2 * util/net_help.c - implementation of the network helper code
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37 * Implementation of net_help.h.
41 #include "util/net_help.h"
43 #include "util/data/dname.h"
44 #include "util/module.h"
45 #include "util/regional.h"
46 #include "sldns/parseutil.h"
47 #include "sldns/wire2str.h"
49 #ifdef HAVE_OPENSSL_SSL_H
50 #include <openssl/ssl.h>
52 #ifdef HAVE_OPENSSL_ERR_H
53 #include <openssl/err.h>
56 /** max length of an IP address (the address portion) that we allow */
57 #define MAX_ADDR_STRLEN 128 /* characters */
58 /** default value for EDNS ADVERTISED size */
59 uint16_t EDNS_ADVERTISED_SIZE = 4096;
61 /** minimal responses when positive answer: default is no */
62 int MINIMAL_RESPONSES = 0;
64 /** rrset order roundrobin: default is no */
65 int RRSET_ROUNDROBIN = 0;
67 /* returns true is string addr is an ip6 specced address */
69 str_is_ip6(const char* str)
77 fd_set_nonblock(int s)
81 if((flag = fcntl(s, F_GETFL)) == -1) {
82 log_err("can't fcntl F_GETFL: %s", strerror(errno));
86 if(fcntl(s, F_SETFL, flag) == -1) {
87 log_err("can't fcntl F_SETFL: %s", strerror(errno));
90 #elif defined(HAVE_IOCTLSOCKET)
92 if(ioctlsocket(s, FIONBIO, &on) != 0) {
93 log_err("can't ioctlsocket FIONBIO on: %s",
94 wsa_strerror(WSAGetLastError()));
105 if((flag = fcntl(s, F_GETFL)) == -1) {
106 log_err("cannot fcntl F_GETFL: %s", strerror(errno));
110 if(fcntl(s, F_SETFL, flag) == -1) {
111 log_err("cannot fcntl F_SETFL: %s", strerror(errno));
114 #elif defined(HAVE_IOCTLSOCKET)
115 unsigned long off = 0;
116 if(ioctlsocket(s, FIONBIO, &off) != 0) {
117 if(WSAGetLastError() != WSAEINVAL || verbosity >= 4)
118 log_err("can't ioctlsocket FIONBIO off: %s",
119 wsa_strerror(WSAGetLastError()));
128 if(num == 0) return 1;
129 return (num & (num-1)) == 0;
133 memdup(void* data, size_t len)
136 if(!data) return NULL;
137 if(len == 0) return NULL;
140 memcpy(d, data, len);
145 log_addr(enum verbosity_value v, const char* str,
146 struct sockaddr_storage* addr, socklen_t addrlen)
149 const char* family = "unknown";
151 int af = (int)((struct sockaddr_in*)addr)->sin_family;
152 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
156 case AF_INET: family="ip4"; break;
157 case AF_INET6: family="ip6";
158 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
162 (void)inet_ntop(af, sinaddr, dest,
163 (socklen_t)sizeof(dest));
164 verbose(v, "%s local %s", str, dest);
165 return; /* do not continue and try to get port */
168 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
169 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
171 dest[sizeof(dest)-1] = 0;
172 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
174 verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
175 (int)port, (int)addrlen);
176 else verbose(v, "%s %s port %d", str, dest, (int)port);
180 extstrtoaddr(const char* str, struct sockaddr_storage* addr,
184 int port = UNBOUND_DNS_PORT;
185 if((s=strchr(str, '@'))) {
186 char buf[MAX_ADDR_STRLEN];
187 if(s-str >= MAX_ADDR_STRLEN) {
190 (void)strlcpy(buf, str, sizeof(buf));
193 if(port == 0 && strcmp(s+1,"0")!=0) {
196 return ipstrtoaddr(buf, port, addr, addrlen);
198 return ipstrtoaddr(str, port, addr, addrlen);
203 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
210 char buf[MAX_ADDR_STRLEN];
212 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
213 *addrlen = (socklen_t)sizeof(struct sockaddr_in6);
214 memset(sa, 0, *addrlen);
215 sa->sin6_family = AF_INET6;
216 sa->sin6_port = (in_port_t)htons(p);
217 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */
218 if(s-ip >= MAX_ADDR_STRLEN)
220 (void)strlcpy(buf, ip, sizeof(buf));
222 sa->sin6_scope_id = (uint32_t)atoi(s+1);
225 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) {
229 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
230 *addrlen = (socklen_t)sizeof(struct sockaddr_in);
231 memset(sa, 0, *addrlen);
232 sa->sin_family = AF_INET;
233 sa->sin_port = (in_port_t)htons(p);
234 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) {
241 int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr,
242 socklen_t* addrlen, int* net)
246 *net = (str_is_ip6(str)?128:32);
247 if((s=strchr(str, '/'))) {
248 if(atoi(s+1) > *net) {
249 log_err("netblock too large: %s", str);
253 if(*net == 0 && strcmp(s+1, "0") != 0) {
254 log_err("cannot parse netblock: '%s'", str);
257 strlcpy(buf, str, sizeof(buf));
258 s = strchr(buf, '/');
262 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) {
263 log_err("cannot parse ip address: '%s'", str);
267 addr_mask(addr, *addrlen, *net);
272 int authextstrtoaddr(char* str, struct sockaddr_storage* addr,
273 socklen_t* addrlen, char** auth_name)
276 int port = UNBOUND_DNS_PORT;
277 if((s=strchr(str, '@'))) {
278 char buf[MAX_ADDR_STRLEN];
279 size_t len = (size_t)(s-str);
280 char* hash = strchr(s+1, '#');
286 if(len >= MAX_ADDR_STRLEN) {
289 (void)strlcpy(buf, str, sizeof(buf));
293 if(!hash && strcmp(s+1,"0")!=0)
295 if(hash && strncmp(s+1,"0#",2)!=0)
298 return ipstrtoaddr(buf, port, addr, addrlen);
300 if((s=strchr(str, '#'))) {
301 char buf[MAX_ADDR_STRLEN];
302 size_t len = (size_t)(s-str);
303 if(len >= MAX_ADDR_STRLEN) {
306 (void)strlcpy(buf, str, sizeof(buf));
308 port = UNBOUND_DNS_OVER_TLS_PORT;
310 return ipstrtoaddr(buf, port, addr, addrlen);
313 return ipstrtoaddr(str, port, addr, addrlen);
316 /** store port number into sockaddr structure */
318 sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port)
320 if(addr_is_ip6(addr, addrlen)) {
321 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
322 sa->sin6_port = (in_port_t)htons((uint16_t)port);
324 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
325 sa->sin_port = (in_port_t)htons((uint16_t)port);
330 log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
331 uint16_t type, uint16_t dclass)
333 char buf[LDNS_MAX_DOMAINLEN+1];
338 dname_str(name, buf);
339 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
340 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
341 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
342 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
343 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
344 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
345 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
346 ts = sldns_rr_descript(type)->_name;
348 snprintf(t, sizeof(t), "TYPE%d", (int)type);
351 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
352 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
353 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
355 snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
358 log_info("%s %s %s %s", str, buf, ts, cs);
361 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
362 struct sockaddr_storage* addr, socklen_t addrlen)
365 const char* family = "unknown_family ";
366 char namebuf[LDNS_MAX_DOMAINLEN+1];
368 int af = (int)((struct sockaddr_in*)addr)->sin_family;
369 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
373 case AF_INET: family=""; break;
374 case AF_INET6: family="";
375 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
377 case AF_LOCAL: family="local "; break;
380 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
381 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
383 dest[sizeof(dest)-1] = 0;
384 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
385 dname_str(zone, namebuf);
386 if(af != AF_INET && af != AF_INET6)
387 verbose(v, "%s <%s> %s%s#%d (addrlen %d)",
388 str, namebuf, family, dest, (int)port, (int)addrlen);
389 else verbose(v, "%s <%s> %s%s#%d",
390 str, namebuf, family, dest, (int)port);
393 void log_err_addr(const char* str, const char* err,
394 struct sockaddr_storage* addr, socklen_t addrlen)
398 int af = (int)((struct sockaddr_in*)addr)->sin_family;
399 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
401 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
402 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
403 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
405 dest[sizeof(dest)-1] = 0;
406 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
408 log_err("%s: %s for %s port %d (len %d)", str, err, dest,
409 (int)port, (int)addrlen);
410 else log_err("%s: %s for %s", str, err, dest);
414 sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1,
415 struct sockaddr_storage* addr2, socklen_t len2)
417 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
418 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
419 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
420 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
425 log_assert(len1 == len2);
426 if( p1_in->sin_family < p2_in->sin_family)
428 if( p1_in->sin_family > p2_in->sin_family)
430 log_assert( p1_in->sin_family == p2_in->sin_family );
432 if( p1_in->sin_family == AF_INET ) {
433 /* just order it, ntohs not required */
434 if(p1_in->sin_port < p2_in->sin_port)
436 if(p1_in->sin_port > p2_in->sin_port)
438 log_assert(p1_in->sin_port == p2_in->sin_port);
439 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
440 } else if (p1_in6->sin6_family == AF_INET6) {
441 /* just order it, ntohs not required */
442 if(p1_in6->sin6_port < p2_in6->sin6_port)
444 if(p1_in6->sin6_port > p2_in6->sin6_port)
446 log_assert(p1_in6->sin6_port == p2_in6->sin6_port);
447 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
450 /* eek unknown type, perform this comparison for sanity. */
451 return memcmp(addr1, addr2, len1);
456 sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1,
457 struct sockaddr_storage* addr2, socklen_t len2)
459 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
460 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
461 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
462 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
467 log_assert(len1 == len2);
468 if( p1_in->sin_family < p2_in->sin_family)
470 if( p1_in->sin_family > p2_in->sin_family)
472 log_assert( p1_in->sin_family == p2_in->sin_family );
474 if( p1_in->sin_family == AF_INET ) {
475 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
476 } else if (p1_in6->sin6_family == AF_INET6) {
477 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
480 /* eek unknown type, perform this comparison for sanity. */
481 return memcmp(addr1, addr2, len1);
486 addr_is_ip6(struct sockaddr_storage* addr, socklen_t len)
488 if(len == (socklen_t)sizeof(struct sockaddr_in6) &&
489 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6)
495 addr_mask(struct sockaddr_storage* addr, socklen_t len, int net)
497 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
500 if(addr_is_ip6(addr, len)) {
501 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
504 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr;
509 for(i=net/8+1; i<max/8; i++) {
512 s[net/8] &= mask[net&0x7];
516 addr_in_common(struct sockaddr_storage* addr1, int net1,
517 struct sockaddr_storage* addr2, int net2, socklen_t addrlen)
519 int min = (net1<net2)?net1:net2;
523 if(addr_is_ip6(addr1, addrlen)) {
524 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr;
525 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr;
528 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr;
529 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr;
532 /* match = bits_in_common(s1, s2, to); */
533 for(i=0; i<to; i++) {
537 uint8_t z = s1[i]^s2[i];
546 if(match > min) match = min;
551 addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
552 char* buf, size_t len)
554 int af = (int)((struct sockaddr_in*)addr)->sin_family;
555 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
556 if(addr_is_ip6(addr, addrlen))
557 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
558 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) {
559 snprintf(buf, len, "(inet_ntop_error)");
564 addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
566 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */
567 const uint8_t map_prefix[16] =
568 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0};
570 if(!addr_is_ip6(addr, addrlen))
572 /* s is 16 octet ipv6 address string */
573 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
574 return (memcmp(s, map_prefix, 12) == 0);
577 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
579 int af = (int)((struct sockaddr_in*)addr)->sin_family;
580 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
581 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
582 && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
585 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen)
587 int af = (int)((struct sockaddr_in*)addr)->sin_family;
588 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
589 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr;
590 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
591 && memcmp(sinaddr, "\000\000\000\000", 4) == 0)
593 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6)
594 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000"
595 "\000\000\000\000\000\000\000\000", 16) == 0)
600 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
601 socklen_t len, struct regional* region)
603 struct sock_list* add = (struct sock_list*)regional_alloc(region,
604 sizeof(*add) - sizeof(add->addr) + (size_t)len);
606 log_err("out of memory in socketlist insert");
613 if(len) memmove(&add->addr, addr, len);
616 void sock_list_prepend(struct sock_list** list, struct sock_list* add)
618 struct sock_list* last = add;
627 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
631 if(len == list->len) {
632 if(len == 0 || sockaddr_cmp_addr(addr, len,
633 &list->addr, list->len) == 0)
641 void sock_list_merge(struct sock_list** list, struct regional* region,
642 struct sock_list* add)
645 for(p=add; p; p=p->next) {
646 if(!sock_list_find(*list, &p->addr, p->len))
647 sock_list_insert(list, &p->addr, p->len, region);
652 log_crypto_err(const char* str)
655 /* error:[error code]:[library name]:[function name]:[reason string] */
658 ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
659 log_err("%s crypto %s", str, buf);
660 while( (e=ERR_get_error()) ) {
661 ERR_error_string_n(e, buf, sizeof(buf));
662 log_err("and additionally crypto %s", buf);
666 #endif /* HAVE_SSL */
670 listen_sslctx_setup(void* ctxt)
673 SSL_CTX* ctx = (SSL_CTX*)ctxt;
674 /* no SSLv2, SSLv3 because has defects */
675 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
677 log_crypto_err("could not set SSL_OP_NO_SSLv2");
680 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
682 log_crypto_err("could not set SSL_OP_NO_SSLv3");
685 #if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
686 /* if we have tls 1.1 disable 1.0 */
687 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
689 log_crypto_err("could not set SSL_OP_NO_TLSv1");
693 #if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
694 /* if we have tls 1.2 disable 1.1 */
695 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
696 != SSL_OP_NO_TLSv1_1){
697 log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
701 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
702 /* if we have sha256, set the cipher list to have no known vulns */
703 if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
704 log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
707 if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
708 SSL_OP_CIPHER_SERVER_PREFERENCE) !=
709 SSL_OP_CIPHER_SERVER_PREFERENCE) {
710 log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE");
714 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
715 SSL_CTX_set_security_level(ctx, 0);
719 #endif /* HAVE_SSL */
724 listen_sslctx_setup_2(void* ctxt)
727 SSL_CTX* ctx = (SSL_CTX*)ctxt;
729 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
730 if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
731 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
733 #elif defined(USE_ECDSA)
735 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
737 log_crypto_err("could not find p256, not enabling ECDHE");
739 if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
740 log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
748 #endif /* HAVE_SSL */
751 void* listen_sslctx_create(char* key, char* pem, char* verifypem)
754 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
756 log_crypto_err("could not SSL_CTX_new");
759 if(!listen_sslctx_setup(ctx)) {
763 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
764 log_err("error for cert file: %s", pem);
765 log_crypto_err("error in SSL_CTX use_certificate_chain_file");
769 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
770 log_err("error for private key file: %s", key);
771 log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
775 if(!SSL_CTX_check_private_key(ctx)) {
776 log_err("error for key file: %s", key);
777 log_crypto_err("Error in SSL_CTX check_private_key");
781 listen_sslctx_setup_2(ctx);
782 if(verifypem && verifypem[0]) {
783 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
784 log_crypto_err("Error in SSL_CTX verify locations");
788 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
790 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
794 (void)key; (void)pem; (void)verifypem;
799 void* connect_sslctx_create(char* key, char* pem, char* verifypem)
802 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
804 log_crypto_err("could not allocate SSL_CTX pointer");
807 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
808 != SSL_OP_NO_SSLv2) {
809 log_crypto_err("could not set SSL_OP_NO_SSLv2");
813 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
814 != SSL_OP_NO_SSLv3) {
815 log_crypto_err("could not set SSL_OP_NO_SSLv3");
820 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
821 log_err("error in client certificate %s", pem);
822 log_crypto_err("error in certificate file");
826 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
827 log_err("error in client private key %s", key);
828 log_crypto_err("error in key file");
832 if(!SSL_CTX_check_private_key(ctx)) {
833 log_err("error in client key %s", key);
834 log_crypto_err("error in SSL_CTX_check_private_key");
839 if(verifypem && verifypem[0]) {
840 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
841 log_crypto_err("error in SSL_CTX verify");
845 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
849 (void)key; (void)pem; (void)verifypem;
854 void* incoming_ssl_fd(void* sslctx, int fd)
857 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
859 log_crypto_err("could not SSL_new");
862 SSL_set_accept_state(ssl);
863 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
864 if(!SSL_set_fd(ssl, fd)) {
865 log_crypto_err("could not SSL_set_fd");
871 (void)sslctx; (void)fd;
876 void* outgoing_ssl_fd(void* sslctx, int fd)
879 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
881 log_crypto_err("could not SSL_new");
884 SSL_set_connect_state(ssl);
885 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
886 if(!SSL_set_fd(ssl, fd)) {
887 log_crypto_err("could not SSL_set_fd");
893 (void)sslctx; (void)fd;
898 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
899 /** global lock list for openssl locks */
900 static lock_basic_type *ub_openssl_locks = NULL;
902 /** callback that gets thread id for openssl */
904 ub_crypto_id_cb(void)
906 return (unsigned long)log_thread_get();
910 ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
911 int ATTR_UNUSED(line))
913 if((mode&CRYPTO_LOCK)) {
914 lock_basic_lock(&ub_openssl_locks[type]);
916 lock_basic_unlock(&ub_openssl_locks[type]);
919 #endif /* OPENSSL_THREADS */
921 int ub_openssl_lock_init(void)
923 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
925 ub_openssl_locks = (lock_basic_type*)reallocarray(
926 NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_type));
927 if(!ub_openssl_locks)
929 for(i=0; i<CRYPTO_num_locks(); i++) {
930 lock_basic_init(&ub_openssl_locks[i]);
932 CRYPTO_set_id_callback(&ub_crypto_id_cb);
933 CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
934 #endif /* OPENSSL_THREADS */
938 void ub_openssl_lock_delete(void)
940 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
942 if(!ub_openssl_locks)
944 CRYPTO_set_id_callback(NULL);
945 CRYPTO_set_locking_callback(NULL);
946 for(i=0; i<CRYPTO_num_locks(); i++) {
947 lock_basic_destroy(&ub_openssl_locks[i]);
949 free(ub_openssl_locks);
950 #endif /* OPENSSL_THREADS */