1 /*
2 * util/net_help.c - implementation of the network helper code
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35 /**
36 * \file
37 * Implementation of net_help.h.
38 */
39
40 #include "config.h"
41 #ifdef HAVE_SYS_TYPES_H
42 # include <sys/types.h>
43 #endif
44 #ifdef HAVE_NET_IF_H
45 #include <net/if.h>
46 #endif
47 #ifdef HAVE_NETIOAPI_H
48 #include <netioapi.h>
49 #endif
50 #include "util/net_help.h"
51 #include "util/log.h"
52 #include "util/data/dname.h"
53 #include "util/module.h"
54 #include "util/regional.h"
55 #include "util/config_file.h"
56 #include "sldns/parseutil.h"
57 #include "sldns/wire2str.h"
58 #include "sldns/str2wire.h"
59 #include <fcntl.h>
60 #ifdef HAVE_OPENSSL_SSL_H
61 #include <openssl/ssl.h>
62 #include <openssl/evp.h>
63 #include <openssl/rand.h>
64 #endif
65 #ifdef HAVE_OPENSSL_ERR_H
66 #include <openssl/err.h>
67 #endif
68 #ifdef HAVE_OPENSSL_CORE_NAMES_H
69 #include <openssl/core_names.h>
70 #endif
71 #ifdef USE_WINSOCK
72 #include <wincrypt.h>
73 #endif
74 #ifdef HAVE_NGHTTP2_NGHTTP2_H
75 #include <nghttp2/nghttp2.h>
76 #endif
77
78 /** max length of an IP address (the address portion) that we allow */
79 #define MAX_ADDR_STRLEN 128 /* characters */
80 /** max length of a hostname (with port and tls name) that we allow */
81 #define MAX_HOST_STRLEN (LDNS_MAX_DOMAINLEN * 3) /* characters */
82 /** default value for EDNS ADVERTISED size */
83 uint16_t EDNS_ADVERTISED_SIZE = 4096;
84
85 /** minimal responses when positive answer: default is no */
86 int MINIMAL_RESPONSES = 0;
87
88 /** rrset order roundrobin: default is yes */
89 int RRSET_ROUNDROBIN = 1;
90
91 /** log tag queries with name instead of 'info' for filtering */
92 int LOG_TAG_QUERYREPLY = 0;
93
94 static struct tls_session_ticket_key {
95 unsigned char *key_name;
96 unsigned char *aes_key;
97 unsigned char *hmac_key;
98 } *ticket_keys;
99
100 #ifdef HAVE_SSL
101 /**
102 * callback TLS session ticket encrypt and decrypt
103 * For use with SSL_CTX_set_tlsext_ticket_key_cb or
104 * SSL_CTX_set_tlsext_ticket_key_evp_cb
105 * @param s: the SSL_CTX to use (from connect_sslctx_create())
106 * @param key_name: secret name, 16 bytes
107 * @param iv: up to EVP_MAX_IV_LENGTH.
108 * @param evp_ctx: the evp cipher context, function sets this.
109 * @param hmac_ctx: the hmac context, function sets this.
110 * with ..key_cb it is of type HMAC_CTX*
111 * with ..key_evp_cb it is of type EVP_MAC_CTX*
112 * @param enc: 1 is encrypt, 0 is decrypt
113 * @return 0 on no ticket, 1 for okay, and 2 for okay but renew the ticket
114 * (the ticket is decrypt only). and <0 for failures.
115 */
116 int tls_session_ticket_key_cb(SSL *s, unsigned char* key_name,
117 unsigned char* iv, EVP_CIPHER_CTX *evp_ctx,
118 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
119 EVP_MAC_CTX *hmac_ctx,
120 #else
121 HMAC_CTX* hmac_ctx,
122 #endif
123 int enc);
124 #endif /* HAVE_SSL */
125
126 /* returns true is string addr is an ip6 specced address */
127 int
str_is_ip6(const char * str)128 str_is_ip6(const char* str)
129 {
130 if(strchr(str, ':'))
131 return 1;
132 else return 0;
133 }
134
135 int
fd_set_nonblock(int s)136 fd_set_nonblock(int s)
137 {
138 #ifdef HAVE_FCNTL
139 int flag;
140 if((flag = fcntl(s, F_GETFL)) == -1) {
141 log_err("can't fcntl F_GETFL: %s", strerror(errno));
142 flag = 0;
143 }
144 flag |= O_NONBLOCK;
145 if(fcntl(s, F_SETFL, flag) == -1) {
146 log_err("can't fcntl F_SETFL: %s", strerror(errno));
147 return 0;
148 }
149 #elif defined(HAVE_IOCTLSOCKET)
150 unsigned long on = 1;
151 if(ioctlsocket(s, FIONBIO, &on) != 0) {
152 log_err("can't ioctlsocket FIONBIO on: %s",
153 wsa_strerror(WSAGetLastError()));
154 }
155 #endif
156 return 1;
157 }
158
159 int
fd_set_block(int s)160 fd_set_block(int s)
161 {
162 #ifdef HAVE_FCNTL
163 int flag;
164 if((flag = fcntl(s, F_GETFL)) == -1) {
165 log_err("cannot fcntl F_GETFL: %s", strerror(errno));
166 flag = 0;
167 }
168 flag &= ~O_NONBLOCK;
169 if(fcntl(s, F_SETFL, flag) == -1) {
170 log_err("cannot fcntl F_SETFL: %s", strerror(errno));
171 return 0;
172 }
173 #elif defined(HAVE_IOCTLSOCKET)
174 unsigned long off = 0;
175 if(ioctlsocket(s, FIONBIO, &off) != 0) {
176 if(WSAGetLastError() != WSAEINVAL || verbosity >= 4)
177 log_err("can't ioctlsocket FIONBIO off: %s",
178 wsa_strerror(WSAGetLastError()));
179 }
180 #endif
181 return 1;
182 }
183
184 int
is_pow2(size_t num)185 is_pow2(size_t num)
186 {
187 if(num == 0) return 1;
188 return (num & (num-1)) == 0;
189 }
190
191 void*
memdup(void * data,size_t len)192 memdup(void* data, size_t len)
193 {
194 void* d;
195 if(!data) return NULL;
196 if(len == 0) return NULL;
197 d = malloc(len);
198 if(!d) return NULL;
199 memcpy(d, data, len);
200 return d;
201 }
202
203 void
log_addr(enum verbosity_value v,const char * str,struct sockaddr_storage * addr,socklen_t addrlen)204 log_addr(enum verbosity_value v, const char* str,
205 struct sockaddr_storage* addr, socklen_t addrlen)
206 {
207 uint16_t port;
208 const char* family = "unknown";
209 char dest[100];
210 int af = (int)((struct sockaddr_in*)addr)->sin_family;
211 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
212 if(verbosity < v)
213 return;
214 switch(af) {
215 case AF_INET: family="ip4"; break;
216 case AF_INET6: family="ip6";
217 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
218 break;
219 case AF_LOCAL:
220 dest[0]=0;
221 (void)inet_ntop(af, sinaddr, dest,
222 (socklen_t)sizeof(dest));
223 verbose(v, "%s local %s", str, dest);
224 return; /* do not continue and try to get port */
225 default: break;
226 }
227 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
228 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
229 }
230 dest[sizeof(dest)-1] = 0;
231 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
232 if(verbosity >= 4)
233 verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
234 (int)port, (int)addrlen);
235 else verbose(v, "%s %s port %d", str, dest, (int)port);
236 }
237
238 int
extstrtoaddr(const char * str,struct sockaddr_storage * addr,socklen_t * addrlen,int port)239 extstrtoaddr(const char* str, struct sockaddr_storage* addr,
240 socklen_t* addrlen, int port)
241 {
242 char* s;
243 if((s=strchr(str, '@'))) {
244 char buf[MAX_ADDR_STRLEN];
245 if(s-str >= MAX_ADDR_STRLEN) {
246 return 0;
247 }
248 (void)strlcpy(buf, str, sizeof(buf));
249 buf[s-str] = 0;
250 port = atoi(s+1);
251 if(port == 0 && strcmp(s+1,"0")!=0) {
252 return 0;
253 }
254 return ipstrtoaddr(buf, port, addr, addrlen);
255 }
256 return ipstrtoaddr(str, port, addr, addrlen);
257 }
258
259 int
ipstrtoaddr(const char * ip,int port,struct sockaddr_storage * addr,socklen_t * addrlen)260 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
261 socklen_t* addrlen)
262 {
263 uint16_t p;
264 if(!ip) return 0;
265 p = (uint16_t) port;
266 if(str_is_ip6(ip)) {
267 char buf[MAX_ADDR_STRLEN];
268 char* s;
269 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
270 *addrlen = (socklen_t)sizeof(struct sockaddr_in6);
271 memset(sa, 0, *addrlen);
272 sa->sin6_family = AF_INET6;
273 sa->sin6_port = (in_port_t)htons(p);
274 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */
275 if(s-ip >= MAX_ADDR_STRLEN)
276 return 0;
277 (void)strlcpy(buf, ip, sizeof(buf));
278 buf[s-ip]=0;
279 #ifdef HAVE_IF_NAMETOINDEX
280 if (!(sa->sin6_scope_id = if_nametoindex(s+1)))
281 #endif /* HAVE_IF_NAMETOINDEX */
282 sa->sin6_scope_id = (uint32_t)atoi(s+1);
283 ip = buf;
284 }
285 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) {
286 return 0;
287 }
288 } else { /* ip4 */
289 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
290 *addrlen = (socklen_t)sizeof(struct sockaddr_in);
291 memset(sa, 0, *addrlen);
292 sa->sin_family = AF_INET;
293 sa->sin_port = (in_port_t)htons(p);
294 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) {
295 return 0;
296 }
297 }
298 return 1;
299 }
300
netblockstrtoaddr(const char * str,int port,struct sockaddr_storage * addr,socklen_t * addrlen,int * net)301 int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr,
302 socklen_t* addrlen, int* net)
303 {
304 char buf[64];
305 char* s;
306 *net = (str_is_ip6(str)?128:32);
307 if((s=strchr(str, '/'))) {
308 if(atoi(s+1) > *net) {
309 log_err("netblock too large: %s", str);
310 return 0;
311 }
312 *net = atoi(s+1);
313 if(*net == 0 && strcmp(s+1, "0") != 0) {
314 log_err("cannot parse netblock: '%s'", str);
315 return 0;
316 }
317 strlcpy(buf, str, sizeof(buf));
318 s = strchr(buf, '/');
319 if(s) *s = 0;
320 s = buf;
321 }
322 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) {
323 log_err("cannot parse ip address: '%s'", str);
324 return 0;
325 }
326 if(s) {
327 addr_mask(addr, *addrlen, *net);
328 }
329 return 1;
330 }
331
332 /* RPZ format address dname to network byte order address */
ipdnametoaddr(uint8_t * dname,size_t dnamelen,struct sockaddr_storage * addr,socklen_t * addrlen,int * af)333 static int ipdnametoaddr(uint8_t* dname, size_t dnamelen,
334 struct sockaddr_storage* addr, socklen_t* addrlen, int* af)
335 {
336 uint8_t* ia;
337 int dnamelabs = dname_count_labels(dname);
338 uint8_t lablen;
339 char* e = NULL;
340 int z = 0;
341 size_t len = 0;
342 int i;
343 *af = AF_INET;
344
345 /* need 1 byte for label length */
346 if(dnamelen < 1)
347 return 0;
348
349 if(dnamelabs > 6 ||
350 dname_has_label(dname, dnamelen, (uint8_t*)"\002zz")) {
351 *af = AF_INET6;
352 }
353 len = *dname;
354 lablen = *dname++;
355 i = (*af == AF_INET) ? 3 : 15;
356 if(*af == AF_INET6) {
357 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
358 *addrlen = (socklen_t)sizeof(struct sockaddr_in6);
359 memset(sa, 0, *addrlen);
360 sa->sin6_family = AF_INET6;
361 ia = (uint8_t*)&sa->sin6_addr;
362 } else { /* ip4 */
363 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
364 *addrlen = (socklen_t)sizeof(struct sockaddr_in);
365 memset(sa, 0, *addrlen);
366 sa->sin_family = AF_INET;
367 ia = (uint8_t*)&sa->sin_addr;
368 }
369 while(lablen && i >= 0 && len <= dnamelen) {
370 char buff[LDNS_MAX_LABELLEN+1];
371 uint16_t chunk; /* big enough to not overflow on IPv6 hextet */
372 if((*af == AF_INET && (lablen > 3 || dnamelabs > 6)) ||
373 (*af == AF_INET6 && (lablen > 4 || dnamelabs > 10))) {
374 return 0;
375 }
376 if(memcmp(dname, "zz", 2) == 0 && *af == AF_INET6) {
377 /* Add one or more 0 labels. Address is initialised at
378 * 0, so just skip the zero part. */
379 int zl = 11 - dnamelabs;
380 if(z || zl < 0)
381 return 0;
382 z = 1;
383 i -= (zl*2);
384 } else {
385 memcpy(buff, dname, lablen);
386 buff[lablen] = '\0';
387 chunk = strtol(buff, &e, (*af == AF_INET) ? 10 : 16);
388 if(!e || *e != '\0' || (*af == AF_INET && chunk > 255))
389 return 0;
390 if(*af == AF_INET) {
391 log_assert(i < 4 && i >= 0);
392 ia[i] = (uint8_t)chunk;
393 i--;
394 } else {
395 log_assert(i < 16 && i >= 1);
396 /* ia in network byte order */
397 ia[i-1] = (uint8_t)(chunk >> 8);
398 ia[i] = (uint8_t)(chunk & 0x00FF);
399 i -= 2;
400 }
401 }
402 dname += lablen;
403 lablen = *dname++;
404 len += lablen;
405 }
406 if(i != -1)
407 /* input too short */
408 return 0;
409 return 1;
410 }
411
netblockdnametoaddr(uint8_t * dname,size_t dnamelen,struct sockaddr_storage * addr,socklen_t * addrlen,int * net,int * af)412 int netblockdnametoaddr(uint8_t* dname, size_t dnamelen,
413 struct sockaddr_storage* addr, socklen_t* addrlen, int* net, int* af)
414 {
415 char buff[3 /* 3 digit netblock */ + 1];
416 size_t nlablen;
417 if(dnamelen < 1 || *dname > 3)
418 /* netblock invalid */
419 return 0;
420 nlablen = *dname;
421
422 if(dnamelen < 1 + nlablen)
423 return 0;
424
425 memcpy(buff, dname+1, nlablen);
426 buff[nlablen] = '\0';
427 *net = atoi(buff);
428 if(*net == 0 && strcmp(buff, "0") != 0)
429 return 0;
430 dname += nlablen;
431 dname++;
432 if(!ipdnametoaddr(dname, dnamelen-1-nlablen, addr, addrlen, af))
433 return 0;
434 if((*af == AF_INET6 && *net > 128) || (*af == AF_INET && *net > 32))
435 return 0;
436 return 1;
437 }
438
authextstrtoaddr(char * str,struct sockaddr_storage * addr,socklen_t * addrlen,char ** auth_name)439 int authextstrtoaddr(char* str, struct sockaddr_storage* addr,
440 socklen_t* addrlen, char** auth_name)
441 {
442 char* s;
443 int port = UNBOUND_DNS_PORT;
444 if((s=strchr(str, '@'))) {
445 char buf[MAX_ADDR_STRLEN];
446 size_t len = (size_t)(s-str);
447 char* hash = strchr(s+1, '#');
448 if(hash) {
449 *auth_name = hash+1;
450 } else {
451 *auth_name = NULL;
452 }
453 if(len >= MAX_ADDR_STRLEN) {
454 return 0;
455 }
456 (void)strlcpy(buf, str, sizeof(buf));
457 buf[len] = 0;
458 port = atoi(s+1);
459 if(port == 0) {
460 if(!hash && strcmp(s+1,"0")!=0)
461 return 0;
462 if(hash && strncmp(s+1,"0#",2)!=0)
463 return 0;
464 }
465 return ipstrtoaddr(buf, port, addr, addrlen);
466 }
467 if((s=strchr(str, '#'))) {
468 char buf[MAX_ADDR_STRLEN];
469 size_t len = (size_t)(s-str);
470 if(len >= MAX_ADDR_STRLEN) {
471 return 0;
472 }
473 (void)strlcpy(buf, str, sizeof(buf));
474 buf[len] = 0;
475 port = UNBOUND_DNS_OVER_TLS_PORT;
476 *auth_name = s+1;
477 return ipstrtoaddr(buf, port, addr, addrlen);
478 }
479 *auth_name = NULL;
480 return ipstrtoaddr(str, port, addr, addrlen);
481 }
482
authextstrtodname(char * str,int * port,char ** auth_name)483 uint8_t* authextstrtodname(char* str, int* port, char** auth_name)
484 {
485 char* s;
486 uint8_t* dname;
487 size_t dname_len;
488 *port = UNBOUND_DNS_PORT;
489 *auth_name = NULL;
490 if((s=strchr(str, '@'))) {
491 char buf[MAX_HOST_STRLEN];
492 size_t len = (size_t)(s-str);
493 char* hash = strchr(s+1, '#');
494 if(hash) {
495 *auth_name = hash+1;
496 } else {
497 *auth_name = NULL;
498 }
499 if(len >= MAX_HOST_STRLEN) {
500 return NULL;
501 }
502 (void)strlcpy(buf, str, sizeof(buf));
503 buf[len] = 0;
504 *port = atoi(s+1);
505 if(*port == 0) {
506 if(!hash && strcmp(s+1,"0")!=0)
507 return NULL;
508 if(hash && strncmp(s+1,"0#",2)!=0)
509 return NULL;
510 }
511 dname = sldns_str2wire_dname(buf, &dname_len);
512 } else if((s=strchr(str, '#'))) {
513 char buf[MAX_HOST_STRLEN];
514 size_t len = (size_t)(s-str);
515 if(len >= MAX_HOST_STRLEN) {
516 return NULL;
517 }
518 (void)strlcpy(buf, str, sizeof(buf));
519 buf[len] = 0;
520 *port = UNBOUND_DNS_OVER_TLS_PORT;
521 *auth_name = s+1;
522 dname = sldns_str2wire_dname(buf, &dname_len);
523 } else {
524 dname = sldns_str2wire_dname(str, &dname_len);
525 }
526 return dname;
527 }
528
529 /** store port number into sockaddr structure */
530 void
sockaddr_store_port(struct sockaddr_storage * addr,socklen_t addrlen,int port)531 sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port)
532 {
533 if(addr_is_ip6(addr, addrlen)) {
534 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
535 sa->sin6_port = (in_port_t)htons((uint16_t)port);
536 } else {
537 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
538 sa->sin_port = (in_port_t)htons((uint16_t)port);
539 }
540 }
541
542 void
log_nametypeclass(enum verbosity_value v,const char * str,uint8_t * name,uint16_t type,uint16_t dclass)543 log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
544 uint16_t type, uint16_t dclass)
545 {
546 char buf[LDNS_MAX_DOMAINLEN+1];
547 char t[12], c[12];
548 const char *ts, *cs;
549 if(verbosity < v)
550 return;
551 dname_str(name, buf);
552 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
553 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
554 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
555 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
556 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
557 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
558 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
559 ts = sldns_rr_descript(type)->_name;
560 else {
561 snprintf(t, sizeof(t), "TYPE%d", (int)type);
562 ts = t;
563 }
564 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
565 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
566 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
567 else {
568 snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
569 cs = c;
570 }
571 log_info("%s %s %s %s", str, buf, ts, cs);
572 }
573
574 void
log_query_in(const char * str,uint8_t * name,uint16_t type,uint16_t dclass)575 log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass)
576 {
577 char buf[LDNS_MAX_DOMAINLEN+1];
578 char t[12], c[12];
579 const char *ts, *cs;
580 dname_str(name, buf);
581 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
582 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
583 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
584 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
585 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
586 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
587 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
588 ts = sldns_rr_descript(type)->_name;
589 else {
590 snprintf(t, sizeof(t), "TYPE%d", (int)type);
591 ts = t;
592 }
593 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
594 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
595 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
596 else {
597 snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
598 cs = c;
599 }
600 if(LOG_TAG_QUERYREPLY)
601 log_query("%s %s %s %s", str, buf, ts, cs);
602 else log_info("%s %s %s %s", str, buf, ts, cs);
603 }
604
log_name_addr(enum verbosity_value v,const char * str,uint8_t * zone,struct sockaddr_storage * addr,socklen_t addrlen)605 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
606 struct sockaddr_storage* addr, socklen_t addrlen)
607 {
608 uint16_t port;
609 const char* family = "unknown_family ";
610 char namebuf[LDNS_MAX_DOMAINLEN+1];
611 char dest[100];
612 int af = (int)((struct sockaddr_in*)addr)->sin_family;
613 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
614 if(verbosity < v)
615 return;
616 switch(af) {
617 case AF_INET: family=""; break;
618 case AF_INET6: family="";
619 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
620 break;
621 case AF_LOCAL: family="local "; break;
622 default: break;
623 }
624 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
625 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
626 }
627 dest[sizeof(dest)-1] = 0;
628 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
629 dname_str(zone, namebuf);
630 if(af != AF_INET && af != AF_INET6)
631 verbose(v, "%s <%s> %s%s#%d (addrlen %d)",
632 str, namebuf, family, dest, (int)port, (int)addrlen);
633 else verbose(v, "%s <%s> %s%s#%d",
634 str, namebuf, family, dest, (int)port);
635 }
636
log_err_addr(const char * str,const char * err,struct sockaddr_storage * addr,socklen_t addrlen)637 void log_err_addr(const char* str, const char* err,
638 struct sockaddr_storage* addr, socklen_t addrlen)
639 {
640 uint16_t port;
641 char dest[100];
642 int af = (int)((struct sockaddr_in*)addr)->sin_family;
643 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
644 if(af == AF_INET6)
645 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
646 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
647 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
648 }
649 dest[sizeof(dest)-1] = 0;
650 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
651 if(verbosity >= 4)
652 log_err("%s: %s for %s port %d (len %d)", str, err, dest,
653 (int)port, (int)addrlen);
654 else log_err("%s: %s for %s port %d", str, err, dest, (int)port);
655 }
656
657 int
sockaddr_cmp(struct sockaddr_storage * addr1,socklen_t len1,struct sockaddr_storage * addr2,socklen_t len2)658 sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1,
659 struct sockaddr_storage* addr2, socklen_t len2)
660 {
661 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
662 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
663 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
664 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
665 if(len1 < len2)
666 return -1;
667 if(len1 > len2)
668 return 1;
669 log_assert(len1 == len2);
670 if( p1_in->sin_family < p2_in->sin_family)
671 return -1;
672 if( p1_in->sin_family > p2_in->sin_family)
673 return 1;
674 log_assert( p1_in->sin_family == p2_in->sin_family );
675 /* compare ip4 */
676 if( p1_in->sin_family == AF_INET ) {
677 /* just order it, ntohs not required */
678 if(p1_in->sin_port < p2_in->sin_port)
679 return -1;
680 if(p1_in->sin_port > p2_in->sin_port)
681 return 1;
682 log_assert(p1_in->sin_port == p2_in->sin_port);
683 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
684 } else if (p1_in6->sin6_family == AF_INET6) {
685 /* just order it, ntohs not required */
686 if(p1_in6->sin6_port < p2_in6->sin6_port)
687 return -1;
688 if(p1_in6->sin6_port > p2_in6->sin6_port)
689 return 1;
690 log_assert(p1_in6->sin6_port == p2_in6->sin6_port);
691 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
692 INET6_SIZE);
693 } else {
694 /* eek unknown type, perform this comparison for sanity. */
695 return memcmp(addr1, addr2, len1);
696 }
697 }
698
699 int
sockaddr_cmp_addr(struct sockaddr_storage * addr1,socklen_t len1,struct sockaddr_storage * addr2,socklen_t len2)700 sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1,
701 struct sockaddr_storage* addr2, socklen_t len2)
702 {
703 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
704 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
705 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
706 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
707 if(len1 < len2)
708 return -1;
709 if(len1 > len2)
710 return 1;
711 log_assert(len1 == len2);
712 if( p1_in->sin_family < p2_in->sin_family)
713 return -1;
714 if( p1_in->sin_family > p2_in->sin_family)
715 return 1;
716 log_assert( p1_in->sin_family == p2_in->sin_family );
717 /* compare ip4 */
718 if( p1_in->sin_family == AF_INET ) {
719 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
720 } else if (p1_in6->sin6_family == AF_INET6) {
721 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
722 INET6_SIZE);
723 } else {
724 /* eek unknown type, perform this comparison for sanity. */
725 return memcmp(addr1, addr2, len1);
726 }
727 }
728
729 int
addr_is_ip6(struct sockaddr_storage * addr,socklen_t len)730 addr_is_ip6(struct sockaddr_storage* addr, socklen_t len)
731 {
732 if(len == (socklen_t)sizeof(struct sockaddr_in6) &&
733 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6)
734 return 1;
735 else return 0;
736 }
737
738 void
addr_mask(struct sockaddr_storage * addr,socklen_t len,int net)739 addr_mask(struct sockaddr_storage* addr, socklen_t len, int net)
740 {
741 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
742 int i, max;
743 uint8_t* s;
744 if(addr_is_ip6(addr, len)) {
745 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
746 max = 128;
747 } else {
748 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr;
749 max = 32;
750 }
751 if(net >= max)
752 return;
753 for(i=net/8+1; i<max/8; i++) {
754 s[i] = 0;
755 }
756 s[net/8] &= mask[net&0x7];
757 }
758
759 int
addr_in_common(struct sockaddr_storage * addr1,int net1,struct sockaddr_storage * addr2,int net2,socklen_t addrlen)760 addr_in_common(struct sockaddr_storage* addr1, int net1,
761 struct sockaddr_storage* addr2, int net2, socklen_t addrlen)
762 {
763 int min = (net1<net2)?net1:net2;
764 int i, to;
765 int match = 0;
766 uint8_t* s1, *s2;
767 if(addr_is_ip6(addr1, addrlen)) {
768 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr;
769 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr;
770 to = 16;
771 } else {
772 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr;
773 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr;
774 to = 4;
775 }
776 /* match = bits_in_common(s1, s2, to); */
777 for(i=0; i<to; i++) {
778 if(s1[i] == s2[i]) {
779 match += 8;
780 } else {
781 uint8_t z = s1[i]^s2[i];
782 log_assert(z);
783 while(!(z&0x80)) {
784 match++;
785 z<<=1;
786 }
787 break;
788 }
789 }
790 if(match > min) match = min;
791 return match;
792 }
793
794 void
addr_to_str(struct sockaddr_storage * addr,socklen_t addrlen,char * buf,size_t len)795 addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
796 char* buf, size_t len)
797 {
798 int af = (int)((struct sockaddr_in*)addr)->sin_family;
799 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
800 if(addr_is_ip6(addr, addrlen))
801 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
802 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) {
803 snprintf(buf, len, "(inet_ntop_error)");
804 }
805 }
806
807 int
prefixnet_is_nat64(int prefixnet)808 prefixnet_is_nat64(int prefixnet)
809 {
810 return (prefixnet == 32 || prefixnet == 40 ||
811 prefixnet == 48 || prefixnet == 56 ||
812 prefixnet == 64 || prefixnet == 96);
813 }
814
815 void
addr_to_nat64(const struct sockaddr_storage * addr,const struct sockaddr_storage * nat64_prefix,socklen_t nat64_prefixlen,int nat64_prefixnet,struct sockaddr_storage * nat64_addr,socklen_t * nat64_addrlen)816 addr_to_nat64(const struct sockaddr_storage* addr,
817 const struct sockaddr_storage* nat64_prefix,
818 socklen_t nat64_prefixlen, int nat64_prefixnet,
819 struct sockaddr_storage* nat64_addr, socklen_t* nat64_addrlen)
820 {
821 struct sockaddr_in *sin = (struct sockaddr_in *)addr;
822 struct sockaddr_in6 *sin6;
823 uint8_t *v4_byte;
824 int i;
825
826 /* This needs to be checked by the caller */
827 log_assert(addr->ss_family == AF_INET);
828 /* Current usage is only from config values; prefix lengths enforced
829 * during config validation */
830 log_assert(prefixnet_is_nat64(nat64_prefixnet));
831
832 *nat64_addr = *nat64_prefix;
833 *nat64_addrlen = nat64_prefixlen;
834
835 sin6 = (struct sockaddr_in6 *)nat64_addr;
836 sin6->sin6_flowinfo = 0;
837 sin6->sin6_port = sin->sin_port;
838
839 nat64_prefixnet = nat64_prefixnet / 8;
840
841 v4_byte = (uint8_t *)&sin->sin_addr.s_addr;
842 for(i = 0; i < 4; i++) {
843 if(nat64_prefixnet == 8) {
844 /* bits 64...71 are MBZ */
845 sin6->sin6_addr.s6_addr[nat64_prefixnet++] = 0;
846 }
847 sin6->sin6_addr.s6_addr[nat64_prefixnet++] = *v4_byte++;
848 }
849 }
850
851 int
addr_is_ip4mapped(struct sockaddr_storage * addr,socklen_t addrlen)852 addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
853 {
854 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */
855 const uint8_t map_prefix[16] =
856 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0};
857 uint8_t* s;
858 if(!addr_is_ip6(addr, addrlen))
859 return 0;
860 /* s is 16 octet ipv6 address string */
861 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
862 return (memcmp(s, map_prefix, 12) == 0);
863 }
864
addr_is_broadcast(struct sockaddr_storage * addr,socklen_t addrlen)865 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
866 {
867 int af = (int)((struct sockaddr_in*)addr)->sin_family;
868 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
869 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
870 && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
871 }
872
addr_is_any(struct sockaddr_storage * addr,socklen_t addrlen)873 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen)
874 {
875 int af = (int)((struct sockaddr_in*)addr)->sin_family;
876 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
877 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr;
878 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
879 && memcmp(sinaddr, "\000\000\000\000", 4) == 0)
880 return 1;
881 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6)
882 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000"
883 "\000\000\000\000\000\000\000\000", 16) == 0)
884 return 1;
885 return 0;
886 }
887
sock_list_insert(struct sock_list ** list,struct sockaddr_storage * addr,socklen_t len,struct regional * region)888 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
889 socklen_t len, struct regional* region)
890 {
891 struct sock_list* add = (struct sock_list*)regional_alloc(region,
892 sizeof(*add) - sizeof(add->addr) + (size_t)len);
893 if(!add) {
894 log_err("out of memory in socketlist insert");
895 return;
896 }
897 log_assert(list);
898 add->next = *list;
899 add->len = len;
900 *list = add;
901 if(len) memmove(&add->addr, addr, len);
902 }
903
sock_list_prepend(struct sock_list ** list,struct sock_list * add)904 void sock_list_prepend(struct sock_list** list, struct sock_list* add)
905 {
906 struct sock_list* last = add;
907 if(!last)
908 return;
909 while(last->next)
910 last = last->next;
911 last->next = *list;
912 *list = add;
913 }
914
sock_list_find(struct sock_list * list,struct sockaddr_storage * addr,socklen_t len)915 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
916 socklen_t len)
917 {
918 while(list) {
919 if(len == list->len) {
920 if(len == 0 || sockaddr_cmp_addr(addr, len,
921 &list->addr, list->len) == 0)
922 return 1;
923 }
924 list = list->next;
925 }
926 return 0;
927 }
928
sock_list_merge(struct sock_list ** list,struct regional * region,struct sock_list * add)929 void sock_list_merge(struct sock_list** list, struct regional* region,
930 struct sock_list* add)
931 {
932 struct sock_list* p;
933 for(p=add; p; p=p->next) {
934 if(!sock_list_find(*list, &p->addr, p->len))
935 sock_list_insert(list, &p->addr, p->len, region);
936 }
937 }
938
939 void
log_crypto_err(const char * str)940 log_crypto_err(const char* str)
941 {
942 #ifdef HAVE_SSL
943 log_crypto_err_code(str, ERR_get_error());
944 #else
945 (void)str;
946 #endif /* HAVE_SSL */
947 }
948
log_crypto_err_code(const char * str,unsigned long err)949 void log_crypto_err_code(const char* str, unsigned long err)
950 {
951 #ifdef HAVE_SSL
952 /* error:[error code]:[library name]:[function name]:[reason string] */
953 char buf[128];
954 unsigned long e;
955 ERR_error_string_n(err, buf, sizeof(buf));
956 log_err("%s crypto %s", str, buf);
957 while( (e=ERR_get_error()) ) {
958 ERR_error_string_n(e, buf, sizeof(buf));
959 log_err("and additionally crypto %s", buf);
960 }
961 #else
962 (void)str;
963 (void)err;
964 #endif /* HAVE_SSL */
965 }
966
967 #ifdef HAVE_SSL
968 /** Print crypt erro with SSL_get_error want code and err_get_error code */
log_crypto_err_io_code_arg(const char * str,int r,unsigned long err,int err_present)969 static void log_crypto_err_io_code_arg(const char* str, int r,
970 unsigned long err, int err_present)
971 {
972 int print_errno = 0, print_crypto_err = 0;
973 const char* inf = NULL;
974
975 switch(r) {
976 case SSL_ERROR_NONE:
977 inf = "no error";
978 break;
979 case SSL_ERROR_ZERO_RETURN:
980 inf = "channel closed";
981 break;
982 case SSL_ERROR_WANT_READ:
983 inf = "want read";
984 break;
985 case SSL_ERROR_WANT_WRITE:
986 inf = "want write";
987 break;
988 case SSL_ERROR_WANT_CONNECT:
989 inf = "want connect";
990 break;
991 case SSL_ERROR_WANT_ACCEPT:
992 inf = "want accept";
993 break;
994 case SSL_ERROR_WANT_X509_LOOKUP:
995 inf = "want X509 lookup";
996 break;
997 #ifdef SSL_ERROR_WANT_ASYNC
998 case SSL_ERROR_WANT_ASYNC:
999 inf = "want async";
1000 break;
1001 #endif
1002 #ifdef SSL_ERROR_WANT_ASYNC_JOB
1003 case SSL_ERROR_WANT_ASYNC_JOB:
1004 inf = "want async job";
1005 break;
1006 #endif
1007 #ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
1008 case SSL_ERROR_WANT_CLIENT_HELLO_CB:
1009 inf = "want client hello cb";
1010 break;
1011 #endif
1012 case SSL_ERROR_SYSCALL:
1013 print_errno = 1;
1014 inf = "syscall";
1015 break;
1016 case SSL_ERROR_SSL:
1017 print_crypto_err = 1;
1018 inf = "SSL, usually protocol, error";
1019 break;
1020 default:
1021 inf = "unknown SSL_get_error result code";
1022 print_errno = 1;
1023 print_crypto_err = 1;
1024 }
1025 if(print_crypto_err) {
1026 if(print_errno) {
1027 char buf[1024];
1028 snprintf(buf, sizeof(buf), "%s with errno %s",
1029 str, strerror(errno));
1030 if(err_present)
1031 log_crypto_err_code(buf, err);
1032 else log_crypto_err(buf);
1033 } else {
1034 if(err_present)
1035 log_crypto_err_code(str, err);
1036 else log_crypto_err(str);
1037 }
1038 } else {
1039 if(print_errno) {
1040 if(errno == 0)
1041 log_err("%s: syscall error with errno %s",
1042 str, strerror(errno));
1043 else log_err("%s: %s", str, strerror(errno));
1044 } else {
1045 log_err("%s: %s", str, inf);
1046 }
1047 }
1048 }
1049 #endif /* HAVE_SSL */
1050
log_crypto_err_io(const char * str,int r)1051 void log_crypto_err_io(const char* str, int r)
1052 {
1053 #ifdef HAVE_SSL
1054 log_crypto_err_io_code_arg(str, r, 0, 0);
1055 #else
1056 (void)str;
1057 (void)r;
1058 #endif /* HAVE_SSL */
1059 }
1060
log_crypto_err_io_code(const char * str,int r,unsigned long err)1061 void log_crypto_err_io_code(const char* str, int r, unsigned long err)
1062 {
1063 #ifdef HAVE_SSL
1064 log_crypto_err_io_code_arg(str, r, err, 1);
1065 #else
1066 (void)str;
1067 (void)r;
1068 (void)err;
1069 #endif /* HAVE_SSL */
1070 }
1071
1072 #ifdef HAVE_SSL
1073 /** log certificate details */
1074 void
log_cert(unsigned level,const char * str,void * cert)1075 log_cert(unsigned level, const char* str, void* cert)
1076 {
1077 BIO* bio;
1078 char nul = 0;
1079 char* pp = NULL;
1080 long len;
1081 if(verbosity < level) return;
1082 bio = BIO_new(BIO_s_mem());
1083 if(!bio) return;
1084 X509_print_ex(bio, (X509*)cert, 0, (unsigned long)-1
1085 ^(X509_FLAG_NO_SUBJECT
1086 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY
1087 |X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX
1088 |X509_FLAG_NO_ATTRIBUTES));
1089 BIO_write(bio, &nul, (int)sizeof(nul));
1090 len = BIO_get_mem_data(bio, &pp);
1091 if(len != 0 && pp) {
1092 /* reduce size of cert printout */
1093 char* s;
1094 while((s=strstr(pp, " "))!=NULL)
1095 memmove(s, s+1, strlen(s+1)+1);
1096 while((s=strstr(pp, "\t\t"))!=NULL)
1097 memmove(s, s+1, strlen(s+1)+1);
1098 verbose(level, "%s: \n%s", str, pp);
1099 }
1100 BIO_free(bio);
1101 }
1102 #endif /* HAVE_SSL */
1103
1104 #if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
alpn_select_cb(SSL * ATTR_UNUSED (ssl),const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * ATTR_UNUSED (arg))1105 static int alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out,
1106 unsigned char* outlen, const unsigned char* in, unsigned int inlen,
1107 void* ATTR_UNUSED(arg))
1108 {
1109 int rv = nghttp2_select_next_protocol((unsigned char **)out, outlen, in,
1110 inlen);
1111 if(rv == -1) {
1112 return SSL_TLSEXT_ERR_NOACK;
1113 }
1114 /* either http/1.1 or h2 selected */
1115 return SSL_TLSEXT_ERR_OK;
1116 }
1117 #endif
1118
1119 int
listen_sslctx_setup(void * ctxt)1120 listen_sslctx_setup(void* ctxt)
1121 {
1122 #ifdef HAVE_SSL
1123 SSL_CTX* ctx = (SSL_CTX*)ctxt;
1124 /* no SSLv2, SSLv3 because has defects */
1125 #if SSL_OP_NO_SSLv2 != 0
1126 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
1127 != SSL_OP_NO_SSLv2){
1128 log_crypto_err("could not set SSL_OP_NO_SSLv2");
1129 return 0;
1130 }
1131 #endif
1132 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
1133 != SSL_OP_NO_SSLv3){
1134 log_crypto_err("could not set SSL_OP_NO_SSLv3");
1135 return 0;
1136 }
1137 #if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
1138 /* if we have tls 1.1 disable 1.0 */
1139 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
1140 != SSL_OP_NO_TLSv1){
1141 log_crypto_err("could not set SSL_OP_NO_TLSv1");
1142 return 0;
1143 }
1144 #endif
1145 #if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
1146 /* if we have tls 1.2 disable 1.1 */
1147 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
1148 != SSL_OP_NO_TLSv1_1){
1149 log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
1150 return 0;
1151 }
1152 #endif
1153 #if defined(SSL_OP_NO_RENEGOTIATION)
1154 /* disable client renegotiation */
1155 if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
1156 SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
1157 log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
1158 return 0;
1159 }
1160 #endif
1161 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
1162 /* if we detect system-wide crypto policies, use those */
1163 if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) {
1164 /* if we have sha256, set the cipher list to have no known vulns */
1165 if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
1166 log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
1167 }
1168 #endif
1169 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
1170 /* ignore errors when peers do not send the mandatory close_notify
1171 * alert on shutdown.
1172 * Relevant for openssl >= 3 */
1173 if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
1174 SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
1175 log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
1176 return 0;
1177 }
1178 #endif
1179
1180 if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
1181 SSL_OP_CIPHER_SERVER_PREFERENCE) !=
1182 SSL_OP_CIPHER_SERVER_PREFERENCE) {
1183 log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE");
1184 return 0;
1185 }
1186
1187 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
1188 SSL_CTX_set_security_level(ctx, 0);
1189 #endif
1190 #if defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) && defined(HAVE_NGHTTP2)
1191 SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb, NULL);
1192 #endif
1193 #else
1194 (void)ctxt;
1195 #endif /* HAVE_SSL */
1196 return 1;
1197 }
1198
1199 void
listen_sslctx_setup_2(void * ctxt)1200 listen_sslctx_setup_2(void* ctxt)
1201 {
1202 #ifdef HAVE_SSL
1203 SSL_CTX* ctx = (SSL_CTX*)ctxt;
1204 (void)ctx;
1205 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
1206 if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
1207 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
1208 }
1209 #elif defined(USE_ECDSA)
1210 if(1) {
1211 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
1212 if (!ecdh) {
1213 log_crypto_err("could not find p256, not enabling ECDHE");
1214 } else {
1215 if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
1216 log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
1217 }
1218 EC_KEY_free (ecdh);
1219 }
1220 }
1221 #endif
1222 #else
1223 (void)ctxt;
1224 #endif /* HAVE_SSL */
1225 }
1226
listen_sslctx_create(char * key,char * pem,char * verifypem)1227 void* listen_sslctx_create(char* key, char* pem, char* verifypem)
1228 {
1229 #ifdef HAVE_SSL
1230 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
1231 if(!ctx) {
1232 log_crypto_err("could not SSL_CTX_new");
1233 return NULL;
1234 }
1235 if(!key || key[0] == 0) {
1236 log_err("error: no tls-service-key file specified");
1237 SSL_CTX_free(ctx);
1238 return NULL;
1239 }
1240 if(!pem || pem[0] == 0) {
1241 log_err("error: no tls-service-pem file specified");
1242 SSL_CTX_free(ctx);
1243 return NULL;
1244 }
1245 if(!listen_sslctx_setup(ctx)) {
1246 SSL_CTX_free(ctx);
1247 return NULL;
1248 }
1249 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
1250 log_err("error for cert file: %s", pem);
1251 log_crypto_err("error in SSL_CTX use_certificate_chain_file");
1252 SSL_CTX_free(ctx);
1253 return NULL;
1254 }
1255 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
1256 log_err("error for private key file: %s", key);
1257 log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
1258 SSL_CTX_free(ctx);
1259 return NULL;
1260 }
1261 if(!SSL_CTX_check_private_key(ctx)) {
1262 log_err("error for key file: %s", key);
1263 log_crypto_err("Error in SSL_CTX check_private_key");
1264 SSL_CTX_free(ctx);
1265 return NULL;
1266 }
1267 listen_sslctx_setup_2(ctx);
1268 if(verifypem && verifypem[0]) {
1269 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
1270 log_crypto_err("Error in SSL_CTX verify locations");
1271 SSL_CTX_free(ctx);
1272 return NULL;
1273 }
1274 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
1275 verifypem));
1276 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
1277 }
1278 return ctx;
1279 #else
1280 (void)key; (void)pem; (void)verifypem;
1281 return NULL;
1282 #endif
1283 }
1284
1285 #ifdef USE_WINSOCK
1286 /* For windows, the CA trust store is not read by openssl.
1287 Add code to open the trust store using wincrypt API and add
1288 the root certs into openssl trust store */
1289 static int
add_WIN_cacerts_to_openssl_store(SSL_CTX * tls_ctx)1290 add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
1291 {
1292 HCERTSTORE hSystemStore;
1293 PCCERT_CONTEXT pTargetCert = NULL;
1294 X509_STORE* store;
1295
1296 verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store");
1297
1298 /* load just once per context lifetime for this version
1299 TODO: dynamically update CA trust changes as they are available */
1300 if (!tls_ctx)
1301 return 0;
1302
1303 /* Call wincrypt's CertOpenStore to open the CA root store. */
1304
1305 if ((hSystemStore = CertOpenStore(
1306 CERT_STORE_PROV_SYSTEM,
1307 0,
1308 0,
1309 /* NOTE: mingw does not have this const: replace with 1 << 16 from code
1310 CERT_SYSTEM_STORE_CURRENT_USER, */
1311 1 << 16,
1312 L"root")) == 0)
1313 {
1314 return 0;
1315 }
1316
1317 store = SSL_CTX_get_cert_store(tls_ctx);
1318 if (!store)
1319 return 0;
1320
1321 /* failure if the CA store is empty or the call fails */
1322 if ((pTargetCert = CertEnumCertificatesInStore(
1323 hSystemStore, pTargetCert)) == 0) {
1324 verbose(VERB_ALGO, "CA certificate store for Windows is empty.");
1325 return 0;
1326 }
1327 /* iterate over the windows cert store and add to openssl store */
1328 do
1329 {
1330 X509 *cert1 = d2i_X509(NULL,
1331 (const unsigned char **)&pTargetCert->pbCertEncoded,
1332 pTargetCert->cbCertEncoded);
1333 if (!cert1) {
1334 unsigned long error = ERR_get_error();
1335 /* return error if a cert fails */
1336 verbose(VERB_ALGO, "%s %d:%s",
1337 "Unable to parse certificate in memory",
1338 (int)error, ERR_error_string(error, NULL));
1339 return 0;
1340 }
1341 else {
1342 /* return error if a cert add to store fails */
1343 if (X509_STORE_add_cert(store, cert1) == 0) {
1344 unsigned long error = ERR_peek_last_error();
1345
1346 /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
1347 * certificate is already in the store. */
1348 if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
1349 ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
1350 error = ERR_get_error();
1351 verbose(VERB_ALGO, "%s %d:%s\n",
1352 "Error adding certificate", (int)error,
1353 ERR_error_string(error, NULL));
1354 X509_free(cert1);
1355 return 0;
1356 }
1357 }
1358 X509_free(cert1);
1359 }
1360 } while ((pTargetCert = CertEnumCertificatesInStore(
1361 hSystemStore, pTargetCert)) != 0);
1362
1363 /* Clean up memory and quit. */
1364 if (pTargetCert)
1365 CertFreeCertificateContext(pTargetCert);
1366 if (hSystemStore)
1367 {
1368 if (!CertCloseStore(
1369 hSystemStore, 0))
1370 return 0;
1371 }
1372 verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully");
1373 return 1;
1374 }
1375 #endif /* USE_WINSOCK */
1376
connect_sslctx_create(char * key,char * pem,char * verifypem,int wincert)1377 void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
1378 {
1379 #ifdef HAVE_SSL
1380 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
1381 if(!ctx) {
1382 log_crypto_err("could not allocate SSL_CTX pointer");
1383 return NULL;
1384 }
1385 #if SSL_OP_NO_SSLv2 != 0
1386 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
1387 != SSL_OP_NO_SSLv2) {
1388 log_crypto_err("could not set SSL_OP_NO_SSLv2");
1389 SSL_CTX_free(ctx);
1390 return NULL;
1391 }
1392 #endif
1393 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
1394 != SSL_OP_NO_SSLv3) {
1395 log_crypto_err("could not set SSL_OP_NO_SSLv3");
1396 SSL_CTX_free(ctx);
1397 return NULL;
1398 }
1399 #if defined(SSL_OP_NO_RENEGOTIATION)
1400 /* disable client renegotiation */
1401 if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
1402 SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
1403 log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
1404 SSL_CTX_free(ctx);
1405 return 0;
1406 }
1407 #endif
1408 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
1409 /* ignore errors when peers do not send the mandatory close_notify
1410 * alert on shutdown.
1411 * Relevant for openssl >= 3 */
1412 if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
1413 SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
1414 log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
1415 SSL_CTX_free(ctx);
1416 return 0;
1417 }
1418 #endif
1419 if(key && key[0]) {
1420 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
1421 log_err("error in client certificate %s", pem);
1422 log_crypto_err("error in certificate file");
1423 SSL_CTX_free(ctx);
1424 return NULL;
1425 }
1426 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
1427 log_err("error in client private key %s", key);
1428 log_crypto_err("error in key file");
1429 SSL_CTX_free(ctx);
1430 return NULL;
1431 }
1432 if(!SSL_CTX_check_private_key(ctx)) {
1433 log_err("error in client key %s", key);
1434 log_crypto_err("error in SSL_CTX_check_private_key");
1435 SSL_CTX_free(ctx);
1436 return NULL;
1437 }
1438 }
1439 if((verifypem && verifypem[0]) || wincert) {
1440 if(verifypem && verifypem[0]) {
1441 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
1442 log_crypto_err("error in SSL_CTX verify");
1443 SSL_CTX_free(ctx);
1444 return NULL;
1445 }
1446 }
1447 #ifdef USE_WINSOCK
1448 if(wincert) {
1449 if(!add_WIN_cacerts_to_openssl_store(ctx)) {
1450 log_crypto_err("error in add_WIN_cacerts_to_openssl_store");
1451 SSL_CTX_free(ctx);
1452 return NULL;
1453 }
1454 }
1455 #else
1456 if(wincert) {
1457 if(!SSL_CTX_set_default_verify_paths(ctx)) {
1458 log_crypto_err("error in default_verify_paths");
1459 SSL_CTX_free(ctx);
1460 return NULL;
1461 }
1462 }
1463 #endif
1464 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
1465 }
1466 return ctx;
1467 #else
1468 (void)key; (void)pem; (void)verifypem; (void)wincert;
1469 return NULL;
1470 #endif
1471 }
1472
incoming_ssl_fd(void * sslctx,int fd)1473 void* incoming_ssl_fd(void* sslctx, int fd)
1474 {
1475 #ifdef HAVE_SSL
1476 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
1477 if(!ssl) {
1478 log_crypto_err("could not SSL_new");
1479 return NULL;
1480 }
1481 SSL_set_accept_state(ssl);
1482 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY);
1483 if(!SSL_set_fd(ssl, fd)) {
1484 log_crypto_err("could not SSL_set_fd");
1485 SSL_free(ssl);
1486 return NULL;
1487 }
1488 return ssl;
1489 #else
1490 (void)sslctx; (void)fd;
1491 return NULL;
1492 #endif
1493 }
1494
outgoing_ssl_fd(void * sslctx,int fd)1495 void* outgoing_ssl_fd(void* sslctx, int fd)
1496 {
1497 #ifdef HAVE_SSL
1498 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
1499 if(!ssl) {
1500 log_crypto_err("could not SSL_new");
1501 return NULL;
1502 }
1503 SSL_set_connect_state(ssl);
1504 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY);
1505 if(!SSL_set_fd(ssl, fd)) {
1506 log_crypto_err("could not SSL_set_fd");
1507 SSL_free(ssl);
1508 return NULL;
1509 }
1510 return ssl;
1511 #else
1512 (void)sslctx; (void)fd;
1513 return NULL;
1514 #endif
1515 }
1516
check_auth_name_for_ssl(char * auth_name)1517 int check_auth_name_for_ssl(char* auth_name)
1518 {
1519 if(!auth_name) return 1;
1520 #if defined(HAVE_SSL) && !defined(HAVE_SSL_SET1_HOST) && !defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
1521 log_err("the query has an auth_name %s, but libssl has no call to "
1522 "perform TLS authentication. Remove that name from config "
1523 "or upgrade the ssl crypto library.", auth_name);
1524 return 0;
1525 #else
1526 return 1;
1527 #endif
1528 }
1529
1530 /** set the authname on an SSL structure, SSL* ssl */
set_auth_name_on_ssl(void * ssl,char * auth_name,int use_sni)1531 int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni)
1532 {
1533 if(!auth_name) return 1;
1534 #ifdef HAVE_SSL
1535 if(use_sni) {
1536 (void)SSL_set_tlsext_host_name(ssl, auth_name);
1537 }
1538 #else
1539 (void)ssl;
1540 (void)use_sni;
1541 #endif
1542 #ifdef HAVE_SSL_SET1_HOST
1543 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
1544 /* setting the hostname makes openssl verify the
1545 * host name in the x509 certificate in the
1546 * SSL connection*/
1547 if(!SSL_set1_host(ssl, auth_name)) {
1548 log_err("SSL_set1_host failed");
1549 return 0;
1550 }
1551 #elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
1552 /* openssl 1.0.2 has this function that can be used for
1553 * set1_host like verification */
1554 if(auth_name) {
1555 X509_VERIFY_PARAM* param = SSL_get0_param(ssl);
1556 # ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1557 X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
1558 # endif
1559 if(!X509_VERIFY_PARAM_set1_host(param, auth_name, strlen(auth_name))) {
1560 log_err("X509_VERIFY_PARAM_set1_host failed");
1561 return 0;
1562 }
1563 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
1564 }
1565 #else
1566 verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
1567 #endif /* HAVE_SSL_SET1_HOST */
1568 return 1;
1569 }
1570
1571 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1572 /** global lock list for openssl locks */
1573 static lock_basic_type *ub_openssl_locks = NULL;
1574
1575 /** callback that gets thread id for openssl */
1576 #ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
1577 static void
ub_crypto_id_cb(CRYPTO_THREADID * id)1578 ub_crypto_id_cb(CRYPTO_THREADID *id)
1579 {
1580 CRYPTO_THREADID_set_numeric(id, (unsigned long)log_thread_get());
1581 }
1582 #else
1583 static unsigned long
ub_crypto_id_cb(void)1584 ub_crypto_id_cb(void)
1585 {
1586 return (unsigned long)log_thread_get();
1587 }
1588 #endif
1589
1590 static void
ub_crypto_lock_cb(int mode,int type,const char * ATTR_UNUSED (file),int ATTR_UNUSED (line))1591 ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
1592 int ATTR_UNUSED(line))
1593 {
1594 if((mode&CRYPTO_LOCK)) {
1595 lock_basic_lock(&ub_openssl_locks[type]);
1596 } else {
1597 lock_basic_unlock(&ub_openssl_locks[type]);
1598 }
1599 }
1600 #endif /* OPENSSL_THREADS */
1601
ub_openssl_lock_init(void)1602 int ub_openssl_lock_init(void)
1603 {
1604 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1605 int i;
1606 ub_openssl_locks = (lock_basic_type*)reallocarray(
1607 NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_type));
1608 if(!ub_openssl_locks)
1609 return 0;
1610 for(i=0; i<CRYPTO_num_locks(); i++) {
1611 lock_basic_init(&ub_openssl_locks[i]);
1612 }
1613 # ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
1614 CRYPTO_THREADID_set_callback(&ub_crypto_id_cb);
1615 # else
1616 CRYPTO_set_id_callback(&ub_crypto_id_cb);
1617 # endif
1618 CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
1619 #endif /* OPENSSL_THREADS */
1620 return 1;
1621 }
1622
ub_openssl_lock_delete(void)1623 void ub_openssl_lock_delete(void)
1624 {
1625 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1626 int i;
1627 if(!ub_openssl_locks)
1628 return;
1629 # ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
1630 CRYPTO_THREADID_set_callback(NULL);
1631 # else
1632 CRYPTO_set_id_callback(NULL);
1633 # endif
1634 CRYPTO_set_locking_callback(NULL);
1635 for(i=0; i<CRYPTO_num_locks(); i++) {
1636 lock_basic_destroy(&ub_openssl_locks[i]);
1637 }
1638 free(ub_openssl_locks);
1639 #endif /* OPENSSL_THREADS */
1640 }
1641
listen_sslctx_setup_ticket_keys(void * sslctx,struct config_strlist * tls_session_ticket_keys)1642 int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_session_ticket_keys) {
1643 #ifdef HAVE_SSL
1644 size_t s = 1;
1645 struct config_strlist* p;
1646 struct tls_session_ticket_key *keys;
1647 for(p = tls_session_ticket_keys; p; p = p->next) {
1648 s++;
1649 }
1650 keys = calloc(s, sizeof(struct tls_session_ticket_key));
1651 if(!keys)
1652 return 0;
1653 memset(keys, 0, s*sizeof(*keys));
1654 ticket_keys = keys;
1655
1656 for(p = tls_session_ticket_keys; p; p = p->next) {
1657 size_t n;
1658 unsigned char *data;
1659 FILE *f;
1660
1661 data = (unsigned char *)malloc(80);
1662 if(!data)
1663 return 0;
1664
1665 f = fopen(p->str, "rb");
1666 if(!f) {
1667 log_err("could not read tls-session-ticket-key %s: %s", p->str, strerror(errno));
1668 free(data);
1669 return 0;
1670 }
1671 n = fread(data, 1, 80, f);
1672 fclose(f);
1673
1674 if(n != 80) {
1675 log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", p->str, (int)n);
1676 free(data);
1677 return 0;
1678 }
1679 verbose(VERB_OPS, "read tls-session-ticket-key: %s", p->str);
1680
1681 keys->key_name = data;
1682 keys->aes_key = data + 16;
1683 keys->hmac_key = data + 48;
1684 keys++;
1685 }
1686 /* terminate array with NULL key name entry */
1687 keys->key_name = NULL;
1688 # ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1689 if(SSL_CTX_set_tlsext_ticket_key_evp_cb(sslctx, tls_session_ticket_key_cb) == 0) {
1690 log_err("no support for TLS session ticket");
1691 return 0;
1692 }
1693 # else
1694 if(SSL_CTX_set_tlsext_ticket_key_cb(sslctx, tls_session_ticket_key_cb) == 0) {
1695 log_err("no support for TLS session ticket");
1696 return 0;
1697 }
1698 # endif
1699 return 1;
1700 #else
1701 (void)sslctx;
1702 (void)tls_session_ticket_keys;
1703 return 0;
1704 #endif
1705
1706 }
1707
1708 #ifdef HAVE_SSL
tls_session_ticket_key_cb(SSL * ATTR_UNUSED (sslctx),unsigned char * key_name,unsigned char * iv,EVP_CIPHER_CTX * evp_sctx,EVP_MAC_CTX * hmac_ctx,int enc)1709 int tls_session_ticket_key_cb(SSL *ATTR_UNUSED(sslctx), unsigned char* key_name,
1710 unsigned char* iv, EVP_CIPHER_CTX *evp_sctx,
1711 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1712 EVP_MAC_CTX *hmac_ctx,
1713 #else
1714 HMAC_CTX* hmac_ctx,
1715 #endif
1716 int enc)
1717 {
1718 #ifdef HAVE_SSL
1719 # ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1720 OSSL_PARAM params[3];
1721 # else
1722 const EVP_MD *digest;
1723 # endif
1724 const EVP_CIPHER *cipher;
1725 int evp_cipher_length;
1726 # ifndef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1727 digest = EVP_sha256();
1728 # endif
1729 cipher = EVP_aes_256_cbc();
1730 evp_cipher_length = EVP_CIPHER_iv_length(cipher);
1731 if( enc == 1 ) {
1732 /* encrypt */
1733 verbose(VERB_CLIENT, "start session encrypt");
1734 memcpy(key_name, ticket_keys->key_name, 16);
1735 if (RAND_bytes(iv, evp_cipher_length) != 1) {
1736 verbose(VERB_CLIENT, "RAND_bytes failed");
1737 return -1;
1738 }
1739 if (EVP_EncryptInit_ex(evp_sctx, cipher, NULL, ticket_keys->aes_key, iv) != 1) {
1740 verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed");
1741 return -1;
1742 }
1743 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1744 params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
1745 ticket_keys->hmac_key, 32);
1746 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
1747 "sha256", 0);
1748 params[2] = OSSL_PARAM_construct_end();
1749 #ifdef HAVE_EVP_MAC_CTX_SET_PARAMS
1750 EVP_MAC_CTX_set_params(hmac_ctx, params);
1751 #else
1752 EVP_MAC_set_ctx_params(hmac_ctx, params);
1753 #endif
1754 #elif !defined(HMAC_INIT_EX_RETURNS_VOID)
1755 if (HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL) != 1) {
1756 verbose(VERB_CLIENT, "HMAC_Init_ex failed");
1757 return -1;
1758 }
1759 #else
1760 HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL);
1761 #endif
1762 return 1;
1763 } else if (enc == 0) {
1764 /* decrypt */
1765 struct tls_session_ticket_key *key;
1766 verbose(VERB_CLIENT, "start session decrypt");
1767 for(key = ticket_keys; key->key_name != NULL; key++) {
1768 if (!memcmp(key_name, key->key_name, 16)) {
1769 verbose(VERB_CLIENT, "Found session_key");
1770 break;
1771 }
1772 }
1773 if(key->key_name == NULL) {
1774 verbose(VERB_CLIENT, "Not found session_key");
1775 return 0;
1776 }
1777
1778 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
1779 params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
1780 key->hmac_key, 32);
1781 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
1782 "sha256", 0);
1783 params[2] = OSSL_PARAM_construct_end();
1784 #ifdef HAVE_EVP_MAC_CTX_SET_PARAMS
1785 EVP_MAC_CTX_set_params(hmac_ctx, params);
1786 #else
1787 EVP_MAC_set_ctx_params(hmac_ctx, params);
1788 #endif
1789 #elif !defined(HMAC_INIT_EX_RETURNS_VOID)
1790 if (HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL) != 1) {
1791 verbose(VERB_CLIENT, "HMAC_Init_ex failed");
1792 return -1;
1793 }
1794 #else
1795 HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL);
1796 #endif
1797 if (EVP_DecryptInit_ex(evp_sctx, cipher, NULL, key->aes_key, iv) != 1) {
1798 log_err("EVP_DecryptInit_ex failed");
1799 return -1;
1800 }
1801
1802 return (key == ticket_keys) ? 1 : 2;
1803 }
1804 return -1;
1805 #else
1806 (void)key_name;
1807 (void)iv;
1808 (void)evp_sctx;
1809 (void)hmac_ctx;
1810 (void)enc;
1811 return 0;
1812 #endif
1813 }
1814 #endif /* HAVE_SSL */
1815
1816 void
listen_sslctx_delete_ticket_keys(void)1817 listen_sslctx_delete_ticket_keys(void)
1818 {
1819 struct tls_session_ticket_key *key;
1820 if(!ticket_keys) return;
1821 for(key = ticket_keys; key->key_name != NULL; key++) {
1822 /* wipe key data from memory*/
1823 #ifdef HAVE_EXPLICIT_BZERO
1824 explicit_bzero(key->key_name, 80);
1825 #else
1826 memset(key->key_name, 0xdd, 80);
1827 #endif
1828 free(key->key_name);
1829 }
1830 free(ticket_keys);
1831 ticket_keys = NULL;
1832 }
1833
1834 # ifndef USE_WINSOCK
1835 char*
sock_strerror(int errn)1836 sock_strerror(int errn)
1837 {
1838 return strerror(errn);
1839 }
1840
1841 void
sock_close(int socket)1842 sock_close(int socket)
1843 {
1844 close(socket);
1845 }
1846
1847 # else
1848 char*
sock_strerror(int ATTR_UNUSED (errn))1849 sock_strerror(int ATTR_UNUSED(errn))
1850 {
1851 return wsa_strerror(WSAGetLastError());
1852 }
1853
1854 void
sock_close(int socket)1855 sock_close(int socket)
1856 {
1857 closesocket(socket);
1858 }
1859 # endif /* USE_WINSOCK */
1860