char* in, unsigned int inlen, 989 void* ATTR_UNUSED(arg)) 990 { 991 int rv = nghttp2_select_next_protocol((unsigned char **)out, outlen, in, 992 inlen); 993 if(rv == -1) { 994 return SSL_TLSEXT_ERR_NOACK; 995 } 996 /* either http/1.1 or h2 selected */ 997 return SSL_TLSEXT_ERR_OK; 998 } 999 #endif 1000 1001 int 1002 listen_sslctx_setup(void* ctxt) 1003 { 1004 #ifdef HAVE_SSL 1005 SSL_CTX* ctx = (SSL_CTX*)ctxt; 1006 /* no SSLv2, SSLv3 because has defects */ 1007 #if SSL_OP_NO_SSLv2 != 0 1008 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) 1009 != SSL_OP_NO_SSLv2){ 1010 log_crypto_err("could not set SSL_OP_NO_SSLv2"); 1011 return 0; 1012 } 1013 #endif 1014 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) 1015 != SSL_OP_NO_SSLv3){ 1016 log_crypto_err("could not set SSL_OP_NO_SSLv3"); 1017 return 0; 1018 } 1019 #if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1) 1020 /* if we have tls 1.1 disable 1.0 */ 1021 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1) 1022 != SSL_OP_NO_TLSv1){ 1023 log_crypto_err("could not set SSL_OP_NO_TLSv1"); 1024 return 0; 1025 } 1026 #endif 1027 #if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2) 1028 /* if we have tls 1.2 disable 1.1 */ 1029 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1) 1030 != SSL_OP_NO_TLSv1_1){ 1031 log_crypto_err("could not set SSL_OP_NO_TLSv1_1"); 1032 return 0; 1033 } 1034 #endif 1035 #if defined(SSL_OP_NO_RENEGOTIATION) 1036 /* disable client renegotiation */ 1037 if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & 1038 SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { 1039 log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); 1040 return 0; 1041 } 1042 #endif 1043 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) 1044 /* if we detect system-wide crypto policies, use those */ 1045 if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) { 1046 /* if we have sha256, set the cipher list to have no known vulns */ 1047 if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) 1048 log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); 1049 } 1050 #endif 1051 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF) 1052 /* ignore errors when peers do not send the mandatory close_notify 1053 * alert on shutdown. 1054 * Relevant for openssl >= 3 */ 1055 if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) & 1056 SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) { 1057 log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF"); 1058 return 0; 1059 } 1060 #endif 1061 1062 if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) & 1063 SSL_OP_CIPHER_SERVER_PREFERENCE) != 1064 SSL_OP_CIPHER_SERVER_PREFERENCE) { 1065 log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE"); 1066 return 0; 1067 } 1068 1069 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL 1070 SSL_CTX_set_security_level(ctx, 0); 1071 #endif 1072 #if defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) && defined(HAVE_NGHTTP2) 1073 SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb, NULL); 1074 #endif 1075 #else 1076 (void)ctxt; 1077 #endif /* HAVE_SSL */ 1078 return 1; 1079 } 1080 1081 void 1082 listen_sslctx_setup_2(void* ctxt) 1083 { 1084 #ifdef HAVE_SSL 1085 SSL_CTX* ctx = (SSL_CTX*)ctxt; 1086 (void)ctx; 1087 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO 1088 if(!SSL_CTX_set_ecdh_auto(ctx,1)) { 1089 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); 1090 } 1091 #elif defined(USE_ECDSA) 1092 if(1) { 1093 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); 1094 if (!ecdh) { 1095 log_crypto_err("could not find p256, not enabling ECDHE"); 1096 } else { 1097 if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) { 1098 log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE"); 1099 } 1100 EC_KEY_free (ecdh); 1101 } 1102 } 1103 #endif 1104 #else 1105 (void)ctxt; 1106 #endif /* HAVE_SSL */ 1107 } 1108 1109 void* listen_sslctx_create(char* key, char* pem, char* verifypem) 1110 { 1111 #ifdef HAVE_SSL 1112 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); 1113 if(!ctx) { 1114 log_crypto_err("could not SSL_CTX_new"); 1115 return NULL; 1116 } 1117 if(!key || key[0] == 0) { 1118 log_err("error: no tls-service-key file specified"); 1119 SSL_CTX_free(ctx); 1120 return NULL; 1121 } 1122 if(!pem || pem[0] == 0) { 1123 log_err("error: no tls-service-pem file specified"); 1124 SSL_CTX_free(ctx); 1125 return NULL; 1126 } 1127 if(!listen_sslctx_setup(ctx)) { 1128 SSL_CTX_free(ctx); 1129 return NULL; 1130 } 1131 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { 1132 log_err("error for cert file: %s", pem); 1133 log_crypto_err("error in SSL_CTX use_certificate_chain_file"); 1134 SSL_CTX_free(ctx); 1135 return NULL; 1136 } 1137 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { 1138 log_err("error for private key file: %s", key); 1139 log_crypto_err("Error in SSL_CTX use_PrivateKey_file"); 1140 SSL_CTX_free(ctx); 1141 return NULL; 1142 } 1143 if(!SSL_CTX_check_private_key(ctx)) { 1144 log_err("error for key file: %s", key); 1145 log_crypto_err("Error in SSL_CTX check_private_key"); 1146 SSL_CTX_free(ctx); 1147 return NULL; 1148 } 1149 listen_sslctx_setup_2(ctx); 1150 if(verifypem && verifypem[0]) { 1151 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { 1152 log_crypto_err("Error in SSL_CTX verify locations"); 1153 SSL_CTX_free(ctx); 1154 return NULL; 1155 } 1156 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file( 1157 verifypem)); 1158 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); 1159 } 1160 return ctx; 1161 #else 1162 (void)key; (void)pem; (void)verifypem; 1163 return NULL; 1164 #endif 1165 } 1166 1167 #ifdef USE_WINSOCK 1168 /* For windows, the CA trust store is not read by openssl. 1169 Add code to open the trust store using wincrypt API and add 1170 the root certs into openssl trust store */ 1171 static int 1172 add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx) 1173 { 1174 HCERTSTORE hSystemStore; 1175 PCCERT_CONTEXT pTargetCert = NULL; 1176 X509_STORE* store; 1177 1178 verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store"); 1179 1180 /* load just once per context lifetime for this version 1181 TODO: dynamically update CA trust changes as they are available */ 1182 if (!tls_ctx) 1183 return 0; 1184 1185 /* Call wincrypt's CertOpenStore to open the CA root store. */ 1186 1187 if ((hSystemStore = CertOpenStore( 1188 CERT_STORE_PROV_SYSTEM, 1189 0, 1190 0, 1191 /* NOTE: mingw does not have this const: replace with 1 << 16 from code 1192 CERT_SYSTEM_STORE_CURRENT_USER, */ 1193 1 << 16, 1194 L"root")) == 0) 1195 { 1196 return 0; 1197 } 1198 1199 store = SSL_CTX_get_cert_store(tls_ctx); 1200 if (!store) 1201 return 0; 1202 1203 /* failure if the CA store is empty or the call fails */ 1204 if ((pTargetCert = CertEnumCertificatesInStore( 1205 hSystemStore, pTargetCert)) == 0) { 1206 verbose(VERB_ALGO, "CA certificate store for Windows is empty."); 1207 return 0; 1208 } 1209 /* iterate over the windows cert store and add to openssl store */ 1210 do 1211 { 1212 X509 *cert1 = d2i_X509(NULL, 1213 (const unsigned char **)&pTargetCert->pbCertEncoded, 1214 pTargetCert->cbCertEncoded); 1215 if (!cert1) { 1216 unsigned long error = ERR_get_error(); 1217 /* return error if a cert fails */ 1218 verbose(VERB_ALGO, "%s %d:%s", 1219 "Unable to parse certificate in memory", 1220 (int)error, ERR_error_string(error, NULL)); 1221 return 0; 1222 } 1223 else { 1224 /* return error if a cert add to store fails */ 1225 if (X509_STORE_add_cert(store, cert1) == 0) { 1226 unsigned long error = ERR_peek_last_error(); 1227 1228 /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the 1229 * certificate is already in the store. */ 1230 if(ERR_GET_LIB(error) != ERR_LIB_X509 || 1231 ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) { 1232 error = ERR_get_error(); 1233 verbose(VERB_ALGO, "%s %d:%s\n", 1234 "Error adding certificate", (int)error, 1235 ERR_error_string(error, NULL)); 1236 X509_free(cert1); 1237 return 0; 1238 } 1239 } 1240 X509_free(cert1); 1241 } 1242 } while ((pTargetCert = CertEnumCertificatesInStore( 1243 hSystemStore, pTargetCert)) != 0); 1244 1245 /* Clean up memory and quit. */ 1246 if (pTargetCert) 1247 CertFreeCertificateContext(pTargetCert); 1248 if (hSystemStore) 1249 { 1250 if (!CertCloseStore( 1251 hSystemStore, 0)) 1252 return 0; 1253 } 1254 verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully"); 1255 return 1; 1256 } 1257 #endif /* USE_WINSOCK */ 1258 1259 void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert) 1260 { 1261 #ifdef HAVE_SSL 1262 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method()); 1263 if(!ctx) { 1264 log_crypto_err("could not allocate SSL_CTX pointer"); 1265 return NULL; 1266 } 1267 #if SSL_OP_NO_SSLv2 != 0 1268 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) 1269 != SSL_OP_NO_SSLv2) { 1270 log_crypto_err("could not set SSL_OP_NO_SSLv2"); 1271 SSL_CTX_free(ctx); 1272 return NULL; 1273 } 1274 #endif 1275 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) 1276 != SSL_OP_NO_SSLv3) { 1277 log_crypto_err("could not set SSL_OP_NO_SSLv3"); 1278 SSL_CTX_free(ctx); 1279 return NULL; 1280 } 1281 #if defined(SSL_OP_NO_RENEGOTIATION) 1282 /* disable client renegotiation */ 1283 if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & 1284 SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { 1285 log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); 1286 SSL_CTX_free(ctx); 1287 return 0; 1288 } 1289 #endif 1290 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF) 1291 /* ignore errors when peers do not send the mandatory close_notify 1292 * alert on shutdown. 1293 * Relevant for openssl >= 3 */ 1294 if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) & 1295 SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) { 1296 log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF"); 1297 SSL_CTX_free(ctx); 1298 return 0; 1299 } 1300 #endif 1301 if(key && key[0]) { 1302 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { 1303 log_err("error in client certificate %s", pem); 1304 log_crypto_err("error in certificate file"); 1305 SSL_CTX_free(ctx); 1306 return NULL; 1307 } 1308 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { 1309 log_err("error in client private key %s", key); 1310 log_crypto_err("error in key file"); 1311 SSL_CTX_free(ctx); 1312 return NULL; 1313 } 1314 if(!SSL_CTX_check_private_key(ctx)) { 1315 log_err("error in client key %s", key); 1316 log_crypto_err("error in SSL_CTX_check_private_key"); 1317 SSL_CTX_free(ctx); 1318 return NULL; 1319 } 1320 } 1321 if((verifypem && verifypem[0]) || wincert) { 1322 if(verifypem && verifypem[0]) { 1323 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { 1324 log_crypto_err("error in SSL_CTX verify"); 1325 SSL_CTX_free(ctx); 1326 return NULL; 1327 } 1328 } 1329 #ifdef USE_WINSOCK 1330 if(wincert) { 1331 if(!add_WIN_cacerts_to_openssl_store(ctx)) { 1332 log_crypto_err("error in add_WIN_cacerts_to_openssl_store"); 1333 SSL_CTX_free(ctx); 1334 return NULL; 1335 } 1336 } 1337 #else 1338 if(wincert) { 1339 if(!SSL_CTX_set_default_verify_paths(ctx)) { 1340 log_crypto_err("error in default_verify_paths"); 1341 SSL_CTX_free(ctx); 1342 return NULL; 1343 } 1344 } 1345 #endif 1346 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 1347 } 1348 return ctx; 1349 #else 1350 (void)key; (void)pem; (void)verifypem; (void)wincert; 1351 return NULL; 1352 #endif 1353 } 1354 1355 void* incoming_ssl_fd(void* sslctx, int fd) 1356 { 1357 #ifdef HAVE_SSL 1358 SSL* ssl = SSL_new((SSL_CTX*)sslctx); 1359 if(!ssl) { 1360 log_crypto_err("could not SSL_new"); 1361 return NULL; 1362 } 1363 SSL_set_accept_state(ssl); 1364 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); 1365 if(!SSL_set_fd(ssl, fd)) { 1366 log_crypto_err("could not SSL_set_fd"); 1367 SSL_free(ssl); 1368 return NULL; 1369 } 1370 return ssl; 1371 #else 1372 (void)sslctx; (void)fd; 1373 return NULL; 1374 #endif 1375 } 1376 1377 void* outgoing_ssl_fd(void* sslctx, int fd) 1378 { 1379 #ifdef HAVE_SSL 1380 SSL* ssl = SSL_new((SSL_CTX*)sslctx); 1381 if(!ssl) { 1382 log_crypto_err("could not SSL_new"); 1383 return NULL; 1384 } 1385 SSL_set_connect_state(ssl); 1386 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); 1387 if(!SSL_set_fd(ssl, fd)) { 1388 log_crypto_err("could not SSL_set_fd"); 1389 SSL_free(ssl); 1390 return NULL; 1391 } 1392 return ssl; 1393 #else 1394 (void)sslctx; (void)fd; 1395 return NULL; 1396 #endif 1397 } 1398 1399 int check_auth_name_for_ssl(char* auth_name) 1400 { 1401 if(!auth_name) return 1; 1402 #if defined(HAVE_SSL) && !defined(HAVE_SSL_SET1_HOST) && !defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) 1403 log_err("the query has an auth_name %s, but libssl has no call to " 1404 "perform TLS authentication. Remove that name from config " 1405 "or upgrade the ssl crypto library.", auth_name); 1406 return 0; 1407 #else 1408 return 1; 1409 #endif 1410 } 1411 1412 /** set the authname on an SSL structure, SSL* ssl */ 1413 int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni) 1414 { 1415 if(!auth_name) return 1; 1416 #ifdef HAVE_SSL 1417 if(use_sni) { 1418 (void)SSL_set_tlsext_host_name(ssl, auth_name); 1419 } 1420 #else 1421 (void)ssl; 1422 (void)use_sni; 1423 #endif 1424 #ifdef HAVE_SSL_SET1_HOST 1425 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL); 1426 /* setting the hostname makes openssl verify the 1427 * host name in the x509 certificate in the 1428 * SSL connection*/ 1429 if(!SSL_set1_host(ssl, auth_name)) { 1430 log_err("SSL_set1_host failed"); 1431 return 0; 1432 } 1433 #elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) 1434 /* openssl 1.0.2 has this function that can be used for 1435 * set1_host like verification */ 1436 if(auth_name) { 1437 X509_VERIFY_PARAM* param = SSL_get0_param(ssl); 1438 # ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 1439 X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); 1440 # endif 1441 if(!X509_VERIFY_PARAM_set1_host(param, auth_name, strlen(auth_name))) { 1442 log_err("X509_VERIFY_PARAM_set1_host failed"); 1443 return 0; 1444 } 1445 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL); 1446 } 1447 #else 1448 verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication"); 1449 #endif /* HAVE_SSL_SET1_HOST */ 1450 return 1; 1451 } 1452 1453 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1454 /** global lock list for openssl locks */ 1455 static lock_basic_type *ub_openssl_locks = NULL; 1456 1457 /** callback that gets thread id for openssl */ 1458 #ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK 1459 static void 1460 ub_crypto_id_cb(CRYPTO_THREADID *id) 1461 { 1462 CRYPTO_THREADID_set_numeric(id, (unsigned long)log_thread_get()); 1463 } 1464 #else 1465 static unsigned long 1466 ub_crypto_id_cb(void) 1467 { 1468 return (unsigned long)log_thread_get(); 1469 } 1470 #endif 1471 1472 static void 1473 ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file), 1474 int ATTR_UNUSED(line)) 1475 { 1476 if((mode&CRYPTO_LOCK)) { 1477 lock_basic_lock(&ub_openssl_locks[type]); 1478 } else { 1479 lock_basic_unlock(&ub_openssl_locks[type]); 1480 } 1481 } 1482 #endif /* OPENSSL_THREADS */ 1483 1484 int ub_openssl_lock_init(void) 1485 { 1486 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1487 int i; 1488 ub_openssl_locks = (lock_basic_type*)reallocarray( 1489 NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_type)); 1490 if(!ub_openssl_locks) 1491 return 0; 1492 for(i=0; i<CRYPTO_num_locks(); i++) { 1493 lock_basic_init(&ub_openssl_locks[i]); 1494 } 1495 # ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK 1496 CRYPTO_THREADID_set_callback(&ub_crypto_id_cb); 1497 # else 1498 CRYPTO_set_id_callback(&ub_crypto_id_cb); 1499 # endif 1500 CRYPTO_set_locking_callback(&ub_crypto_lock_cb); 1501 #endif /* OPENSSL_THREADS */ 1502 return 1; 1503 } 1504 1505 void ub_openssl_lock_delete(void) 1506 { 1507 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1508 int i; 1509 if(!ub_openssl_locks) 1510 return; 1511 # ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK 1512 CRYPTO_THREADID_set_callback(NULL); 1513 # else 1514 CRYPTO_set_id_callback(NULL); 1515 # endif 1516 CRYPTO_set_locking_callback(NULL); 1517 for(i=0; i<CRYPTO_num_locks(); i++) { 1518 lock_basic_destroy(&ub_openssl_locks[i]); 1519 } 1520 free(ub_openssl_locks); 1521 #endif /* OPENSSL_THREADS */ 1522 } 1523 1524 int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_session_ticket_keys) { 1525 #ifdef HAVE_SSL 1526 size_t s = 1; 1527 struct config_strlist* p; 1528 struct tls_session_ticket_key *keys; 1529 for(p = tls_session_ticket_keys; p; p = p->next) { 1530 s++; 1531 } 1532 keys = calloc(s, sizeof(struct tls_session_ticket_key)); 1533 if(!keys) 1534 return 0; 1535 memset(keys, 0, s*sizeof(*keys)); 1536 ticket_keys = keys; 1537 1538 for(p = tls_session_ticket_keys; p; p = p->next) { 1539 size_t n; 1540 unsigned char *data; 1541 FILE *f; 1542 1543 data = (unsigned char *)malloc(80); 1544 if(!data) 1545 return 0; 1546 1547 f = fopen(p->str, "rb"); 1548 if(!f) { 1549 log_err("could not read tls-session-ticket-key %s: %s", p->str, strerror(errno)); 1550 free(data); 1551 return 0; 1552 } 1553 n = fread(data, 1, 80, f); 1554 fclose(f); 1555 1556 if(n != 80) { 1557 log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", p->str, (int)n); 1558 free(data); 1559 return 0; 1560 } 1561 verbose(VERB_OPS, "read tls-session-ticket-key: %s", p->str); 1562 1563 keys->key_name = data; 1564 keys->aes_key = data + 16; 1565 keys->hmac_key = data + 48; 1566 keys++; 1567 } 1568 /* terminate array with NULL key name entry */ 1569 keys->key_name = NULL; 1570 # ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1571 if(SSL_CTX_set_tlsext_ticket_key_evp_cb(sslctx, tls_session_ticket_key_cb) == 0) { 1572 log_err("no support for TLS session ticket"); 1573 return 0; 1574 } 1575 # else 1576 if(SSL_CTX_set_tlsext_ticket_key_cb(sslctx, tls_session_ticket_key_cb) == 0) { 1577 log_err("no support for TLS session ticket"); 1578 return 0; 1579 } 1580 # endif 1581 return 1; 1582 #else 1583 (void)sslctx; 1584 (void)tls_session_ticket_keys; 1585 return 0; 1586 #endif 1587 1588 } 1589 1590 #ifdef HAVE_SSL 1591 int tls_session_ticket_key_cb(SSL *ATTR_UNUSED(sslctx), unsigned char* key_name, 1592 unsigned char* iv, EVP_CIPHER_CTX *evp_sctx, 1593 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1594 EVP_MAC_CTX *hmac_ctx, 1595 #else 1596 HMAC_CTX* hmac_ctx, 1597 #endif 1598 int enc) 1599 { 1600 #ifdef HAVE_SSL 1601 # ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1602 OSSL_PARAM params[3]; 1603 # else 1604 const EVP_MD *digest; 1605 # endif 1606 const EVP_CIPHER *cipher; 1607 int evp_cipher_length; 1608 # ifndef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1609 digest = EVP_sha256(); 1610 # endif 1611 cipher = EVP_aes_256_cbc(); 1612 evp_cipher_length = EVP_CIPHER_iv_length(cipher); 1613 if( enc == 1 ) { 1614 /* encrypt */ 1615 verbose(VERB_CLIENT, "start session encrypt"); 1616 memcpy(key_name, ticket_keys->key_name, 16); 1617 if (RAND_bytes(iv, evp_cipher_length) != 1) { 1618 verbose(VERB_CLIENT, "RAND_bytes failed"); 1619 return -1; 1620 } 1621 if (EVP_EncryptInit_ex(evp_sctx, cipher, NULL, ticket_keys->aes_key, iv) != 1) { 1622 verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed"); 1623 return -1; 1624 } 1625 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1626 params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, 1627 ticket_keys->hmac_key, 32); 1628 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, 1629 "sha256", 0); 1630 params[2] = OSSL_PARAM_construct_end(); 1631 #ifdef HAVE_EVP_MAC_CTX_SET_PARAMS 1632 EVP_MAC_CTX_set_params(hmac_ctx, params); 1633 #else 1634 EVP_MAC_set_ctx_params(hmac_ctx, params); 1635 #endif 1636 #elif !defined(HMAC_INIT_EX_RETURNS_VOID) 1637 if (HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL) != 1) { 1638 verbose(VERB_CLIENT, "HMAC_Init_ex failed"); 1639 return -1; 1640 } 1641 #else 1642 HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL); 1643 #endif 1644 return 1; 1645 } else if (enc == 0) { 1646 /* decrypt */ 1647 struct tls_session_ticket_key *key; 1648 verbose(VERB_CLIENT, "start session decrypt"); 1649 for(key = ticket_keys; key->key_name != NULL; key++) { 1650 if (!memcmp(key_name, key->key_name, 16)) { 1651 verbose(VERB_CLIENT, "Found session_key"); 1652 break; 1653 } 1654 } 1655 if(key->key_name == NULL) { 1656 verbose(VERB_CLIENT, "Not found session_key"); 1657 return 0; 1658 } 1659 1660 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1661 params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, 1662 key->hmac_key, 32); 1663 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, 1664 "sha256", 0); 1665 params[2] = OSSL_PARAM_construct_end(); 1666 #ifdef HAVE_EVP_MAC_CTX_SET_PARAMS 1667 EVP_MAC_CTX_set_params(hmac_ctx, params); 1668 #else 1669 EVP_MAC_set_ctx_params(hmac_ctx, params); 1670 #endif 1671 #elif !defined(HMAC_INIT_EX_RETURNS_VOID) 1672 if (HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL) != 1) { 1673 verbose(VERB_CLIENT, "HMAC_Init_ex failed"); 1674 return -1; 1675 } 1676 #else 1677 HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL); 1678 #endif 1679 if (EVP_DecryptInit_ex(evp_sctx, cipher, NULL, key->aes_key, iv) != 1) { 1680 log_err("EVP_DecryptInit_ex failed"); 1681 return -1; 1682 } 1683 1684 return (key == ticket_keys) ? 1 : 2; 1685 } 1686 return -1; 1687 #else 1688 (void)key_name; 1689 (void)iv; 1690 (void)evp_sctx; 1691 (void)hmac_ctx; 1692 (void)enc; 1693 return 0; 1694 #endif 1695 } 1696 #endif /* HAVE_SSL */ 1697 1698 void 1699 listen_sslctx_delete_ticket_keys(void) 1700 { 1701 struct tls_session_ticket_key *key; 1702 if(!ticket_keys) return; 1703 for(key = ticket_keys; key->key_name != NULL; key++) { 1704 /* wipe key data from memory*/ 1705 #ifdef HAVE_EXPLICIT_BZERO 1706 explicit_bzero(key->key_name, 80); 1707 #else 1708 memset(key->key_name, 0xdd, 80); 1709 #endif 1710 free(key->key_name); 1711 } 1712 free(ticket_keys); 1713 ticket_keys = NULL; 1714 } 1715 1716 # ifndef USE_WINSOCK 1717 char* 1718 sock_strerror(int errn) 1719 { 1720 return strerror(errn); 1721 } 1722 1723 void 1724 sock_close(int socket) 1725 { 1726 close(socket); 1727 } 1728 1729 # else 1730 char* 1731 sock_strerror(int ATTR_UNUSED(errn)) 1732 { 1733 return wsa_strerror(WSAGetLastError()); 1734 } 1735 1736 void 1737 sock_close(int socket) 1738 { 1739 closesocket(socket); 1740 } 1741 # endif /* USE_WINSOCK */ 1742