2 * util/net_help.c - implementation of the network helper code
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37 * Implementation of net_help.h.
41 #include "util/net_help.h"
43 #include "util/data/dname.h"
44 #include "util/module.h"
45 #include "util/regional.h"
46 #include "sldns/parseutil.h"
47 #include "sldns/wire2str.h"
49 #ifdef HAVE_OPENSSL_SSL_H
50 #include <openssl/ssl.h>
52 #ifdef HAVE_OPENSSL_ERR_H
53 #include <openssl/err.h>
59 /** max length of an IP address (the address portion) that we allow */
60 #define MAX_ADDR_STRLEN 128 /* characters */
61 /** default value for EDNS ADVERTISED size */
62 uint16_t EDNS_ADVERTISED_SIZE = 4096;
64 /** minimal responses when positive answer: default is no */
65 int MINIMAL_RESPONSES = 0;
67 /** rrset order roundrobin: default is no */
68 int RRSET_ROUNDROBIN = 0;
70 /* returns true is string addr is an ip6 specced address */
72 str_is_ip6(const char* str)
80 fd_set_nonblock(int s)
84 if((flag = fcntl(s, F_GETFL)) == -1) {
85 log_err("can't fcntl F_GETFL: %s", strerror(errno));
89 if(fcntl(s, F_SETFL, flag) == -1) {
90 log_err("can't fcntl F_SETFL: %s", strerror(errno));
93 #elif defined(HAVE_IOCTLSOCKET)
95 if(ioctlsocket(s, FIONBIO, &on) != 0) {
96 log_err("can't ioctlsocket FIONBIO on: %s",
97 wsa_strerror(WSAGetLastError()));
108 if((flag = fcntl(s, F_GETFL)) == -1) {
109 log_err("cannot fcntl F_GETFL: %s", strerror(errno));
113 if(fcntl(s, F_SETFL, flag) == -1) {
114 log_err("cannot fcntl F_SETFL: %s", strerror(errno));
117 #elif defined(HAVE_IOCTLSOCKET)
118 unsigned long off = 0;
119 if(ioctlsocket(s, FIONBIO, &off) != 0) {
120 if(WSAGetLastError() != WSAEINVAL || verbosity >= 4)
121 log_err("can't ioctlsocket FIONBIO off: %s",
122 wsa_strerror(WSAGetLastError()));
131 if(num == 0) return 1;
132 return (num & (num-1)) == 0;
136 memdup(void* data, size_t len)
139 if(!data) return NULL;
140 if(len == 0) return NULL;
143 memcpy(d, data, len);
148 log_addr(enum verbosity_value v, const char* str,
149 struct sockaddr_storage* addr, socklen_t addrlen)
152 const char* family = "unknown";
154 int af = (int)((struct sockaddr_in*)addr)->sin_family;
155 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
159 case AF_INET: family="ip4"; break;
160 case AF_INET6: family="ip6";
161 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
165 (void)inet_ntop(af, sinaddr, dest,
166 (socklen_t)sizeof(dest));
167 verbose(v, "%s local %s", str, dest);
168 return; /* do not continue and try to get port */
171 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
172 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
174 dest[sizeof(dest)-1] = 0;
175 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
177 verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
178 (int)port, (int)addrlen);
179 else verbose(v, "%s %s port %d", str, dest, (int)port);
183 extstrtoaddr(const char* str, struct sockaddr_storage* addr,
187 int port = UNBOUND_DNS_PORT;
188 if((s=strchr(str, '@'))) {
189 char buf[MAX_ADDR_STRLEN];
190 if(s-str >= MAX_ADDR_STRLEN) {
193 (void)strlcpy(buf, str, sizeof(buf));
196 if(port == 0 && strcmp(s+1,"0")!=0) {
199 return ipstrtoaddr(buf, port, addr, addrlen);
201 return ipstrtoaddr(str, port, addr, addrlen);
206 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
213 char buf[MAX_ADDR_STRLEN];
215 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
216 *addrlen = (socklen_t)sizeof(struct sockaddr_in6);
217 memset(sa, 0, *addrlen);
218 sa->sin6_family = AF_INET6;
219 sa->sin6_port = (in_port_t)htons(p);
220 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */
221 if(s-ip >= MAX_ADDR_STRLEN)
223 (void)strlcpy(buf, ip, sizeof(buf));
225 sa->sin6_scope_id = (uint32_t)atoi(s+1);
228 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) {
232 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
233 *addrlen = (socklen_t)sizeof(struct sockaddr_in);
234 memset(sa, 0, *addrlen);
235 sa->sin_family = AF_INET;
236 sa->sin_port = (in_port_t)htons(p);
237 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) {
244 int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr,
245 socklen_t* addrlen, int* net)
249 *net = (str_is_ip6(str)?128:32);
250 if((s=strchr(str, '/'))) {
251 if(atoi(s+1) > *net) {
252 log_err("netblock too large: %s", str);
256 if(*net == 0 && strcmp(s+1, "0") != 0) {
257 log_err("cannot parse netblock: '%s'", str);
260 strlcpy(buf, str, sizeof(buf));
261 s = strchr(buf, '/');
265 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) {
266 log_err("cannot parse ip address: '%s'", str);
270 addr_mask(addr, *addrlen, *net);
275 int authextstrtoaddr(char* str, struct sockaddr_storage* addr,
276 socklen_t* addrlen, char** auth_name)
279 int port = UNBOUND_DNS_PORT;
280 if((s=strchr(str, '@'))) {
281 char buf[MAX_ADDR_STRLEN];
282 size_t len = (size_t)(s-str);
283 char* hash = strchr(s+1, '#');
289 if(len >= MAX_ADDR_STRLEN) {
292 (void)strlcpy(buf, str, sizeof(buf));
296 if(!hash && strcmp(s+1,"0")!=0)
298 if(hash && strncmp(s+1,"0#",2)!=0)
301 return ipstrtoaddr(buf, port, addr, addrlen);
303 if((s=strchr(str, '#'))) {
304 char buf[MAX_ADDR_STRLEN];
305 size_t len = (size_t)(s-str);
306 if(len >= MAX_ADDR_STRLEN) {
309 (void)strlcpy(buf, str, sizeof(buf));
311 port = UNBOUND_DNS_OVER_TLS_PORT;
313 return ipstrtoaddr(buf, port, addr, addrlen);
316 return ipstrtoaddr(str, port, addr, addrlen);
319 /** store port number into sockaddr structure */
321 sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port)
323 if(addr_is_ip6(addr, addrlen)) {
324 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
325 sa->sin6_port = (in_port_t)htons((uint16_t)port);
327 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
328 sa->sin_port = (in_port_t)htons((uint16_t)port);
333 log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
334 uint16_t type, uint16_t dclass)
336 char buf[LDNS_MAX_DOMAINLEN+1];
341 dname_str(name, buf);
342 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
343 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
344 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
345 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
346 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
347 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
348 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
349 ts = sldns_rr_descript(type)->_name;
351 snprintf(t, sizeof(t), "TYPE%d", (int)type);
354 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
355 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
356 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
358 snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
361 log_info("%s %s %s %s", str, buf, ts, cs);
364 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
365 struct sockaddr_storage* addr, socklen_t addrlen)
368 const char* family = "unknown_family ";
369 char namebuf[LDNS_MAX_DOMAINLEN+1];
371 int af = (int)((struct sockaddr_in*)addr)->sin_family;
372 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
376 case AF_INET: family=""; break;
377 case AF_INET6: family="";
378 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
380 case AF_LOCAL: family="local "; break;
383 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
384 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
386 dest[sizeof(dest)-1] = 0;
387 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
388 dname_str(zone, namebuf);
389 if(af != AF_INET && af != AF_INET6)
390 verbose(v, "%s <%s> %s%s#%d (addrlen %d)",
391 str, namebuf, family, dest, (int)port, (int)addrlen);
392 else verbose(v, "%s <%s> %s%s#%d",
393 str, namebuf, family, dest, (int)port);
396 void log_err_addr(const char* str, const char* err,
397 struct sockaddr_storage* addr, socklen_t addrlen)
401 int af = (int)((struct sockaddr_in*)addr)->sin_family;
402 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
404 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
405 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
406 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
408 dest[sizeof(dest)-1] = 0;
409 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
411 log_err("%s: %s for %s port %d (len %d)", str, err, dest,
412 (int)port, (int)addrlen);
413 else log_err("%s: %s for %s", str, err, dest);
417 sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1,
418 struct sockaddr_storage* addr2, socklen_t len2)
420 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
421 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
422 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
423 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
428 log_assert(len1 == len2);
429 if( p1_in->sin_family < p2_in->sin_family)
431 if( p1_in->sin_family > p2_in->sin_family)
433 log_assert( p1_in->sin_family == p2_in->sin_family );
435 if( p1_in->sin_family == AF_INET ) {
436 /* just order it, ntohs not required */
437 if(p1_in->sin_port < p2_in->sin_port)
439 if(p1_in->sin_port > p2_in->sin_port)
441 log_assert(p1_in->sin_port == p2_in->sin_port);
442 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
443 } else if (p1_in6->sin6_family == AF_INET6) {
444 /* just order it, ntohs not required */
445 if(p1_in6->sin6_port < p2_in6->sin6_port)
447 if(p1_in6->sin6_port > p2_in6->sin6_port)
449 log_assert(p1_in6->sin6_port == p2_in6->sin6_port);
450 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
453 /* eek unknown type, perform this comparison for sanity. */
454 return memcmp(addr1, addr2, len1);
459 sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1,
460 struct sockaddr_storage* addr2, socklen_t len2)
462 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
463 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
464 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
465 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
470 log_assert(len1 == len2);
471 if( p1_in->sin_family < p2_in->sin_family)
473 if( p1_in->sin_family > p2_in->sin_family)
475 log_assert( p1_in->sin_family == p2_in->sin_family );
477 if( p1_in->sin_family == AF_INET ) {
478 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
479 } else if (p1_in6->sin6_family == AF_INET6) {
480 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
483 /* eek unknown type, perform this comparison for sanity. */
484 return memcmp(addr1, addr2, len1);
489 addr_is_ip6(struct sockaddr_storage* addr, socklen_t len)
491 if(len == (socklen_t)sizeof(struct sockaddr_in6) &&
492 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6)
498 addr_mask(struct sockaddr_storage* addr, socklen_t len, int net)
500 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
503 if(addr_is_ip6(addr, len)) {
504 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
507 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr;
512 for(i=net/8+1; i<max/8; i++) {
515 s[net/8] &= mask[net&0x7];
519 addr_in_common(struct sockaddr_storage* addr1, int net1,
520 struct sockaddr_storage* addr2, int net2, socklen_t addrlen)
522 int min = (net1<net2)?net1:net2;
526 if(addr_is_ip6(addr1, addrlen)) {
527 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr;
528 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr;
531 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr;
532 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr;
535 /* match = bits_in_common(s1, s2, to); */
536 for(i=0; i<to; i++) {
540 uint8_t z = s1[i]^s2[i];
549 if(match > min) match = min;
554 addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
555 char* buf, size_t len)
557 int af = (int)((struct sockaddr_in*)addr)->sin_family;
558 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
559 if(addr_is_ip6(addr, addrlen))
560 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
561 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) {
562 snprintf(buf, len, "(inet_ntop_error)");
567 addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
569 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */
570 const uint8_t map_prefix[16] =
571 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0};
573 if(!addr_is_ip6(addr, addrlen))
575 /* s is 16 octet ipv6 address string */
576 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
577 return (memcmp(s, map_prefix, 12) == 0);
580 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
582 int af = (int)((struct sockaddr_in*)addr)->sin_family;
583 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
584 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
585 && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
588 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen)
590 int af = (int)((struct sockaddr_in*)addr)->sin_family;
591 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
592 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr;
593 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
594 && memcmp(sinaddr, "\000\000\000\000", 4) == 0)
596 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6)
597 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000"
598 "\000\000\000\000\000\000\000\000", 16) == 0)
603 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
604 socklen_t len, struct regional* region)
606 struct sock_list* add = (struct sock_list*)regional_alloc(region,
607 sizeof(*add) - sizeof(add->addr) + (size_t)len);
609 log_err("out of memory in socketlist insert");
616 if(len) memmove(&add->addr, addr, len);
619 void sock_list_prepend(struct sock_list** list, struct sock_list* add)
621 struct sock_list* last = add;
630 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
634 if(len == list->len) {
635 if(len == 0 || sockaddr_cmp_addr(addr, len,
636 &list->addr, list->len) == 0)
644 void sock_list_merge(struct sock_list** list, struct regional* region,
645 struct sock_list* add)
648 for(p=add; p; p=p->next) {
649 if(!sock_list_find(*list, &p->addr, p->len))
650 sock_list_insert(list, &p->addr, p->len, region);
655 log_crypto_err(const char* str)
658 /* error:[error code]:[library name]:[function name]:[reason string] */
661 ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
662 log_err("%s crypto %s", str, buf);
663 while( (e=ERR_get_error()) ) {
664 ERR_error_string_n(e, buf, sizeof(buf));
665 log_err("and additionally crypto %s", buf);
669 #endif /* HAVE_SSL */
673 listen_sslctx_setup(void* ctxt)
676 SSL_CTX* ctx = (SSL_CTX*)ctxt;
677 /* no SSLv2, SSLv3 because has defects */
678 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
680 log_crypto_err("could not set SSL_OP_NO_SSLv2");
683 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
685 log_crypto_err("could not set SSL_OP_NO_SSLv3");
688 #if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
689 /* if we have tls 1.1 disable 1.0 */
690 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
692 log_crypto_err("could not set SSL_OP_NO_TLSv1");
696 #if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
697 /* if we have tls 1.2 disable 1.1 */
698 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
699 != SSL_OP_NO_TLSv1_1){
700 log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
704 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
705 /* if we have sha256, set the cipher list to have no known vulns */
706 if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
707 log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
710 if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
711 SSL_OP_CIPHER_SERVER_PREFERENCE) !=
712 SSL_OP_CIPHER_SERVER_PREFERENCE) {
713 log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE");
717 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
718 SSL_CTX_set_security_level(ctx, 0);
722 #endif /* HAVE_SSL */
727 listen_sslctx_setup_2(void* ctxt)
730 SSL_CTX* ctx = (SSL_CTX*)ctxt;
732 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
733 if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
734 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
736 #elif defined(USE_ECDSA)
738 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
740 log_crypto_err("could not find p256, not enabling ECDHE");
742 if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
743 log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
751 #endif /* HAVE_SSL */
754 void* listen_sslctx_create(char* key, char* pem, char* verifypem)
757 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
759 log_crypto_err("could not SSL_CTX_new");
762 if(!listen_sslctx_setup(ctx)) {
766 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
767 log_err("error for cert file: %s", pem);
768 log_crypto_err("error in SSL_CTX use_certificate_chain_file");
772 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
773 log_err("error for private key file: %s", key);
774 log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
778 if(!SSL_CTX_check_private_key(ctx)) {
779 log_err("error for key file: %s", key);
780 log_crypto_err("Error in SSL_CTX check_private_key");
784 listen_sslctx_setup_2(ctx);
785 if(verifypem && verifypem[0]) {
786 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
787 log_crypto_err("Error in SSL_CTX verify locations");
791 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
793 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
797 (void)key; (void)pem; (void)verifypem;
803 /* For windows, the CA trust store is not read by openssl.
804 Add code to open the trust store using wincrypt API and add
805 the root certs into openssl trust store */
807 add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
809 HCERTSTORE hSystemStore;
810 PCCERT_CONTEXT pTargetCert = NULL;
813 verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store");
815 /* load just once per context lifetime for this version
816 TODO: dynamically update CA trust changes as they are available */
820 /* Call wincrypt's CertOpenStore to open the CA root store. */
822 if ((hSystemStore = CertOpenStore(
823 CERT_STORE_PROV_SYSTEM,
826 /* NOTE: mingw does not have this const: replace with 1 << 16 from code
827 CERT_SYSTEM_STORE_CURRENT_USER, */
834 store = SSL_CTX_get_cert_store(tls_ctx);
838 /* failure if the CA store is empty or the call fails */
839 if ((pTargetCert = CertEnumCertificatesInStore(
840 hSystemStore, pTargetCert)) == 0) {
841 verbose(VERB_ALGO, "CA certificate store for Windows is empty.");
844 /* iterate over the windows cert store and add to openssl store */
847 X509 *cert1 = d2i_X509(NULL,
848 (const unsigned char **)&pTargetCert->pbCertEncoded,
849 pTargetCert->cbCertEncoded);
851 /* return error if a cert fails */
852 verbose(VERB_ALGO, "%s %d:%s",
853 "Unable to parse certificate in memory",
854 (int)ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
858 /* return error if a cert add to store fails */
859 if (X509_STORE_add_cert(store, cert1) == 0) {
860 unsigned long error = ERR_peek_last_error();
862 /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
863 * certificate is already in the store. */
864 if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
865 ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
866 verbose(VERB_ALGO, "%s %d:%s\n",
867 "Error adding certificate", (int)ERR_get_error(),
868 ERR_error_string(ERR_get_error(), NULL));
875 } while ((pTargetCert = CertEnumCertificatesInStore(
876 hSystemStore, pTargetCert)) != 0);
878 /* Clean up memory and quit. */
880 CertFreeCertificateContext(pTargetCert);
887 verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully");
890 #endif /* USE_WINSOCK */
892 void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
895 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
897 log_crypto_err("could not allocate SSL_CTX pointer");
900 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
901 != SSL_OP_NO_SSLv2) {
902 log_crypto_err("could not set SSL_OP_NO_SSLv2");
906 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
907 != SSL_OP_NO_SSLv3) {
908 log_crypto_err("could not set SSL_OP_NO_SSLv3");
913 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
914 log_err("error in client certificate %s", pem);
915 log_crypto_err("error in certificate file");
919 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
920 log_err("error in client private key %s", key);
921 log_crypto_err("error in key file");
925 if(!SSL_CTX_check_private_key(ctx)) {
926 log_err("error in client key %s", key);
927 log_crypto_err("error in SSL_CTX_check_private_key");
932 if((verifypem && verifypem[0]) || wincert) {
933 if(verifypem && verifypem[0]) {
934 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
935 log_crypto_err("error in SSL_CTX verify");
942 if(!add_WIN_cacerts_to_openssl_store(ctx)) {
943 log_crypto_err("error in add_WIN_cacerts_to_openssl_store");
951 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
955 (void)key; (void)pem; (void)verifypem; (void)wincert;
960 void* incoming_ssl_fd(void* sslctx, int fd)
963 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
965 log_crypto_err("could not SSL_new");
968 SSL_set_accept_state(ssl);
969 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
970 if(!SSL_set_fd(ssl, fd)) {
971 log_crypto_err("could not SSL_set_fd");
977 (void)sslctx; (void)fd;
982 void* outgoing_ssl_fd(void* sslctx, int fd)
985 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
987 log_crypto_err("could not SSL_new");
990 SSL_set_connect_state(ssl);
991 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
992 if(!SSL_set_fd(ssl, fd)) {
993 log_crypto_err("could not SSL_set_fd");
999 (void)sslctx; (void)fd;
1004 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1005 /** global lock list for openssl locks */
1006 static lock_basic_type *ub_openssl_locks = NULL;
1008 /** callback that gets thread id for openssl */
1009 static unsigned long
1010 ub_crypto_id_cb(void)
1012 return (unsigned long)log_thread_get();
1016 ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
1017 int ATTR_UNUSED(line))
1019 if((mode&CRYPTO_LOCK)) {
1020 lock_basic_lock(&ub_openssl_locks[type]);
1022 lock_basic_unlock(&ub_openssl_locks[type]);
1025 #endif /* OPENSSL_THREADS */
1027 int ub_openssl_lock_init(void)
1029 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1031 ub_openssl_locks = (lock_basic_type*)reallocarray(
1032 NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_type));
1033 if(!ub_openssl_locks)
1035 for(i=0; i<CRYPTO_num_locks(); i++) {
1036 lock_basic_init(&ub_openssl_locks[i]);
1038 CRYPTO_set_id_callback(&ub_crypto_id_cb);
1039 CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
1040 #endif /* OPENSSL_THREADS */
1044 void ub_openssl_lock_delete(void)
1046 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1048 if(!ub_openssl_locks)
1050 CRYPTO_set_id_callback(NULL);
1051 CRYPTO_set_locking_callback(NULL);
1052 for(i=0; i<CRYPTO_num_locks(); i++) {
1053 lock_basic_destroy(&ub_openssl_locks[i]);
1055 free(ub_openssl_locks);
1056 #endif /* OPENSSL_THREADS */