1 /* 2 * util/net_help.h - network help functions 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains functions to perform network related tasks. 40 */ 41 42 #ifndef NET_HELP_H 43 #define NET_HELP_H 44 #include "util/log.h" 45 #include "util/random.h" 46 struct sock_list; 47 struct regional; 48 struct config_strlist; 49 50 /** DNS constants for uint16_t style flag manipulation. host byteorder. 51 * 1 1 1 1 1 1 52 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 53 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 54 * |QR| Opcode |AA|TC|RD|RA| Z|AD|CD| RCODE | 55 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 56 */ 57 /** CD flag */ 58 #define BIT_CD 0x0010 59 /** AD flag */ 60 #define BIT_AD 0x0020 61 /** Z flag */ 62 #define BIT_Z 0x0040 63 /** RA flag */ 64 #define BIT_RA 0x0080 65 /** RD flag */ 66 #define BIT_RD 0x0100 67 /** TC flag */ 68 #define BIT_TC 0x0200 69 /** AA flag */ 70 #define BIT_AA 0x0400 71 /** QR flag */ 72 #define BIT_QR 0x8000 73 /** get RCODE bits from uint16 flags */ 74 #define FLAGS_GET_RCODE(f) ((f) & 0xf) 75 /** set RCODE bits in uint16 flags */ 76 #define FLAGS_SET_RCODE(f, r) (f = (((f) & 0xfff0) | (r))) 77 78 /** timeout in milliseconds for UDP queries to auth servers. */ 79 #define UDP_AUTH_QUERY_TIMEOUT 3000 80 /** Advertised version of EDNS capabilities */ 81 #define EDNS_ADVERTISED_VERSION 0 82 /** Advertised size of EDNS capabilities */ 83 extern uint16_t EDNS_ADVERTISED_SIZE; 84 /** bits for EDNS bitfield */ 85 #define EDNS_DO 0x8000 /* Dnssec Ok */ 86 /** byte size of ip4 address */ 87 #define INET_SIZE 4 88 /** byte size of ip6 address */ 89 #define INET6_SIZE 16 90 91 /** DNSKEY zone sign key flag */ 92 #define DNSKEY_BIT_ZSK 0x0100 93 /** DNSKEY secure entry point, KSK flag */ 94 #define DNSKEY_BIT_SEP 0x0001 95 96 /** return a random 16-bit number given a random source */ 97 #define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff) 98 99 /** minimal responses when positive answer */ 100 extern int MINIMAL_RESPONSES; 101 102 /** rrset order roundrobin */ 103 extern int RRSET_ROUNDROBIN; 104 105 /** log tag queries with name instead of 'info' for filtering */ 106 extern int LOG_TAG_QUERYREPLY; 107 108 /** 109 * See if string is ip4 or ip6. 110 * @param str: IP specification. 111 * @return: true if string addr is an ip6 specced address. 112 */ 113 int str_is_ip6(const char* str); 114 115 /** 116 * Set fd nonblocking. 117 * @param s: file descriptor. 118 * @return: 0 on error (error is printed to log). 119 */ 120 int fd_set_nonblock(int s); 121 122 /** 123 * Set fd (back to) blocking. 124 * @param s: file descriptor. 125 * @return: 0 on error (error is printed to log). 126 */ 127 int fd_set_block(int s); 128 129 /** 130 * See if number is a power of 2. 131 * @param num: the value. 132 * @return: true if the number is a power of 2. 133 */ 134 int is_pow2(size_t num); 135 136 /** 137 * Allocate memory and copy over contents. 138 * @param data: what to copy over. 139 * @param len: length of data. 140 * @return: NULL on malloc failure, or newly malloced data. 141 */ 142 void* memdup(void* data, size_t len); 143 144 /** 145 * Prints the sockaddr in readable format with log_info. Debug helper. 146 * @param v: at what verbosity level to print this. 147 * @param str: descriptive string printed with it. 148 * @param addr: the sockaddr to print. Can be ip4 or ip6. 149 * @param addrlen: length of addr. 150 */ 151 void log_addr(enum verbosity_value v, const char* str, 152 struct sockaddr_storage* addr, socklen_t addrlen); 153 154 /** 155 * Prints zone name and sockaddr in readable format with log_info. Debug. 156 * @param v: at what verbosity level to print this. 157 * @param str: descriptive string printed with it. 158 * @param zone: DNS domain name, uncompressed wireformat. 159 * @param addr: the sockaddr to print. Can be ip4 or ip6. 160 * @param addrlen: length of addr. 161 */ 162 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone, 163 struct sockaddr_storage* addr, socklen_t addrlen); 164 165 /** 166 * Log errno and addr. 167 * @param str: descriptive string printed with it. 168 * @param err: errno string to print, i.e. strerror(errno). 169 * @param addr: the sockaddr to print. Can be ip4 or ip6. 170 * @param addrlen: length of addr. 171 */ 172 void log_err_addr(const char* str, const char* err, 173 struct sockaddr_storage* addr, socklen_t addrlen); 174 175 /** 176 * Convert address string, with "@port" appendix, to sockaddr. 177 * Uses DNS port by default. 178 * @param str: the string 179 * @param addr: where to store sockaddr. 180 * @param addrlen: length of stored sockaddr is returned. 181 * @return 0 on error. 182 */ 183 int extstrtoaddr(const char* str, struct sockaddr_storage* addr, 184 socklen_t* addrlen); 185 186 /** 187 * Convert ip address string and port to sockaddr. 188 * @param ip: ip4 or ip6 address string. 189 * @param port: port number, host format. 190 * @param addr: where to store sockaddr. 191 * @param addrlen: length of stored sockaddr is returned. 192 * @return 0 on error. 193 */ 194 int ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, 195 socklen_t* addrlen); 196 197 /** 198 * Convert ip netblock (ip/netsize) string and port to sockaddr. 199 * performs a copy internally to avoid writing over 'ip' string. 200 * @param ip: ip4 or ip6 address string. 201 * @param port: port number, host format. 202 * @param addr: where to store sockaddr. 203 * @param addrlen: length of stored sockaddr is returned. 204 * @param net: netblock size is returned. 205 * @return 0 on error. 206 */ 207 int netblockstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, 208 socklen_t* addrlen, int* net); 209 210 /** 211 * Convert address string, with "@port" appendix, to sockaddr. 212 * It can also have an "#tls-auth-name" appendix (after the port). 213 * The returned auth_name string is a pointer into the input string. 214 * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured. 215 * @param str: the string 216 * @param addr: where to store sockaddr. 217 * @param addrlen: length of stored sockaddr is returned. 218 * @param auth_name: returned pointer to tls_auth_name, or NULL if none. 219 * @return 0 on error. 220 */ 221 int authextstrtoaddr(char* str, struct sockaddr_storage* addr, 222 socklen_t* addrlen, char** auth_name); 223 224 /** 225 * Convert domain string, with "@port" appendix, to dname. 226 * It can also have an "#tls-auth-name" appendix (after the port). 227 * The return port is the parsed port. 228 * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured. 229 * The returned auth_name string is a pointer into the input string. 230 * @param str: the string 231 * @param port: pointer to be assigned the parsed port value. 232 * @param auth_name: returned pointer to tls_auth_name, or NULL if none. 233 * @return pointer to the dname. 234 */ 235 uint8_t* authextstrtodname(char* str, int* port, char** auth_name); 236 237 /** 238 * Store port number into sockaddr structure 239 * @param addr: sockaddr structure, ip4 or ip6. 240 * @param addrlen: length of addr. 241 * @param port: port number to put into the addr. 242 */ 243 void sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, 244 int port); 245 246 /** 247 * Print string with neat domain name, type and class. 248 * @param v: at what verbosity level to print this. 249 * @param str: string of message. 250 * @param name: domain name uncompressed wireformat. 251 * @param type: host format RR type. 252 * @param dclass: host format RR class. 253 */ 254 void log_nametypeclass(enum verbosity_value v, const char* str, 255 uint8_t* name, uint16_t type, uint16_t dclass); 256 257 /** 258 * Like log_nametypeclass, but logs with log_query for query logging 259 */ 260 void log_query_in(const char* str, uint8_t* name, uint16_t type, 261 uint16_t dclass); 262 263 /** 264 * Compare two sockaddrs. Imposes an ordering on the addresses. 265 * Compares address and port. 266 * @param addr1: address 1. 267 * @param len1: lengths of addr1. 268 * @param addr2: address 2. 269 * @param len2: lengths of addr2. 270 * @return: 0 if addr1 == addr2. -1 if addr1 is smaller, +1 if larger. 271 */ 272 int sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1, 273 struct sockaddr_storage* addr2, socklen_t len2); 274 275 /** 276 * Compare two sockaddrs. Compares address, not the port. 277 * @param addr1: address 1. 278 * @param len1: lengths of addr1. 279 * @param addr2: address 2. 280 * @param len2: lengths of addr2. 281 * @return: 0 if addr1 == addr2. -1 if addr1 is smaller, +1 if larger. 282 */ 283 int sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1, 284 struct sockaddr_storage* addr2, socklen_t len2); 285 286 /** 287 * Checkout address family. 288 * @param addr: the sockaddr to examine. 289 * @param len: the length of addr. 290 * @return: true if sockaddr is ip6. 291 */ 292 int addr_is_ip6(struct sockaddr_storage* addr, socklen_t len); 293 294 /** 295 * Make sure the sockaddr ends in zeroes. For tree insertion and subsequent 296 * comparison. 297 * @param addr: the ip4 or ip6 addr. 298 * @param len: length of addr. 299 * @param net: number of bits to leave untouched, the rest of the netblock 300 * address is zeroed. 301 */ 302 void addr_mask(struct sockaddr_storage* addr, socklen_t len, int net); 303 304 /** 305 * See how many bits are shared, equal, between two addrs. 306 * @param addr1: first addr. 307 * @param net1: netblock size of first addr. 308 * @param addr2: second addr. 309 * @param net2: netblock size of second addr. 310 * @param addrlen: length of first addr and of second addr. 311 * They must be of the same length (i.e. same type IP4, IP6). 312 * @return: number of bits the same. 313 */ 314 int addr_in_common(struct sockaddr_storage* addr1, int net1, 315 struct sockaddr_storage* addr2, int net2, socklen_t addrlen); 316 317 /** 318 * Put address into string, works for IPv4 and IPv6. 319 * @param addr: address 320 * @param addrlen: length of address 321 * @param buf: result string stored here 322 * @param len: length of buf. 323 * On failure a string with "error" is stored inside. 324 */ 325 void addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen, 326 char* buf, size_t len); 327 328 /** 329 * See if sockaddr is an ipv6 mapped ipv4 address, "::ffff:0.0.0.0" 330 * @param addr: address 331 * @param addrlen: length of address 332 * @return true if so 333 */ 334 int addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen); 335 336 /** 337 * See if sockaddr is 255.255.255.255. 338 * @param addr: address 339 * @param addrlen: length of address 340 * @return true if so 341 */ 342 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen); 343 344 /** 345 * See if sockaddr is 0.0.0.0 or ::0. 346 * @param addr: address 347 * @param addrlen: length of address 348 * @return true if so 349 */ 350 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen); 351 352 /** 353 * Insert new socket list item. If fails logs error. 354 * @param list: pointer to pointer to first item. 355 * @param addr: address or NULL if 'cache'. 356 * @param len: length of addr, or 0 if 'cache'. 357 * @param region: where to allocate 358 */ 359 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr, 360 socklen_t len, struct regional* region); 361 362 /** 363 * Append one list to another. Must both be from same qstate(regional). 364 * @param list: pointer to result list that is modified. 365 * @param add: item(s) to add. They are prepended to list. 366 */ 367 void sock_list_prepend(struct sock_list** list, struct sock_list* add); 368 369 /** 370 * Find addr in list. 371 * @param list: to search in 372 * @param addr: address to look for. 373 * @param len: length. Can be 0, look for 'cache entry'. 374 * @return true if found. 375 */ 376 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr, 377 socklen_t len); 378 379 /** 380 * Merge socklist into another socket list. Allocates the new entries 381 * freshly and copies them over, so also performs a region switchover. 382 * Allocation failures are logged. 383 * @param list: the destination list (checked for duplicates) 384 * @param region: where to allocate 385 * @param add: the list of entries to add. 386 */ 387 void sock_list_merge(struct sock_list** list, struct regional* region, 388 struct sock_list* add); 389 390 /** 391 * Log libcrypto error with descriptive string. Calls log_err(). 392 * @param str: what failed. 393 */ 394 void log_crypto_err(const char* str); 395 396 /** 397 * Log libcrypto error from errcode with descriptive string, calls log_err. 398 * @param str: what failed. 399 * @param err: error code from ERR_get_error. 400 */ 401 void log_crypto_err_code(const char* str, unsigned long err); 402 403 /** 404 * Log certificate details verbosity, string, of X509 cert 405 * @param level: verbosity level 406 * @param str: string to prefix on output 407 * @param cert: X509* structure. 408 */ 409 void log_cert(unsigned level, const char* str, void* cert); 410 411 /** 412 * Set SSL_OP_NOxxx options on SSL context to disable bad crypto 413 * @param ctxt: SSL_CTX* 414 * @return false on failure. 415 */ 416 int listen_sslctx_setup(void* ctxt); 417 418 /** 419 * Further setup of listening SSL context, after keys loaded. 420 * @param ctxt: SSL_CTX* 421 */ 422 void listen_sslctx_setup_2(void* ctxt); 423 424 /** 425 * create SSL listen context 426 * @param key: private key file. 427 * @param pem: public key cert. 428 * @param verifypem: if nonNULL, verifylocation file. 429 * return SSL_CTX* or NULL on failure (logged). 430 */ 431 void* listen_sslctx_create(char* key, char* pem, char* verifypem); 432 433 /** 434 * create SSL connect context 435 * @param key: if nonNULL (also pem nonNULL), the client private key. 436 * @param pem: client public key (or NULL if key is NULL). 437 * @param verifypem: if nonNULL used for verifylocation file. 438 * @param wincert: add system certificate store to ctx (add to verifypem ca 439 * certs). 440 * @return SSL_CTX* or NULL on failure (logged). 441 */ 442 void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert); 443 444 /** 445 * accept a new fd and wrap it in a BIO in SSL 446 * @param sslctx: the SSL_CTX to use (from listen_sslctx_create()). 447 * @param fd: from accept, nonblocking. 448 * @return SSL or NULL on alloc failure. 449 */ 450 void* incoming_ssl_fd(void* sslctx, int fd); 451 452 /** 453 * connect a new fd and wrap it in a BIO in SSL 454 * @param sslctx: the SSL_CTX to use (from connect_sslctx_create()) 455 * @param fd: from connect. 456 * @return SSL or NULL on alloc failure 457 */ 458 void* outgoing_ssl_fd(void* sslctx, int fd); 459 460 /** 461 * check if authname SSL functionality is available, false if not 462 * @param auth_name: the name for the remote server, used for error print. 463 * @return false if SSL functionality to check the SSL name is not available. 464 */ 465 int check_auth_name_for_ssl(char* auth_name); 466 467 /** 468 * set auth name on SSL for verification 469 * @param ssl: SSL* to set 470 * @param auth_name: if NULL nothing happens, otherwise the name to check. 471 * @param use_sni: if SNI will be used. 472 * @return 1 on success or NULL auth_name, 0 on failure. 473 */ 474 int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni); 475 476 /** 477 * Initialize openssl locking for thread safety 478 * @return false on failure (alloc failure). 479 */ 480 int ub_openssl_lock_init(void); 481 482 /** 483 * De-init the allocated openssl locks 484 */ 485 void ub_openssl_lock_delete(void); 486 487 /** 488 * setup TLS session ticket 489 * @param sslctx: the SSL_CTX to use (from connect_sslctx_create()) 490 * @param tls_session_ticket_keys: TLS ticket secret filenames 491 * @return false on failure (alloc failure). 492 */ 493 int listen_sslctx_setup_ticket_keys(void* sslctx, 494 struct config_strlist* tls_session_ticket_keys); 495 496 /** Free memory used for TLS session ticket keys */ 497 void listen_sslctx_delete_ticket_keys(void); 498 499 /** 500 * RPZ format netblock to network byte order address and netblock 501 * example RPZ netblock format dnames: 502 * - 24.10.100.51.198.rpz-ip -> 198.51.100.10/24 503 * - 32.10.zz.db8.2001.rpz-ip -> 2001:db8:0:0:0:0:0:10/32 504 * @param dname: the dname containing RPZ format netblock 505 * @param dnamelen: length of dname 506 * @param addr: where to store sockaddr. 507 * @param addrlen: length of stored sockaddr is returned. 508 * @param net: where to store netmask 509 * @param af: where to store address family. 510 * @return 0 on error. 511 */ 512 int netblockdnametoaddr(uint8_t* dname, size_t dnamelen, 513 struct sockaddr_storage* addr, socklen_t* addrlen, int* net, int* af); 514 515 /** Return strerror or wsastrerror for socket error printout */ 516 char* sock_strerror(int errn); 517 /** close the socket with close, or wsa closesocket */ 518 void sock_close(int socket); 519 520 #endif /* NET_HELP_H */ 521