1 /* 2 * util/net_help.c - implementation of the network helper code 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 /** 36 * \file 37 * Implementation of net_help.h. 38 */ 39 40 #include "config.h" 41 #ifdef HAVE_SYS_TYPES_H 42 # include <sys/types.h> 43 #endif 44 #ifdef HAVE_NET_IF_H 45 #include <net/if.h> 46 #endif 47 #ifdef HAVE_NETIOAPI_H 48 #include <netioapi.h> 49 #endif 50 #include "util/net_help.h" 51 #include "util/log.h" 52 #include "util/data/dname.h" 53 #include "util/module.h" 54 #include "util/regional.h" 55 #include "util/config_file.h" 56 #include "sldns/parseutil.h" 57 #include "sldns/wire2str.h" 58 #include "sldns/str2wire.h" 59 #include <fcntl.h> 60 #ifdef HAVE_OPENSSL_SSL_H 61 #include <openssl/ssl.h> 62 #include <openssl/evp.h> 63 #include <openssl/rand.h> 64 #endif 65 #ifdef HAVE_OPENSSL_ERR_H 66 #include <openssl/err.h> 67 #endif 68 #ifdef HAVE_OPENSSL_CORE_NAMES_H 69 #include <openssl/core_names.h> 70 #endif 71 #ifdef USE_WINSOCK 72 #include <wincrypt.h> 73 #endif 74 #ifdef HAVE_NGHTTP2_NGHTTP2_H 75 #include <nghttp2/nghttp2.h> 76 #endif 77 78 /** max length of an IP address (the address portion) that we allow */ 79 #define MAX_ADDR_STRLEN 128 /* characters */ 80 /** default value for EDNS ADVERTISED size */ 81 uint16_t EDNS_ADVERTISED_SIZE = 4096; 82 83 /** minimal responses when positive answer: default is no */ 84 int MINIMAL_RESPONSES = 0; 85 86 /** rrset order roundrobin: default is yes */ 87 int RRSET_ROUNDROBIN = 1; 88 89 /** log tag queries with name instead of 'info' for filtering */ 90 int LOG_TAG_QUERYREPLY = 0; 91 92 static struct tls_session_ticket_key { 93 unsigned char *key_name; 94 unsigned char *aes_key; 95 unsigned char *hmac_key; 96 } *ticket_keys; 97 98 #ifdef HAVE_SSL 99 /** 100 * callback TLS session ticket encrypt and decrypt 101 * For use with SSL_CTX_set_tlsext_ticket_key_cb or 102 * SSL_CTX_set_tlsext_ticket_key_evp_cb 103 * @param s: the SSL_CTX to use (from connect_sslctx_create()) 104 * @param key_name: secret name, 16 bytes 105 * @param iv: up to EVP_MAX_IV_LENGTH. 106 * @param evp_ctx: the evp cipher context, function sets this. 107 * @param hmac_ctx: the hmac context, function sets this. 108 * with ..key_cb it is of type HMAC_CTX* 109 * with ..key_evp_cb it is of type EVP_MAC_CTX* 110 * @param enc: 1 is encrypt, 0 is decrypt 111 * @return 0 on no ticket, 1 for okay, and 2 for okay but renew the ticket 112 * (the ticket is decrypt only). and <0 for failures. 113 */ 114 int tls_session_ticket_key_cb(SSL *s, unsigned char* key_name, 115 unsigned char* iv, EVP_CIPHER_CTX *evp_ctx, 116 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 117 EVP_MAC_CTX *hmac_ctx, 118 #else 119 HMAC_CTX* hmac_ctx, 120 #endif 121 int enc); 122 #endif /* HAVE_SSL */ 123 124 /* returns true is string addr is an ip6 specced address */ 125 int 126 str_is_ip6(const char* str) 127 { 128 if(strchr(str, ':')) 129 return 1; 130 else return 0; 131 } 132 133 int 134 fd_set_nonblock(int s) 135 { 136 #ifdef HAVE_FCNTL 137 int flag; 138 if((flag = fcntl(s, F_GETFL)) == -1) { 139 log_err("can't fcntl F_GETFL: %s", strerror(errno)); 140 flag = 0; 141 } 142 flag |= O_NONBLOCK; 143 if(fcntl(s, F_SETFL, flag) == -1) { 144 log_err("can't fcntl F_SETFL: %s", strerror(errno)); 145 return 0; 146 } 147 #elif defined(HAVE_IOCTLSOCKET) 148 unsigned long on = 1; 149 if(ioctlsocket(s, FIONBIO, &on) != 0) { 150 log_err("can't ioctlsocket FIONBIO on: %s", 151 wsa_strerror(WSAGetLastError())); 152 } 153 #endif 154 return 1; 155 } 156 157 int 158 fd_set_block(int s) 159 { 160 #ifdef HAVE_FCNTL 161 int flag; 162 if((flag = fcntl(s, F_GETFL)) == -1) { 163 log_err("cannot fcntl F_GETFL: %s", strerror(errno)); 164 flag = 0; 165 } 166 flag &= ~O_NONBLOCK; 167 if(fcntl(s, F_SETFL, flag) == -1) { 168 log_err("cannot fcntl F_SETFL: %s", strerror(errno)); 169 return 0; 170 } 171 #elif defined(HAVE_IOCTLSOCKET) 172 unsigned long off = 0; 173 if(ioctlsocket(s, FIONBIO, &off) != 0) { 174 if(WSAGetLastError() != WSAEINVAL || verbosity >= 4) 175 log_err("can't ioctlsocket FIONBIO off: %s", 176 wsa_strerror(WSAGetLastError())); 177 } 178 #endif 179 return 1; 180 } 181 182 int 183 is_pow2(size_t num) 184 { 185 if(num == 0) return 1; 186 return (num & (num-1)) == 0; 187 } 188 189 void* 190 memdup(void* data, size_t len) 191 { 192 void* d; 193 if(!data) return NULL; 194 if(len == 0) return NULL; 195 d = malloc(len); 196 if(!d) return NULL; 197 memcpy(d, data, len); 198 return d; 199 } 200 201 void 202 log_addr(enum verbosity_value v, const char* str, 203 struct sockaddr_storage* addr, socklen_t addrlen) 204 { 205 uint16_t port; 206 const char* family = "unknown"; 207 char dest[100]; 208 int af = (int)((struct sockaddr_in*)addr)->sin_family; 209 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 210 if(verbosity < v) 211 return; 212 switch(af) { 213 case AF_INET: family="ip4"; break; 214 case AF_INET6: family="ip6"; 215 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 216 break; 217 case AF_LOCAL: 218 dest[0]=0; 219 (void)inet_ntop(af, sinaddr, dest, 220 (socklen_t)sizeof(dest)); 221 verbose(v, "%s local %s", str, dest); 222 return; /* do not continue and try to get port */ 223 default: break; 224 } 225 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 226 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 227 } 228 dest[sizeof(dest)-1] = 0; 229 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 230 if(verbosity >= 4) 231 verbose(v, "%s %s %s port %d (len %d)", str, family, dest, 232 (int)port, (int)addrlen); 233 else verbose(v, "%s %s port %d", str, dest, (int)port); 234 } 235 236 int 237 extstrtoaddr(const char* str, struct sockaddr_storage* addr, 238 socklen_t* addrlen, int port) 239 { 240 char* s; 241 if((s=strchr(str, '@'))) { 242 char buf[MAX_ADDR_STRLEN]; 243 if(s-str >= MAX_ADDR_STRLEN) { 244 return 0; 245 } 246 (void)strlcpy(buf, str, sizeof(buf)); 247 buf[s-str] = 0; 248 port = atoi(s+1); 249 if(port == 0 && strcmp(s+1,"0")!=0) { 250 return 0; 251 } 252 return ipstrtoaddr(buf, port, addr, addrlen); 253 } 254 return ipstrtoaddr(str, port, addr, addrlen); 255 } 256 257 int 258 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, 259 socklen_t* addrlen) 260 { 261 uint16_t p; 262 if(!ip) return 0; 263 p = (uint16_t) port; 264 if(str_is_ip6(ip)) { 265 char buf[MAX_ADDR_STRLEN]; 266 char* s; 267 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 268 *addrlen = (socklen_t)sizeof(struct sockaddr_in6); 269 memset(sa, 0, *addrlen); 270 sa->sin6_family = AF_INET6; 271 sa->sin6_port = (in_port_t)htons(p); 272 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */ 273 if(s-ip >= MAX_ADDR_STRLEN) 274 return 0; 275 (void)strlcpy(buf, ip, sizeof(buf)); 276 buf[s-ip]=0; 277 #ifdef HAVE_IF_NAMETOINDEX 278 if (!(sa->sin6_scope_id = if_nametoindex(s+1))) 279 #endif /* HAVE_IF_NAMETOINDEX */ 280 sa->sin6_scope_id = (uint32_t)atoi(s+1); 281 ip = buf; 282 } 283 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) { 284 return 0; 285 } 286 } else { /* ip4 */ 287 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 288 *addrlen = (socklen_t)sizeof(struct sockaddr_in); 289 memset(sa, 0, *addrlen); 290 sa->sin_family = AF_INET; 291 sa->sin_port = (in_port_t)htons(p); 292 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) { 293 return 0; 294 } 295 } 296 return 1; 297 } 298 299 int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr, 300 socklen_t* addrlen, int* net) 301 { 302 char buf[64]; 303 char* s; 304 *net = (str_is_ip6(str)?128:32); 305 if((s=strchr(str, '/'))) { 306 if(atoi(s+1) > *net) { 307 log_err("netblock too large: %s", str); 308 return 0; 309 } 310 *net = atoi(s+1); 311 if(*net == 0 && strcmp(s+1, "0") != 0) { 312 log_err("cannot parse netblock: '%s'", str); 313 return 0; 314 } 315 strlcpy(buf, str, sizeof(buf)); 316 s = strchr(buf, '/'); 317 if(s) *s = 0; 318 s = buf; 319 } 320 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) { 321 log_err("cannot parse ip address: '%s'", str); 322 return 0; 323 } 324 if(s) { 325 addr_mask(addr, *addrlen, *net); 326 } 327 return 1; 328 } 329 330 /* RPZ format address dname to network byte order address */ 331 static int ipdnametoaddr(uint8_t* dname, size_t dnamelen, 332 struct sockaddr_storage* addr, socklen_t* addrlen, int* af) 333 { 334 uint8_t* ia; 335 int dnamelabs = dname_count_labels(dname); 336 uint8_t lablen; 337 char* e = NULL; 338 int z = 0; 339 size_t len = 0; 340 int i; 341 *af = AF_INET; 342 343 /* need 1 byte for label length */ 344 if(dnamelen < 1) 345 return 0; 346 347 if(dnamelabs > 6 || 348 dname_has_label(dname, dnamelen, (uint8_t*)"\002zz")) { 349 *af = AF_INET6; 350 } 351 len = *dname; 352 lablen = *dname++; 353 i = (*af == AF_INET) ? 3 : 15; 354 if(*af == AF_INET6) { 355 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 356 *addrlen = (socklen_t)sizeof(struct sockaddr_in6); 357 memset(sa, 0, *addrlen); 358 sa->sin6_family = AF_INET6; 359 ia = (uint8_t*)&sa->sin6_addr; 360 } else { /* ip4 */ 361 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 362 *addrlen = (socklen_t)sizeof(struct sockaddr_in); 363 memset(sa, 0, *addrlen); 364 sa->sin_family = AF_INET; 365 ia = (uint8_t*)&sa->sin_addr; 366 } 367 while(lablen && i >= 0 && len <= dnamelen) { 368 char buff[LDNS_MAX_LABELLEN+1]; 369 uint16_t chunk; /* big enough to not overflow on IPv6 hextet */ 370 if((*af == AF_INET && (lablen > 3 || dnamelabs > 6)) || 371 (*af == AF_INET6 && (lablen > 4 || dnamelabs > 10))) { 372 return 0; 373 } 374 if(memcmp(dname, "zz", 2) == 0 && *af == AF_INET6) { 375 /* Add one or more 0 labels. Address is initialised at 376 * 0, so just skip the zero part. */ 377 int zl = 11 - dnamelabs; 378 if(z || zl < 0) 379 return 0; 380 z = 1; 381 i -= (zl*2); 382 } else { 383 memcpy(buff, dname, lablen); 384 buff[lablen] = '\0'; 385 chunk = strtol(buff, &e, (*af == AF_INET) ? 10 : 16); 386 if(!e || *e != '\0' || (*af == AF_INET && chunk > 255)) 387 return 0; 388 if(*af == AF_INET) { 389 log_assert(i < 4 && i >= 0); 390 ia[i] = (uint8_t)chunk; 391 i--; 392 } else { 393 log_assert(i < 16 && i >= 1); 394 /* ia in network byte order */ 395 ia[i-1] = (uint8_t)(chunk >> 8); 396 ia[i] = (uint8_t)(chunk & 0x00FF); 397 i -= 2; 398 } 399 } 400 dname += lablen; 401 lablen = *dname++; 402 len += lablen; 403 } 404 if(i != -1) 405 /* input too short */ 406 return 0; 407 return 1; 408 } 409 410 int netblockdnametoaddr(uint8_t* dname, size_t dnamelen, 411 struct sockaddr_storage* addr, socklen_t* addrlen, int* net, int* af) 412 { 413 char buff[3 /* 3 digit netblock */ + 1]; 414 size_t nlablen; 415 if(dnamelen < 1 || *dname > 3) 416 /* netblock invalid */ 417 return 0; 418 nlablen = *dname; 419 420 if(dnamelen < 1 + nlablen) 421 return 0; 422 423 memcpy(buff, dname+1, nlablen); 424 buff[nlablen] = '\0'; 425 *net = atoi(buff); 426 if(*net == 0 && strcmp(buff, "0") != 0) 427 return 0; 428 dname += nlablen; 429 dname++; 430 if(!ipdnametoaddr(dname, dnamelen-1-nlablen, addr, addrlen, af)) 431 return 0; 432 if((*af == AF_INET6 && *net > 128) || (*af == AF_INET && *net > 32)) 433 return 0; 434 return 1; 435 } 436 437 int authextstrtoaddr(char* str, struct sockaddr_storage* addr, 438 socklen_t* addrlen, char** auth_name) 439 { 440 char* s; 441 int port = UNBOUND_DNS_PORT; 442 if((s=strchr(str, '@'))) { 443 char buf[MAX_ADDR_STRLEN]; 444 size_t len = (size_t)(s-str); 445 char* hash = strchr(s+1, '#'); 446 if(hash) { 447 *auth_name = hash+1; 448 } else { 449 *auth_name = NULL; 450 } 451 if(len >= MAX_ADDR_STRLEN) { 452 return 0; 453 } 454 (void)strlcpy(buf, str, sizeof(buf)); 455 buf[len] = 0; 456 port = atoi(s+1); 457 if(port == 0) { 458 if(!hash && strcmp(s+1,"0")!=0) 459 return 0; 460 if(hash && strncmp(s+1,"0#",2)!=0) 461 return 0; 462 } 463 return ipstrtoaddr(buf, port, addr, addrlen); 464 } 465 if((s=strchr(str, '#'))) { 466 char buf[MAX_ADDR_STRLEN]; 467 size_t len = (size_t)(s-str); 468 if(len >= MAX_ADDR_STRLEN) { 469 return 0; 470 } 471 (void)strlcpy(buf, str, sizeof(buf)); 472 buf[len] = 0; 473 port = UNBOUND_DNS_OVER_TLS_PORT; 474 *auth_name = s+1; 475 return ipstrtoaddr(buf, port, addr, addrlen); 476 } 477 *auth_name = NULL; 478 return ipstrtoaddr(str, port, addr, addrlen); 479 } 480 481 uint8_t* authextstrtodname(char* str, int* port, char** auth_name) 482 { 483 char* s; 484 uint8_t* dname; 485 size_t dname_len; 486 *port = UNBOUND_DNS_PORT; 487 *auth_name = NULL; 488 if((s=strchr(str, '@'))) { 489 char* hash = strchr(s+1, '#'); 490 if(hash) { 491 *auth_name = hash+1; 492 } else { 493 *auth_name = NULL; 494 } 495 *port = atoi(s+1); 496 if(*port == 0) { 497 if(!hash && strcmp(s+1,"0")!=0) 498 return 0; 499 if(hash && strncmp(s+1,"0#",2)!=0) 500 return 0; 501 } 502 *s = 0; 503 dname = sldns_str2wire_dname(str, &dname_len); 504 *s = '@'; 505 } else if((s=strchr(str, '#'))) { 506 *port = UNBOUND_DNS_OVER_TLS_PORT; 507 *auth_name = s+1; 508 *s = 0; 509 dname = sldns_str2wire_dname(str, &dname_len); 510 *s = '#'; 511 } else { 512 dname = sldns_str2wire_dname(str, &dname_len); 513 } 514 return dname; 515 } 516 517 /** store port number into sockaddr structure */ 518 void 519 sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port) 520 { 521 if(addr_is_ip6(addr, addrlen)) { 522 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 523 sa->sin6_port = (in_port_t)htons((uint16_t)port); 524 } else { 525 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 526 sa->sin_port = (in_port_t)htons((uint16_t)port); 527 } 528 } 529 530 void 531 log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name, 532 uint16_t type, uint16_t dclass) 533 { 534 char buf[LDNS_MAX_DOMAINLEN+1]; 535 char t[12], c[12]; 536 const char *ts, *cs; 537 if(verbosity < v) 538 return; 539 dname_str(name, buf); 540 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG"; 541 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR"; 542 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR"; 543 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB"; 544 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA"; 545 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY"; 546 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name) 547 ts = sldns_rr_descript(type)->_name; 548 else { 549 snprintf(t, sizeof(t), "TYPE%d", (int)type); 550 ts = t; 551 } 552 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) && 553 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name) 554 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name; 555 else { 556 snprintf(c, sizeof(c), "CLASS%d", (int)dclass); 557 cs = c; 558 } 559 log_info("%s %s %s %s", str, buf, ts, cs); 560 } 561 562 void 563 log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass) 564 { 565 char buf[LDNS_MAX_DOMAINLEN+1]; 566 char t[12], c[12]; 567 const char *ts, *cs; 568 dname_str(name, buf); 569 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG"; 570 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR"; 571 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR"; 572 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB"; 573 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA"; 574 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY"; 575 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name) 576 ts = sldns_rr_descript(type)->_name; 577 else { 578 snprintf(t, sizeof(t), "TYPE%d", (int)type); 579 ts = t; 580 } 581 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) && 582 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name) 583 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name; 584 else { 585 snprintf(c, sizeof(c), "CLASS%d", (int)dclass); 586 cs = c; 587 } 588 if(LOG_TAG_QUERYREPLY) 589 log_query("%s %s %s %s", str, buf, ts, cs); 590 else log_info("%s %s %s %s", str, buf, ts, cs); 591 } 592 593 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone, 594 struct sockaddr_storage* addr, socklen_t addrlen) 595 { 596 uint16_t port; 597 const char* family = "unknown_family "; 598 char namebuf[LDNS_MAX_DOMAINLEN+1]; 599 char dest[100]; 600 int af = (int)((struct sockaddr_in*)addr)->sin_family; 601 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 602 if(verbosity < v) 603 return; 604 switch(af) { 605 case AF_INET: family=""; break; 606 case AF_INET6: family=""; 607 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 608 break; 609 case AF_LOCAL: family="local "; break; 610 default: break; 611 } 612 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 613 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 614 } 615 dest[sizeof(dest)-1] = 0; 616 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 617 dname_str(zone, namebuf); 618 if(af != AF_INET && af != AF_INET6) 619 verbose(v, "%s <%s> %s%s#%d (addrlen %d)", 620 str, namebuf, family, dest, (int)port, (int)addrlen); 621 else verbose(v, "%s <%s> %s%s#%d", 622 str, namebuf, family, dest, (int)port); 623 } 624 625 void log_err_addr(const char* str, const char* err, 626 struct sockaddr_storage* addr, socklen_t addrlen) 627 { 628 uint16_t port; 629 char dest[100]; 630 int af = (int)((struct sockaddr_in*)addr)->sin_family; 631 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 632 if(af == AF_INET6) 633 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 634 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 635 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 636 } 637 dest[sizeof(dest)-1] = 0; 638 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 639 if(verbosity >= 4) 640 log_err("%s: %s for %s port %d (len %d)", str, err, dest, 641 (int)port, (int)addrlen); 642 else log_err("%s: %s for %s port %d", str, err, dest, (int)port); 643 } 644 645 int 646 sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1, 647 struct sockaddr_storage* addr2, socklen_t len2) 648 { 649 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; 650 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; 651 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; 652 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; 653 if(len1 < len2) 654 return -1; 655 if(len1 > len2) 656 return 1; 657 log_assert(len1 == len2); 658 if( p1_in->sin_family < p2_in->sin_family) 659 return -1; 660 if( p1_in->sin_family > p2_in->sin_family) 661 return 1; 662 log_assert( p1_in->sin_family == p2_in->sin_family ); 663 /* compare ip4 */ 664 if( p1_in->sin_family == AF_INET ) { 665 /* just order it, ntohs not required */ 666 if(p1_in->sin_port < p2_in->sin_port) 667 return -1; 668 if(p1_in->sin_port > p2_in->sin_port) 669 return 1; 670 log_assert(p1_in->sin_port == p2_in->sin_port); 671 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); 672 } else if (p1_in6->sin6_family == AF_INET6) { 673 /* just order it, ntohs not required */ 674 if(p1_in6->sin6_port < p2_in6->sin6_port) 675 return -1; 676 if(p1_in6->sin6_port > p2_in6->sin6_port) 677 return 1; 678 log_assert(p1_in6->sin6_port == p2_in6->sin6_port); 679 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, 680 INET6_SIZE); 681 } else { 682 /* eek unknown type, perform this comparison for sanity. */ 683 return memcmp(addr1, addr2, len1); 684 } 685 } 686 687 int 688 sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1, 689 struct sockaddr_storage* addr2, socklen_t len2) 690 { 691 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; 692 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; 693 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; 694 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; 695 if(len1 < len2) 696 return -1; 697 if(len1 > len2) 698 return 1; 699 log_assert(len1 == len2); 700 if( p1_in->sin_family < p2_in->sin_family) 701 return -1; 702 if( p1_in->sin_family > p2_in->sin_family) 703 return 1; 704 log_assert( p1_in->sin_family == p2_in->sin_family ); 705 /* compare ip4 */ 706 if( p1_in->sin_family == AF_INET ) { 707 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); 708 } else if (p1_in6->sin6_family == AF_INET6) { 709 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, 710 INET6_SIZE); 711 } else { 712 /* eek unknown type, perform this comparison for sanity. */ 713 return memcmp(addr1, addr2, len1); 714 } 715 } 716 717 int 718 addr_is_ip6(struct sockaddr_storage* addr, socklen_t len) 719 { 720 if(len == (socklen_t)sizeof(struct sockaddr_in6) && 721 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6) 722 return 1; 723 else return 0; 724 } 725 726 void 727 addr_mask(struct sockaddr_storage* addr, socklen_t len, int net) 728 { 729 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe}; 730 int i, max; 731 uint8_t* s; 732 if(addr_is_ip6(addr, len)) { 733 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; 734 max = 128; 735 } else { 736 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr; 737 max = 32; 738 } 739 if(net >= max) 740 return; 741 for(i=net/8+1; i<max/8; i++) { 742 s[i] = 0; 743 } 744 s[net/8] &= mask[net&0x7]; 745 } 746 747 int 748 addr_in_common(struct sockaddr_storage* addr1, int net1, 749 struct sockaddr_storage* addr2, int net2, socklen_t addrlen) 750 { 751 int min = (net1<net2)?net1:net2; 752 int i, to; 753 int match = 0; 754 uint8_t* s1, *s2; 755 if(addr_is_ip6(addr1, addrlen)) { 756 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr; 757 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr; 758 to = 16; 759 } else { 760 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr; 761 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr; 762 to = 4; 763 } 764 /* match = bits_in_common(s1, s2, to); */ 765 for(i=0; i<to; i++) { 766 if(s1[i] == s2[i]) { 767 match += 8; 768 } else { 769 uint8_t z = s1[i]^s2[i]; 770 log_assert(z); 771 while(!(z&0x80)) { 772 match++; 773 z<<=1; 774 } 775 break; 776 } 777 } 778 if(match > min) match = min; 779 return match; 780 } 781 782 void 783 addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen, 784 char* buf, size_t len) 785 { 786 int af = (int)((struct sockaddr_in*)addr)->sin_family; 787 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 788 if(addr_is_ip6(addr, addrlen)) 789 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 790 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) { 791 snprintf(buf, len, "(inet_ntop_error)"); 792 } 793 } 794 795 int 796 prefixnet_is_nat64(int prefixnet) 797 { 798 return (prefixnet == 32 || prefixnet == 40 || 799 prefixnet == 48 || prefixnet == 56 || 800 prefixnet == 64 || prefixnet == 96); 801 } 802 803 void 804 addr_to_nat64(const struct sockaddr_storage* addr, 805 const struct sockaddr_storage* nat64_prefix, 806 socklen_t nat64_prefixlen, int nat64_prefixnet, 807 struct sockaddr_storage* nat64_addr, socklen_t* nat64_addrlen) 808 { 809 struct sockaddr_in *sin = (struct sockaddr_in *)addr; 810 struct sockaddr_in6 *sin6; 811 uint8_t *v4_byte; 812 int i; 813 814 /* This needs to be checked by the caller */ 815 log_assert(addr->ss_family == AF_INET); 816 /* Current usage is only from config values; prefix lengths enforced 817 * during config validation */ 818 log_assert(prefixnet_is_nat64(nat64_prefixnet)); 819 820 *nat64_addr = *nat64_prefix; 821 *nat64_addrlen = nat64_prefixlen; 822 823 sin6 = (struct sockaddr_in6 *)nat64_addr; 824 sin6->sin6_flowinfo = 0; 825 sin6->sin6_port = sin->sin_port; 826 827 nat64_prefixnet = nat64_prefixnet / 8; 828 829 v4_byte = (uint8_t *)&sin->sin_addr.s_addr; 830 for(i = 0; i < 4; i++) { 831 if(nat64_prefixnet == 8) { 832 /* bits 64...71 are MBZ */ 833 sin6->sin6_addr.s6_addr[nat64_prefixnet++] = 0; 834 } 835 sin6->sin6_addr.s6_addr[nat64_prefixnet++] = *v4_byte++; 836 } 837 } 838 839 int 840 addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen) 841 { 842 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */ 843 const uint8_t map_prefix[16] = 844 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0}; 845 uint8_t* s; 846 if(!addr_is_ip6(addr, addrlen)) 847 return 0; 848 /* s is 16 octet ipv6 address string */ 849 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; 850 return (memcmp(s, map_prefix, 12) == 0); 851 } 852 853 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen) 854 { 855 int af = (int)((struct sockaddr_in*)addr)->sin_family; 856 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 857 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in) 858 && memcmp(sinaddr, "\377\377\377\377", 4) == 0; 859 } 860 861 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen) 862 { 863 int af = (int)((struct sockaddr_in*)addr)->sin_family; 864 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 865 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr; 866 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in) 867 && memcmp(sinaddr, "\000\000\000\000", 4) == 0) 868 return 1; 869 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6) 870 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000" 871 "\000\000\000\000\000\000\000\000", 16) == 0) 872 return 1; 873 return 0; 874 } 875 876 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr, 877 socklen_t len, struct regional* region) 878 { 879 struct sock_list* add = (struct sock_list*)regional_alloc(region, 880 sizeof(*add) - sizeof(add->addr) + (size_t)len); 881 if(!add) { 882 log_err("out of memory in socketlist insert"); 883 return; 884 } 885 log_assert(list); 886 add->next = *list; 887 add->len = len; 888 *list = add; 889 if(len) memmove(&add->addr, addr, len); 890 } 891 892 void sock_list_prepend(struct sock_list** list, struct sock_list* add) 893 { 894 struct sock_list* last = add; 895 if(!last) 896 return; 897 while(last->next) 898 last = last->next; 899 last->next = *list; 900 *list = add; 901 } 902 903 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr, 904 socklen_t len) 905 { 906 while(list) { 907 if(len == list->len) { 908 if(len == 0 || sockaddr_cmp_addr(addr, len, 909 &list->addr, list->len) == 0) 910 return 1; 911 } 912 list = list->next; 913 } 914 return 0; 915 } 916 917 void sock_list_merge(struct sock_list** list, struct regional* region, 918 struct sock_list* add) 919 { 920 struct sock_list* p; 921 for(p=add; p; p=p->next) { 922 if(!sock_list_find(*list, &p->addr, p->len)) 923 sock_list_insert(list, &p->addr, p->len, region); 924 } 925 } 926 927 void 928 log_crypto_err(const char* str) 929 { 930 #ifdef HAVE_SSL 931 log_crypto_err_code(str, ERR_get_error()); 932 #else 933 (void)str; 934 #endif /* HAVE_SSL */ 935 } 936 937 void log_crypto_err_code(const char* str, unsigned long err) 938 { 939 #ifdef HAVE_SSL 940 /* error:[error code]:[library name]:[function name]:[reason string] */ 941 char buf[128]; 942 unsigned long e; 943 ERR_error_string_n(err, buf, sizeof(buf)); 944 log_err("%s crypto %s", str, buf); 945 while( (e=ERR_get_error()) ) { 946 ERR_error_string_n(e, buf, sizeof(buf)); 947 log_err("and additionally crypto %s", buf); 948 } 949 #else 950 (void)str; 951 (void)err; 952 #endif /* HAVE_SSL */ 953 } 954 955 #ifdef HAVE_SSL 956 /** log certificate details */ 957 void 958 log_cert(unsigned level, const char* str, void* cert) 959 { 960 BIO* bio; 961 char nul = 0; 962 char* pp = NULL; 963 long len; 964 if(verbosity < level) return; 965 bio = BIO_new(BIO_s_mem()); 966 if(!bio) return; 967 X509_print_ex(bio, (X509*)cert, 0, (unsigned long)-1 968 ^(X509_FLAG_NO_SUBJECT 969 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY 970 |X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX 971 |X509_FLAG_NO_ATTRIBUTES)); 972 BIO_write(bio, &nul, (int)sizeof(nul)); 973 len = BIO_get_mem_data(bio, &pp); 974 if(len != 0 && pp) { 975 /* reduce size of cert printout */ 976 char* s; 977 while((s=strstr(pp, " "))!=NULL) 978 memmove(s, s+1, strlen(s+1)+1); 979 while((s=strstr(pp, "\t\t"))!=NULL) 980 memmove(s, s+1, strlen(s+1)+1); 981 verbose(level, "%s: \n%s", str, pp); 982 } 983 BIO_free(bio); 984 } 985 #endif /* HAVE_SSL */ 986 987 #if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) 988 static int alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out, 989 unsigned char* outlen, const unsigned char* in, unsigned int inlen, 990 void* ATTR_UNUSED(arg)) 991 { 992 int rv = nghttp2_select_next_protocol((unsigned char **)out, outlen, in, 993 inlen); 994 if(rv == -1) { 995 return SSL_TLSEXT_ERR_NOACK; 996 } 997 /* either http/1.1 or h2 selected */ 998 return SSL_TLSEXT_ERR_OK; 999 } 1000 #endif 1001 1002 int 1003 listen_sslctx_setup(void* ctxt) 1004 { 1005 #ifdef HAVE_SSL 1006 SSL_CTX* ctx = (SSL_CTX*)ctxt; 1007 /* no SSLv2, SSLv3 because has defects */ 1008 #if SSL_OP_NO_SSLv2 != 0 1009 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) 1010 != SSL_OP_NO_SSLv2){ 1011 log_crypto_err("could not set SSL_OP_NO_SSLv2"); 1012 return 0; 1013 } 1014 #endif 1015 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) 1016 != SSL_OP_NO_SSLv3){ 1017 log_crypto_err("could not set SSL_OP_NO_SSLv3"); 1018 return 0; 1019 } 1020 #if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1) 1021 /* if we have tls 1.1 disable 1.0 */ 1022 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1) 1023 != SSL_OP_NO_TLSv1){ 1024 log_crypto_err("could not set SSL_OP_NO_TLSv1"); 1025 return 0; 1026 } 1027 #endif 1028 #if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2) 1029 /* if we have tls 1.2 disable 1.1 */ 1030 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1) 1031 != SSL_OP_NO_TLSv1_1){ 1032 log_crypto_err("could not set SSL_OP_NO_TLSv1_1"); 1033 return 0; 1034 } 1035 #endif 1036 #if defined(SSL_OP_NO_RENEGOTIATION) 1037 /* disable client renegotiation */ 1038 if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & 1039 SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { 1040 log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); 1041 return 0; 1042 } 1043 #endif 1044 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) 1045 /* if we detect system-wide crypto policies, use those */ 1046 if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) { 1047 /* if we have sha256, set the cipher list to have no known vulns */ 1048 if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) 1049 log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); 1050 } 1051 #endif 1052 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF) 1053 /* ignore errors when peers do not send the mandatory close_notify 1054 * alert on shutdown. 1055 * Relevant for openssl >= 3 */ 1056 if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) & 1057 SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) { 1058 log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF"); 1059 return 0; 1060 } 1061 #endif 1062 1063 if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) & 1064 SSL_OP_CIPHER_SERVER_PREFERENCE) != 1065 SSL_OP_CIPHER_SERVER_PREFERENCE) { 1066 log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE"); 1067 return 0; 1068 } 1069 1070 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL 1071 SSL_CTX_set_security_level(ctx, 0); 1072 #endif 1073 #if defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) && defined(HAVE_NGHTTP2) 1074 SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb, NULL); 1075 #endif 1076 #else 1077 (void)ctxt; 1078 #endif /* HAVE_SSL */ 1079 return 1; 1080 } 1081 1082 void 1083 listen_sslctx_setup_2(void* ctxt) 1084 { 1085 #ifdef HAVE_SSL 1086 SSL_CTX* ctx = (SSL_CTX*)ctxt; 1087 (void)ctx; 1088 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO 1089 if(!SSL_CTX_set_ecdh_auto(ctx,1)) { 1090 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); 1091 } 1092 #elif defined(USE_ECDSA) 1093 if(1) { 1094 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); 1095 if (!ecdh) { 1096 log_crypto_err("could not find p256, not enabling ECDHE"); 1097 } else { 1098 if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) { 1099 log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE"); 1100 } 1101 EC_KEY_free (ecdh); 1102 } 1103 } 1104 #endif 1105 #else 1106 (void)ctxt; 1107 #endif /* HAVE_SSL */ 1108 } 1109 1110 void* listen_sslctx_create(char* key, char* pem, char* verifypem) 1111 { 1112 #ifdef HAVE_SSL 1113 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); 1114 if(!ctx) { 1115 log_crypto_err("could not SSL_CTX_new"); 1116 return NULL; 1117 } 1118 if(!key || key[0] == 0) { 1119 log_err("error: no tls-service-key file specified"); 1120 SSL_CTX_free(ctx); 1121 return NULL; 1122 } 1123 if(!pem || pem[0] == 0) { 1124 log_err("error: no tls-service-pem file specified"); 1125 SSL_CTX_free(ctx); 1126 return NULL; 1127 } 1128 if(!listen_sslctx_setup(ctx)) { 1129 SSL_CTX_free(ctx); 1130 return NULL; 1131 } 1132 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { 1133 log_err("error for cert file: %s", pem); 1134 log_crypto_err("error in SSL_CTX use_certificate_chain_file"); 1135 SSL_CTX_free(ctx); 1136 return NULL; 1137 } 1138 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { 1139 log_err("error for private key file: %s", key); 1140 log_crypto_err("Error in SSL_CTX use_PrivateKey_file"); 1141 SSL_CTX_free(ctx); 1142 return NULL; 1143 } 1144 if(!SSL_CTX_check_private_key(ctx)) { 1145 log_err("error for key file: %s", key); 1146 log_crypto_err("Error in SSL_CTX check_private_key"); 1147 SSL_CTX_free(ctx); 1148 return NULL; 1149 } 1150 listen_sslctx_setup_2(ctx); 1151 if(verifypem && verifypem[0]) { 1152 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { 1153 log_crypto_err("Error in SSL_CTX verify locations"); 1154 SSL_CTX_free(ctx); 1155 return NULL; 1156 } 1157 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file( 1158 verifypem)); 1159 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); 1160 } 1161 return ctx; 1162 #else 1163 (void)key; (void)pem; (void)verifypem; 1164 return NULL; 1165 #endif 1166 } 1167 1168 #ifdef USE_WINSOCK 1169 /* For windows, the CA trust store is not read by openssl. 1170 Add code to open the trust store using wincrypt API and add 1171 the root certs into openssl trust store */ 1172 static int 1173 add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx) 1174 { 1175 HCERTSTORE hSystemStore; 1176 PCCERT_CONTEXT pTargetCert = NULL; 1177 X509_STORE* store; 1178 1179 verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store"); 1180 1181 /* load just once per context lifetime for this version 1182 TODO: dynamically update CA trust changes as they are available */ 1183 if (!tls_ctx) 1184 return 0; 1185 1186 /* Call wincrypt's CertOpenStore to open the CA root store. */ 1187 1188 if ((hSystemStore = CertOpenStore( 1189 CERT_STORE_PROV_SYSTEM, 1190 0, 1191 0, 1192 /* NOTE: mingw does not have this const: replace with 1 << 16 from code 1193 CERT_SYSTEM_STORE_CURRENT_USER, */ 1194 1 << 16, 1195 L"root")) == 0) 1196 { 1197 return 0; 1198 } 1199 1200 store = SSL_CTX_get_cert_store(tls_ctx); 1201 if (!store) 1202 return 0; 1203 1204 /* failure if the CA store is empty or the call fails */ 1205 if ((pTargetCert = CertEnumCertificatesInStore( 1206 hSystemStore, pTargetCert)) == 0) { 1207 verbose(VERB_ALGO, "CA certificate store for Windows is empty."); 1208 return 0; 1209 } 1210 /* iterate over the windows cert store and add to openssl store */ 1211 do 1212 { 1213 X509 *cert1 = d2i_X509(NULL, 1214 (const unsigned char **)&pTargetCert->pbCertEncoded, 1215 pTargetCert->cbCertEncoded); 1216 if (!cert1) { 1217 unsigned long error = ERR_get_error(); 1218 /* return error if a cert fails */ 1219 verbose(VERB_ALGO, "%s %d:%s", 1220 "Unable to parse certificate in memory", 1221 (int)error, ERR_error_string(error, NULL)); 1222 return 0; 1223 } 1224 else { 1225 /* return error if a cert add to store fails */ 1226 if (X509_STORE_add_cert(store, cert1) == 0) { 1227 unsigned long error = ERR_peek_last_error(); 1228 1229 /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the 1230 * certificate is already in the store. */ 1231 if(ERR_GET_LIB(error) != ERR_LIB_X509 || 1232 ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) { 1233 error = ERR_get_error(); 1234 verbose(VERB_ALGO, "%s %d:%s\n", 1235 "Error adding certificate", (int)error, 1236 ERR_error_string(error, NULL)); 1237 X509_free(cert1); 1238 return 0; 1239 } 1240 } 1241 X509_free(cert1); 1242 } 1243 } while ((pTargetCert = CertEnumCertificatesInStore( 1244 hSystemStore, pTargetCert)) != 0); 1245 1246 /* Clean up memory and quit. */ 1247 if (pTargetCert) 1248 CertFreeCertificateContext(pTargetCert); 1249 if (hSystemStore) 1250 { 1251 if (!CertCloseStore( 1252 hSystemStore, 0)) 1253 return 0; 1254 } 1255 verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully"); 1256 return 1; 1257 } 1258 #endif /* USE_WINSOCK */ 1259 1260 void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert) 1261 { 1262 #ifdef HAVE_SSL 1263 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method()); 1264 if(!ctx) { 1265 log_crypto_err("could not allocate SSL_CTX pointer"); 1266 return NULL; 1267 } 1268 #if SSL_OP_NO_SSLv2 != 0 1269 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) 1270 != SSL_OP_NO_SSLv2) { 1271 log_crypto_err("could not set SSL_OP_NO_SSLv2"); 1272 SSL_CTX_free(ctx); 1273 return NULL; 1274 } 1275 #endif 1276 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) 1277 != SSL_OP_NO_SSLv3) { 1278 log_crypto_err("could not set SSL_OP_NO_SSLv3"); 1279 SSL_CTX_free(ctx); 1280 return NULL; 1281 } 1282 #if defined(SSL_OP_NO_RENEGOTIATION) 1283 /* disable client renegotiation */ 1284 if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & 1285 SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { 1286 log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); 1287 SSL_CTX_free(ctx); 1288 return 0; 1289 } 1290 #endif 1291 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF) 1292 /* ignore errors when peers do not send the mandatory close_notify 1293 * alert on shutdown. 1294 * Relevant for openssl >= 3 */ 1295 if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) & 1296 SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) { 1297 log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF"); 1298 SSL_CTX_free(ctx); 1299 return 0; 1300 } 1301 #endif 1302 if(key && key[0]) { 1303 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { 1304 log_err("error in client certificate %s", pem); 1305 log_crypto_err("error in certificate file"); 1306 SSL_CTX_free(ctx); 1307 return NULL; 1308 } 1309 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { 1310 log_err("error in client private key %s", key); 1311 log_crypto_err("error in key file"); 1312 SSL_CTX_free(ctx); 1313 return NULL; 1314 } 1315 if(!SSL_CTX_check_private_key(ctx)) { 1316 log_err("error in client key %s", key); 1317 log_crypto_err("error in SSL_CTX_check_private_key"); 1318 SSL_CTX_free(ctx); 1319 return NULL; 1320 } 1321 } 1322 if((verifypem && verifypem[0]) || wincert) { 1323 if(verifypem && verifypem[0]) { 1324 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { 1325 log_crypto_err("error in SSL_CTX verify"); 1326 SSL_CTX_free(ctx); 1327 return NULL; 1328 } 1329 } 1330 #ifdef USE_WINSOCK 1331 if(wincert) { 1332 if(!add_WIN_cacerts_to_openssl_store(ctx)) { 1333 log_crypto_err("error in add_WIN_cacerts_to_openssl_store"); 1334 SSL_CTX_free(ctx); 1335 return NULL; 1336 } 1337 } 1338 #else 1339 if(wincert) { 1340 if(!SSL_CTX_set_default_verify_paths(ctx)) { 1341 log_crypto_err("error in default_verify_paths"); 1342 SSL_CTX_free(ctx); 1343 return NULL; 1344 } 1345 } 1346 #endif 1347 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 1348 } 1349 return ctx; 1350 #else 1351 (void)key; (void)pem; (void)verifypem; (void)wincert; 1352 return NULL; 1353 #endif 1354 } 1355 1356 void* incoming_ssl_fd(void* sslctx, int fd) 1357 { 1358 #ifdef HAVE_SSL 1359 SSL* ssl = SSL_new((SSL_CTX*)sslctx); 1360 if(!ssl) { 1361 log_crypto_err("could not SSL_new"); 1362 return NULL; 1363 } 1364 SSL_set_accept_state(ssl); 1365 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); 1366 if(!SSL_set_fd(ssl, fd)) { 1367 log_crypto_err("could not SSL_set_fd"); 1368 SSL_free(ssl); 1369 return NULL; 1370 } 1371 return ssl; 1372 #else 1373 (void)sslctx; (void)fd; 1374 return NULL; 1375 #endif 1376 } 1377 1378 void* outgoing_ssl_fd(void* sslctx, int fd) 1379 { 1380 #ifdef HAVE_SSL 1381 SSL* ssl = SSL_new((SSL_CTX*)sslctx); 1382 if(!ssl) { 1383 log_crypto_err("could not SSL_new"); 1384 return NULL; 1385 } 1386 SSL_set_connect_state(ssl); 1387 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); 1388 if(!SSL_set_fd(ssl, fd)) { 1389 log_crypto_err("could not SSL_set_fd"); 1390 SSL_free(ssl); 1391 return NULL; 1392 } 1393 return ssl; 1394 #else 1395 (void)sslctx; (void)fd; 1396 return NULL; 1397 #endif 1398 } 1399 1400 int check_auth_name_for_ssl(char* auth_name) 1401 { 1402 if(!auth_name) return 1; 1403 #if defined(HAVE_SSL) && !defined(HAVE_SSL_SET1_HOST) && !defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) 1404 log_err("the query has an auth_name %s, but libssl has no call to " 1405 "perform TLS authentication. Remove that name from config " 1406 "or upgrade the ssl crypto library.", auth_name); 1407 return 0; 1408 #else 1409 return 1; 1410 #endif 1411 } 1412 1413 /** set the authname on an SSL structure, SSL* ssl */ 1414 int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni) 1415 { 1416 if(!auth_name) return 1; 1417 #ifdef HAVE_SSL 1418 if(use_sni) { 1419 (void)SSL_set_tlsext_host_name(ssl, auth_name); 1420 } 1421 #else 1422 (void)ssl; 1423 (void)use_sni; 1424 #endif 1425 #ifdef HAVE_SSL_SET1_HOST 1426 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL); 1427 /* setting the hostname makes openssl verify the 1428 * host name in the x509 certificate in the 1429 * SSL connection*/ 1430 if(!SSL_set1_host(ssl, auth_name)) { 1431 log_err("SSL_set1_host failed"); 1432 return 0; 1433 } 1434 #elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) 1435 /* openssl 1.0.2 has this function that can be used for 1436 * set1_host like verification */ 1437 if(auth_name) { 1438 X509_VERIFY_PARAM* param = SSL_get0_param(ssl); 1439 # ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 1440 X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); 1441 # endif 1442 if(!X509_VERIFY_PARAM_set1_host(param, auth_name, strlen(auth_name))) { 1443 log_err("X509_VERIFY_PARAM_set1_host failed"); 1444 return 0; 1445 } 1446 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL); 1447 } 1448 #else 1449 verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication"); 1450 #endif /* HAVE_SSL_SET1_HOST */ 1451 return 1; 1452 } 1453 1454 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1455 /** global lock list for openssl locks */ 1456 static lock_basic_type *ub_openssl_locks = NULL; 1457 1458 /** callback that gets thread id for openssl */ 1459 #ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK 1460 static void 1461 ub_crypto_id_cb(CRYPTO_THREADID *id) 1462 { 1463 CRYPTO_THREADID_set_numeric(id, (unsigned long)log_thread_get()); 1464 } 1465 #else 1466 static unsigned long 1467 ub_crypto_id_cb(void) 1468 { 1469 return (unsigned long)log_thread_get(); 1470 } 1471 #endif 1472 1473 static void 1474 ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file), 1475 int ATTR_UNUSED(line)) 1476 { 1477 if((mode&CRYPTO_LOCK)) { 1478 lock_basic_lock(&ub_openssl_locks[type]); 1479 } else { 1480 lock_basic_unlock(&ub_openssl_locks[type]); 1481 } 1482 } 1483 #endif /* OPENSSL_THREADS */ 1484 1485 int ub_openssl_lock_init(void) 1486 { 1487 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1488 int i; 1489 ub_openssl_locks = (lock_basic_type*)reallocarray( 1490 NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_type)); 1491 if(!ub_openssl_locks) 1492 return 0; 1493 for(i=0; i<CRYPTO_num_locks(); i++) { 1494 lock_basic_init(&ub_openssl_locks[i]); 1495 } 1496 # ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK 1497 CRYPTO_THREADID_set_callback(&ub_crypto_id_cb); 1498 # else 1499 CRYPTO_set_id_callback(&ub_crypto_id_cb); 1500 # endif 1501 CRYPTO_set_locking_callback(&ub_crypto_lock_cb); 1502 #endif /* OPENSSL_THREADS */ 1503 return 1; 1504 } 1505 1506 void ub_openssl_lock_delete(void) 1507 { 1508 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1509 int i; 1510 if(!ub_openssl_locks) 1511 return; 1512 # ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK 1513 CRYPTO_THREADID_set_callback(NULL); 1514 # else 1515 CRYPTO_set_id_callback(NULL); 1516 # endif 1517 CRYPTO_set_locking_callback(NULL); 1518 for(i=0; i<CRYPTO_num_locks(); i++) { 1519 lock_basic_destroy(&ub_openssl_locks[i]); 1520 } 1521 free(ub_openssl_locks); 1522 #endif /* OPENSSL_THREADS */ 1523 } 1524 1525 int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_session_ticket_keys) { 1526 #ifdef HAVE_SSL 1527 size_t s = 1; 1528 struct config_strlist* p; 1529 struct tls_session_ticket_key *keys; 1530 for(p = tls_session_ticket_keys; p; p = p->next) { 1531 s++; 1532 } 1533 keys = calloc(s, sizeof(struct tls_session_ticket_key)); 1534 if(!keys) 1535 return 0; 1536 memset(keys, 0, s*sizeof(*keys)); 1537 ticket_keys = keys; 1538 1539 for(p = tls_session_ticket_keys; p; p = p->next) { 1540 size_t n; 1541 unsigned char *data; 1542 FILE *f; 1543 1544 data = (unsigned char *)malloc(80); 1545 if(!data) 1546 return 0; 1547 1548 f = fopen(p->str, "rb"); 1549 if(!f) { 1550 log_err("could not read tls-session-ticket-key %s: %s", p->str, strerror(errno)); 1551 free(data); 1552 return 0; 1553 } 1554 n = fread(data, 1, 80, f); 1555 fclose(f); 1556 1557 if(n != 80) { 1558 log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", p->str, (int)n); 1559 free(data); 1560 return 0; 1561 } 1562 verbose(VERB_OPS, "read tls-session-ticket-key: %s", p->str); 1563 1564 keys->key_name = data; 1565 keys->aes_key = data + 16; 1566 keys->hmac_key = data + 48; 1567 keys++; 1568 } 1569 /* terminate array with NULL key name entry */ 1570 keys->key_name = NULL; 1571 # ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1572 if(SSL_CTX_set_tlsext_ticket_key_evp_cb(sslctx, tls_session_ticket_key_cb) == 0) { 1573 log_err("no support for TLS session ticket"); 1574 return 0; 1575 } 1576 # else 1577 if(SSL_CTX_set_tlsext_ticket_key_cb(sslctx, tls_session_ticket_key_cb) == 0) { 1578 log_err("no support for TLS session ticket"); 1579 return 0; 1580 } 1581 # endif 1582 return 1; 1583 #else 1584 (void)sslctx; 1585 (void)tls_session_ticket_keys; 1586 return 0; 1587 #endif 1588 1589 } 1590 1591 #ifdef HAVE_SSL 1592 int tls_session_ticket_key_cb(SSL *ATTR_UNUSED(sslctx), unsigned char* key_name, 1593 unsigned char* iv, EVP_CIPHER_CTX *evp_sctx, 1594 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1595 EVP_MAC_CTX *hmac_ctx, 1596 #else 1597 HMAC_CTX* hmac_ctx, 1598 #endif 1599 int enc) 1600 { 1601 #ifdef HAVE_SSL 1602 # ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1603 OSSL_PARAM params[3]; 1604 # else 1605 const EVP_MD *digest; 1606 # endif 1607 const EVP_CIPHER *cipher; 1608 int evp_cipher_length; 1609 # ifndef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1610 digest = EVP_sha256(); 1611 # endif 1612 cipher = EVP_aes_256_cbc(); 1613 evp_cipher_length = EVP_CIPHER_iv_length(cipher); 1614 if( enc == 1 ) { 1615 /* encrypt */ 1616 verbose(VERB_CLIENT, "start session encrypt"); 1617 memcpy(key_name, ticket_keys->key_name, 16); 1618 if (RAND_bytes(iv, evp_cipher_length) != 1) { 1619 verbose(VERB_CLIENT, "RAND_bytes failed"); 1620 return -1; 1621 } 1622 if (EVP_EncryptInit_ex(evp_sctx, cipher, NULL, ticket_keys->aes_key, iv) != 1) { 1623 verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed"); 1624 return -1; 1625 } 1626 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1627 params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, 1628 ticket_keys->hmac_key, 32); 1629 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, 1630 "sha256", 0); 1631 params[2] = OSSL_PARAM_construct_end(); 1632 #ifdef HAVE_EVP_MAC_CTX_SET_PARAMS 1633 EVP_MAC_CTX_set_params(hmac_ctx, params); 1634 #else 1635 EVP_MAC_set_ctx_params(hmac_ctx, params); 1636 #endif 1637 #elif !defined(HMAC_INIT_EX_RETURNS_VOID) 1638 if (HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL) != 1) { 1639 verbose(VERB_CLIENT, "HMAC_Init_ex failed"); 1640 return -1; 1641 } 1642 #else 1643 HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL); 1644 #endif 1645 return 1; 1646 } else if (enc == 0) { 1647 /* decrypt */ 1648 struct tls_session_ticket_key *key; 1649 verbose(VERB_CLIENT, "start session decrypt"); 1650 for(key = ticket_keys; key->key_name != NULL; key++) { 1651 if (!memcmp(key_name, key->key_name, 16)) { 1652 verbose(VERB_CLIENT, "Found session_key"); 1653 break; 1654 } 1655 } 1656 if(key->key_name == NULL) { 1657 verbose(VERB_CLIENT, "Not found session_key"); 1658 return 0; 1659 } 1660 1661 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB 1662 params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, 1663 key->hmac_key, 32); 1664 params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, 1665 "sha256", 0); 1666 params[2] = OSSL_PARAM_construct_end(); 1667 #ifdef HAVE_EVP_MAC_CTX_SET_PARAMS 1668 EVP_MAC_CTX_set_params(hmac_ctx, params); 1669 #else 1670 EVP_MAC_set_ctx_params(hmac_ctx, params); 1671 #endif 1672 #elif !defined(HMAC_INIT_EX_RETURNS_VOID) 1673 if (HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL) != 1) { 1674 verbose(VERB_CLIENT, "HMAC_Init_ex failed"); 1675 return -1; 1676 } 1677 #else 1678 HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL); 1679 #endif 1680 if (EVP_DecryptInit_ex(evp_sctx, cipher, NULL, key->aes_key, iv) != 1) { 1681 log_err("EVP_DecryptInit_ex failed"); 1682 return -1; 1683 } 1684 1685 return (key == ticket_keys) ? 1 : 2; 1686 } 1687 return -1; 1688 #else 1689 (void)key_name; 1690 (void)iv; 1691 (void)evp_sctx; 1692 (void)hmac_ctx; 1693 (void)enc; 1694 return 0; 1695 #endif 1696 } 1697 #endif /* HAVE_SSL */ 1698 1699 void 1700 listen_sslctx_delete_ticket_keys(void) 1701 { 1702 struct tls_session_ticket_key *key; 1703 if(!ticket_keys) return; 1704 for(key = ticket_keys; key->key_name != NULL; key++) { 1705 /* wipe key data from memory*/ 1706 #ifdef HAVE_EXPLICIT_BZERO 1707 explicit_bzero(key->key_name, 80); 1708 #else 1709 memset(key->key_name, 0xdd, 80); 1710 #endif 1711 free(key->key_name); 1712 } 1713 free(ticket_keys); 1714 ticket_keys = NULL; 1715 } 1716 1717 # ifndef USE_WINSOCK 1718 char* 1719 sock_strerror(int errn) 1720 { 1721 return strerror(errn); 1722 } 1723 1724 void 1725 sock_close(int socket) 1726 { 1727 close(socket); 1728 } 1729 1730 # else 1731 char* 1732 sock_strerror(int ATTR_UNUSED(errn)) 1733 { 1734 return wsa_strerror(WSAGetLastError()); 1735 } 1736 1737 void 1738 sock_close(int socket) 1739 { 1740 closesocket(socket); 1741 } 1742 # endif /* USE_WINSOCK */ 1743