12be9e038Ssthen #ifndef UNBOUND_DNSCRYPT_H
22be9e038Ssthen #define UNBOUND_DNSCRYPT_H
32be9e038Ssthen 
42be9e038Ssthen /**
52be9e038Ssthen  * \file
62be9e038Ssthen  * dnscrypt functions for encrypting DNS packets.
72be9e038Ssthen  */
82be9e038Ssthen 
92be9e038Ssthen #include "dnscrypt/dnscrypt_config.h"
102be9e038Ssthen #ifdef USE_DNSCRYPT
112be9e038Ssthen 
/**
 * Length in bytes of the DNSCrypt magic field (magic_query in the structs
 * of this header). DNSCRYPT_MAGIC_RESPONSE is exactly this many characters.
 */
#define DNSCRYPT_MAGIC_HEADER_LEN 8U
/**
 * Magic value for responses. As a string literal it also carries a
 * terminating NUL, so copies and comparisons should be bounded by
 * DNSCRYPT_MAGIC_HEADER_LEN rather than by sizeof.
 */
#define DNSCRYPT_MAGIC_RESPONSE  "r6fnvWj8"

/**
 * Padding parameters. Each is only defined when not already set, so a build
 * can override it.
 * NOTE(review): presumably these bound the padding applied to encrypted
 * packets (maximum padding, block alignment, minimum pad length); confirm
 * against the implementation before changing a value.
 */
#ifndef DNSCRYPT_MAX_PADDING
# define DNSCRYPT_MAX_PADDING 256U
#endif
#ifndef DNSCRYPT_BLOCK_SIZE
# define DNSCRYPT_BLOCK_SIZE 64U
#endif
#ifndef DNSCRYPT_MIN_PAD_LEN
# define DNSCRYPT_MIN_PAD_LEN 8U
#endif

/**
 * Half the size of a crypto_box nonce. The nonce field of
 * struct dnscrypt_query_header has this size.
 */
#define crypto_box_HALF_NONCEBYTES (crypto_box_NONCEBYTES / 2U)
262be9e038Ssthen 
272be9e038Ssthen #include "config.h"
282be9e038Ssthen #include "dnscrypt/cert.h"
297191de28Ssthen #include "util/locks.h"
302be9e038Ssthen 
/**
 * Size of the header of an encrypted query: magic, public key, half nonce
 * and MAC. This is the sum of the field sizes of
 * struct dnscrypt_query_header. A packet shorter than this cannot hold a
 * complete query header.
 */
#define DNSCRYPT_QUERY_HEADER_SIZE \
    (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + crypto_box_HALF_NONCEBYTES + crypto_box_MACBYTES)
/** Size of a response header: magic, full nonce and MAC. */
#define DNSCRYPT_RESPONSE_HEADER_SIZE \
    (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_NONCEBYTES + crypto_box_MACBYTES)

/**
 * Same sum written with two half nonces; equal to
 * DNSCRYPT_RESPONSE_HEADER_SIZE whenever crypto_box_NONCEBYTES is even.
 * NOTE(review): confirm which of the two macros each caller is meant to use.
 */
#define DNSCRYPT_REPLY_HEADER_SIZE \
    (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES * 2 + crypto_box_MACBYTES)
382be9e038Ssthen 
/*
 * Forward declarations. This header uses config_file, comm_reply and
 * slabhash only through pointers, so their full definitions are not needed
 * here.
 */
struct sldns_buffer;
struct config_file;
struct comm_reply;
struct slabhash;
432be9e038Ssthen 
/**
 * A crypto_box key pair; the array sizes come from the crypto_box_*
 * constants.
 * NOTE(review): crypt_secretkey is secret key material held in process
 * memory. Confirm the owner wipes it (e.g. with sodium_memzero) before the
 * memory is released.
 */
typedef struct KeyPair_ {
    /* public half of the key pair */
    uint8_t crypt_publickey[crypto_box_PUBLICKEYBYTES];
    /* secret half of the key pair; must not be logged or copied out */
    uint8_t crypt_secretkey[crypto_box_SECRETKEYBYTES];
} KeyPair;
482be9e038Ssthen 
/**
 * Per-certificate record that ties a query magic to a key pair.
 * NOTE(review): presumably an incoming query's magic is matched against
 * magic_query to pick the key pair used for decryption; confirm in the
 * implementation.
 */
typedef struct cert_ {
    /* magic value, DNSCRYPT_MAGIC_HEADER_LEN bytes */
    uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
    /* two-byte version field; presumably the encryption system version - TODO confirm */
    uint8_t es_version[2];
    /* pointer to the key pair for this certificate; ownership is not shown here */
    KeyPair *keypair;
} dnsccert;
542be9e038Ssthen 
/**
 * DNSCrypt environment: certificates, provider and encryption keys, and the
 * caches used while handling queries.
 * NOTE(review): provider_secretkey and the secret keys reachable through
 * keypairs are long-lived secrets in process memory. Confirm that
 * dnsc_delete wipes them before freeing, and that this struct is never
 * dumped to logs.
 */
struct dnsc_env {
	/** signed certificates; signed_certs_count gives the number of entries */
	struct SignedCert *signed_certs;
	/** pointers to rotated certificates; rotated_certs_count gives the number of entries */
	struct SignedCert **rotated_certs;
	/** per-certificate records (query magic, version, key pair) */
	dnsccert *certs;
	size_t signed_certs_count;
	size_t rotated_certs_count;
	/** provider Ed25519 public key */
	uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
	/** provider Ed25519 secret key; secret material */
	uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];
	/** crypto_box key pairs; keypairs_count gives the number of entries */
	KeyPair *keypairs;
	size_t keypairs_count;
	/** presumably the timestamp last used when generating a nonce - TODO confirm */
	uint64_t nonce_ts_last;
	/** key for crypto_shorthash, set up by dnsc_apply_cfg */
	unsigned char hash_key[crypto_shorthash_KEYBYTES];
	/** provider name, set up by dnsc_apply_cfg */
	char * provider_name;

	/** Caches */
	struct slabhash *shared_secrets_cache;
	/** lock on shared secret cache counters */
	lock_basic_type shared_secrets_cache_lock;
	/** number of misses from shared_secrets_cache */
	size_t num_query_dnscrypt_secret_missed_cache;

	/** slabhash keeping track of nonce/client pk/server sk pairs. */
	struct slabhash *nonces_cache;
	/** lock on nonces_cache, used to avoid race condition in updating the hash */
	lock_basic_type nonces_cache_lock;
	/** number of replayed queries */
	size_t num_query_dnscrypt_replay;
};
832be9e038Ssthen 
/**
 * Layout of the header of an encrypted query. The fields are byte arrays
 * whose sizes add up to DNSCRYPT_QUERY_HEADER_SIZE.
 * Code that overlays this struct on a received packet should first check
 * that the packet holds at least DNSCRYPT_QUERY_HEADER_SIZE bytes.
 */
struct dnscrypt_query_header {
    /* magic value of the query */
    uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
    /* public key sent with the query */
    uint8_t publickey[crypto_box_PUBLICKEYBYTES];
    /* half-size nonce sent with the query */
    uint8_t nonce[crypto_box_HALF_NONCEBYTES];
    /* message authentication code */
    uint8_t mac[crypto_box_MACBYTES];
};
902be9e038Ssthen 
/**
 * Initialize DNSCrypt environment.
 * Initialize sodium library and allocate the dnsc_env structure.
 * The returned structure still has to be populated with dnsc_apply_cfg.
 * NOTE(review): the failure behaviour (NULL return or fatal exit) is not
 * stated here; confirm it in the implementation before using the result
 * unchecked.
 * \return an uninitialized struct dnsc_env.
 */
struct dnsc_env * dnsc_create(void);
972be9e038Ssthen 
/**
 * Apply configuration.
 * Read certificates and secret keys from configuration. Initialize hashkey and
 * provider name as well as loading cert TXT records.
 * If applying the configuration fails, this function fatals.
 * NOTE(review): secret keys are loaded into env here; the protection of the
 * configured key material on disk is outside what this header shows.
 * \param[in,out] env the struct dnsc_env to populate.
 * \param[in] cfg the config_file struct with dnscrypt options.
 * \return 0 on success.
 */
int dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg);
1082be9e038Ssthen 
/**
 * Delete DNSCrypt environment.
 * NOTE(review): env holds provider_secretkey and, through keypairs, the
 * crypto_box secret keys. Confirm the implementation wipes them before the
 * memory is freed.
 * \param[in] env the struct dnsc_env to delete.
 */
void dnsc_delete(struct dnsc_env *env);
1147191de28Ssthen 
1157191de28Ssthen /**
1162be9e038Ssthen  * handle a crypted dnscrypt request.
117*e21c60efSsthen  * Determine whether or not a query is coming over the dnscrypt listener and
1182be9e038Ssthen  * attempt to uncurve it or detect if it is a certificate query.
1192be9e038Ssthen  * return 0 in case of failure.
1202be9e038Ssthen  */
1212be9e038Ssthen int dnsc_handle_curved_request(struct dnsc_env* dnscenv,
1222be9e038Ssthen                                struct comm_reply* repinfo);
/**
 * Handle an unencrypted dnscrypt request.
 * Determine whether or not a query is going over the dnscrypt channel and
 * attempt to curve (encrypt) it, unless the query was not encrypted to begin
 * with, as is the case for a certificate query.
 * \param[in] repinfo the comm_reply of the query being handled.
 * \return 0 in case of failure.
 */
int dnsc_handle_uncurved_request(struct comm_reply *repinfo);
1327191de28Ssthen 
/*
 * Callbacks for the shared secret cache.
 * NOTE(review): presumably these are registered with the slabhash behind
 * dnsc_env.shared_secrets_cache; the void pointer signatures fit that use.
 * Confirm at the point where the cache is created.
 */

/**
 * Computes the size of the shared secret cache entry.
 * \param[in] k the cache key.
 * \param[in] d the cache data.
 */
size_t dnsc_shared_secrets_sizefunc(void *k, void *d);

/**
 * Compares two shared secret cache keys.
 */
int dnsc_shared_secrets_compfunc(void *m1, void *m2);

/**
 * Function to delete a shared secret cache key.
 */
void dnsc_shared_secrets_delkeyfunc(void *k, void* arg);

/**
 * Function to delete a shared secret cache value.
 * NOTE(review): the value is a shared secret; confirm it is wiped before the
 * memory is released.
 */
void dnsc_shared_secrets_deldatafunc(void* d, void* arg);
1527191de28Ssthen 
/*
 * Callbacks for the nonce cache.
 * NOTE(review): presumably these are registered with the slabhash behind
 * dnsc_env.nonces_cache, which tracks nonce/client pk/server sk pairs and
 * backs the replayed-query counter. Confirm at the point where the cache is
 * created.
 */

/**
 * Computes the size of the nonce cache entry.
 * \param[in] k the cache key.
 * \param[in] d the cache data.
 */
size_t dnsc_nonces_sizefunc(void *k, void *d);

/**
 * Compares two nonce cache keys.
 */
int dnsc_nonces_compfunc(void *m1, void *m2);

/**
 * Function to delete a nonce cache key.
 */
void dnsc_nonces_delkeyfunc(void *k, void* arg);

/**
 * Function to delete a nonce cache value.
 */
void dnsc_nonces_deldatafunc(void* d, void* arg);
172bdfc4d55Sflorian 
173bdfc4d55Sflorian 
1742be9e038Ssthen #endif /* USE_DNSCRYPT */
1752be9e038Ssthen #endif
176