2 * util/net_help.c - implementation of the network helper code
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37 * Implementation of net_help.h.
41 #include "util/net_help.h"
43 #include "util/data/dname.h"
44 #include "util/module.h"
45 #include "util/regional.h"
46 #include "util/config_file.h"
47 #include "sldns/parseutil.h"
48 #include "sldns/wire2str.h"
50 #ifdef HAVE_OPENSSL_SSL_H
51 #include <openssl/ssl.h>
52 #include <openssl/evp.h>
53 #include <openssl/rand.h>
55 #ifdef HAVE_OPENSSL_ERR_H
56 #include <openssl/err.h>
62 /** max length of an IP address (the address portion) that we allow */
63 #define MAX_ADDR_STRLEN 128 /* characters */
64 /** default value for EDNS ADVERTISED size */
65 uint16_t EDNS_ADVERTISED_SIZE = 4096;
67 /** minimal responses when positive answer: default is no */
68 int MINIMAL_RESPONSES = 0;
70 /** rrset order roundrobin: default is no */
71 int RRSET_ROUNDROBIN = 0;
73 /** log tag queries with name instead of 'info' for filtering */
74 int LOG_TAG_QUERYREPLY = 0;
76 static struct tls_session_ticket_key {
77 unsigned char *key_name;
78 unsigned char *aes_key;
79 unsigned char *hmac_key;
82 /* returns true is string addr is an ip6 specced address */
84 str_is_ip6(const char* str)
92 fd_set_nonblock(int s)
96 if((flag = fcntl(s, F_GETFL)) == -1) {
97 log_err("can't fcntl F_GETFL: %s", strerror(errno));
101 if(fcntl(s, F_SETFL, flag) == -1) {
102 log_err("can't fcntl F_SETFL: %s", strerror(errno));
105 #elif defined(HAVE_IOCTLSOCKET)
106 unsigned long on = 1;
107 if(ioctlsocket(s, FIONBIO, &on) != 0) {
108 log_err("can't ioctlsocket FIONBIO on: %s",
109 wsa_strerror(WSAGetLastError()));
120 if((flag = fcntl(s, F_GETFL)) == -1) {
121 log_err("cannot fcntl F_GETFL: %s", strerror(errno));
125 if(fcntl(s, F_SETFL, flag) == -1) {
126 log_err("cannot fcntl F_SETFL: %s", strerror(errno));
129 #elif defined(HAVE_IOCTLSOCKET)
130 unsigned long off = 0;
131 if(ioctlsocket(s, FIONBIO, &off) != 0) {
132 if(WSAGetLastError() != WSAEINVAL || verbosity >= 4)
133 log_err("can't ioctlsocket FIONBIO off: %s",
134 wsa_strerror(WSAGetLastError()));
143 if(num == 0) return 1;
144 return (num & (num-1)) == 0;
148 memdup(void* data, size_t len)
151 if(!data) return NULL;
152 if(len == 0) return NULL;
155 memcpy(d, data, len);
160 log_addr(enum verbosity_value v, const char* str,
161 struct sockaddr_storage* addr, socklen_t addrlen)
164 const char* family = "unknown";
166 int af = (int)((struct sockaddr_in*)addr)->sin_family;
167 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
171 case AF_INET: family="ip4"; break;
172 case AF_INET6: family="ip6";
173 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
177 (void)inet_ntop(af, sinaddr, dest,
178 (socklen_t)sizeof(dest));
179 verbose(v, "%s local %s", str, dest);
180 return; /* do not continue and try to get port */
183 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
184 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
186 dest[sizeof(dest)-1] = 0;
187 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
189 verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
190 (int)port, (int)addrlen);
191 else verbose(v, "%s %s port %d", str, dest, (int)port);
195 extstrtoaddr(const char* str, struct sockaddr_storage* addr,
199 int port = UNBOUND_DNS_PORT;
200 if((s=strchr(str, '@'))) {
201 char buf[MAX_ADDR_STRLEN];
202 if(s-str >= MAX_ADDR_STRLEN) {
205 (void)strlcpy(buf, str, sizeof(buf));
208 if(port == 0 && strcmp(s+1,"0")!=0) {
211 return ipstrtoaddr(buf, port, addr, addrlen);
213 return ipstrtoaddr(str, port, addr, addrlen);
218 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
225 char buf[MAX_ADDR_STRLEN];
227 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
228 *addrlen = (socklen_t)sizeof(struct sockaddr_in6);
229 memset(sa, 0, *addrlen);
230 sa->sin6_family = AF_INET6;
231 sa->sin6_port = (in_port_t)htons(p);
232 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */
233 if(s-ip >= MAX_ADDR_STRLEN)
235 (void)strlcpy(buf, ip, sizeof(buf));
237 sa->sin6_scope_id = (uint32_t)atoi(s+1);
240 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) {
244 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
245 *addrlen = (socklen_t)sizeof(struct sockaddr_in);
246 memset(sa, 0, *addrlen);
247 sa->sin_family = AF_INET;
248 sa->sin_port = (in_port_t)htons(p);
249 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) {
256 int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr,
257 socklen_t* addrlen, int* net)
261 *net = (str_is_ip6(str)?128:32);
262 if((s=strchr(str, '/'))) {
263 if(atoi(s+1) > *net) {
264 log_err("netblock too large: %s", str);
268 if(*net == 0 && strcmp(s+1, "0") != 0) {
269 log_err("cannot parse netblock: '%s'", str);
272 strlcpy(buf, str, sizeof(buf));
273 s = strchr(buf, '/');
277 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) {
278 log_err("cannot parse ip address: '%s'", str);
282 addr_mask(addr, *addrlen, *net);
287 int authextstrtoaddr(char* str, struct sockaddr_storage* addr,
288 socklen_t* addrlen, char** auth_name)
291 int port = UNBOUND_DNS_PORT;
292 if((s=strchr(str, '@'))) {
293 char buf[MAX_ADDR_STRLEN];
294 size_t len = (size_t)(s-str);
295 char* hash = strchr(s+1, '#');
301 if(len >= MAX_ADDR_STRLEN) {
304 (void)strlcpy(buf, str, sizeof(buf));
308 if(!hash && strcmp(s+1,"0")!=0)
310 if(hash && strncmp(s+1,"0#",2)!=0)
313 return ipstrtoaddr(buf, port, addr, addrlen);
315 if((s=strchr(str, '#'))) {
316 char buf[MAX_ADDR_STRLEN];
317 size_t len = (size_t)(s-str);
318 if(len >= MAX_ADDR_STRLEN) {
321 (void)strlcpy(buf, str, sizeof(buf));
323 port = UNBOUND_DNS_OVER_TLS_PORT;
325 return ipstrtoaddr(buf, port, addr, addrlen);
328 return ipstrtoaddr(str, port, addr, addrlen);
331 /** store port number into sockaddr structure */
333 sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port)
335 if(addr_is_ip6(addr, addrlen)) {
336 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
337 sa->sin6_port = (in_port_t)htons((uint16_t)port);
339 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
340 sa->sin_port = (in_port_t)htons((uint16_t)port);
345 log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
346 uint16_t type, uint16_t dclass)
348 char buf[LDNS_MAX_DOMAINLEN+1];
353 dname_str(name, buf);
354 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
355 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
356 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
357 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
358 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
359 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
360 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
361 ts = sldns_rr_descript(type)->_name;
363 snprintf(t, sizeof(t), "TYPE%d", (int)type);
366 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
367 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
368 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
370 snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
373 log_info("%s %s %s %s", str, buf, ts, cs);
377 log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass)
379 char buf[LDNS_MAX_DOMAINLEN+1];
382 dname_str(name, buf);
383 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
384 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
385 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
386 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
387 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
388 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
389 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
390 ts = sldns_rr_descript(type)->_name;
392 snprintf(t, sizeof(t), "TYPE%d", (int)type);
395 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
396 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
397 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
399 snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
402 if(LOG_TAG_QUERYREPLY)
403 log_query("%s %s %s %s", str, buf, ts, cs);
404 else log_info("%s %s %s %s", str, buf, ts, cs);
407 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
408 struct sockaddr_storage* addr, socklen_t addrlen)
411 const char* family = "unknown_family ";
412 char namebuf[LDNS_MAX_DOMAINLEN+1];
414 int af = (int)((struct sockaddr_in*)addr)->sin_family;
415 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
419 case AF_INET: family=""; break;
420 case AF_INET6: family="";
421 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
423 case AF_LOCAL: family="local "; break;
426 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
427 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
429 dest[sizeof(dest)-1] = 0;
430 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
431 dname_str(zone, namebuf);
432 if(af != AF_INET && af != AF_INET6)
433 verbose(v, "%s <%s> %s%s#%d (addrlen %d)",
434 str, namebuf, family, dest, (int)port, (int)addrlen);
435 else verbose(v, "%s <%s> %s%s#%d",
436 str, namebuf, family, dest, (int)port);
439 void log_err_addr(const char* str, const char* err,
440 struct sockaddr_storage* addr, socklen_t addrlen)
444 int af = (int)((struct sockaddr_in*)addr)->sin_family;
445 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
447 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
448 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
449 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
451 dest[sizeof(dest)-1] = 0;
452 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
454 log_err("%s: %s for %s port %d (len %d)", str, err, dest,
455 (int)port, (int)addrlen);
456 else log_err("%s: %s for %s port %d", str, err, dest, (int)port);
460 sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1,
461 struct sockaddr_storage* addr2, socklen_t len2)
463 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
464 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
465 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
466 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
471 log_assert(len1 == len2);
472 if( p1_in->sin_family < p2_in->sin_family)
474 if( p1_in->sin_family > p2_in->sin_family)
476 log_assert( p1_in->sin_family == p2_in->sin_family );
478 if( p1_in->sin_family == AF_INET ) {
479 /* just order it, ntohs not required */
480 if(p1_in->sin_port < p2_in->sin_port)
482 if(p1_in->sin_port > p2_in->sin_port)
484 log_assert(p1_in->sin_port == p2_in->sin_port);
485 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
486 } else if (p1_in6->sin6_family == AF_INET6) {
487 /* just order it, ntohs not required */
488 if(p1_in6->sin6_port < p2_in6->sin6_port)
490 if(p1_in6->sin6_port > p2_in6->sin6_port)
492 log_assert(p1_in6->sin6_port == p2_in6->sin6_port);
493 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
496 /* eek unknown type, perform this comparison for sanity. */
497 return memcmp(addr1, addr2, len1);
502 sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1,
503 struct sockaddr_storage* addr2, socklen_t len2)
505 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
506 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
507 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
508 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
513 log_assert(len1 == len2);
514 if( p1_in->sin_family < p2_in->sin_family)
516 if( p1_in->sin_family > p2_in->sin_family)
518 log_assert( p1_in->sin_family == p2_in->sin_family );
520 if( p1_in->sin_family == AF_INET ) {
521 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
522 } else if (p1_in6->sin6_family == AF_INET6) {
523 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
526 /* eek unknown type, perform this comparison for sanity. */
527 return memcmp(addr1, addr2, len1);
532 addr_is_ip6(struct sockaddr_storage* addr, socklen_t len)
534 if(len == (socklen_t)sizeof(struct sockaddr_in6) &&
535 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6)
541 addr_mask(struct sockaddr_storage* addr, socklen_t len, int net)
543 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
546 if(addr_is_ip6(addr, len)) {
547 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
550 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr;
555 for(i=net/8+1; i<max/8; i++) {
558 s[net/8] &= mask[net&0x7];
562 addr_in_common(struct sockaddr_storage* addr1, int net1,
563 struct sockaddr_storage* addr2, int net2, socklen_t addrlen)
565 int min = (net1<net2)?net1:net2;
569 if(addr_is_ip6(addr1, addrlen)) {
570 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr;
571 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr;
574 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr;
575 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr;
578 /* match = bits_in_common(s1, s2, to); */
579 for(i=0; i<to; i++) {
583 uint8_t z = s1[i]^s2[i];
592 if(match > min) match = min;
597 addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
598 char* buf, size_t len)
600 int af = (int)((struct sockaddr_in*)addr)->sin_family;
601 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
602 if(addr_is_ip6(addr, addrlen))
603 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
604 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) {
605 snprintf(buf, len, "(inet_ntop_error)");
610 addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
612 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */
613 const uint8_t map_prefix[16] =
614 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0};
616 if(!addr_is_ip6(addr, addrlen))
618 /* s is 16 octet ipv6 address string */
619 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
620 return (memcmp(s, map_prefix, 12) == 0);
623 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
625 int af = (int)((struct sockaddr_in*)addr)->sin_family;
626 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
627 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
628 && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
631 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen)
633 int af = (int)((struct sockaddr_in*)addr)->sin_family;
634 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
635 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr;
636 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
637 && memcmp(sinaddr, "\000\000\000\000", 4) == 0)
639 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6)
640 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000"
641 "\000\000\000\000\000\000\000\000", 16) == 0)
646 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
647 socklen_t len, struct regional* region)
649 struct sock_list* add = (struct sock_list*)regional_alloc(region,
650 sizeof(*add) - sizeof(add->addr) + (size_t)len);
652 log_err("out of memory in socketlist insert");
659 if(len) memmove(&add->addr, addr, len);
662 void sock_list_prepend(struct sock_list** list, struct sock_list* add)
664 struct sock_list* last = add;
673 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
677 if(len == list->len) {
678 if(len == 0 || sockaddr_cmp_addr(addr, len,
679 &list->addr, list->len) == 0)
687 void sock_list_merge(struct sock_list** list, struct regional* region,
688 struct sock_list* add)
691 for(p=add; p; p=p->next) {
692 if(!sock_list_find(*list, &p->addr, p->len))
693 sock_list_insert(list, &p->addr, p->len, region);
698 log_crypto_err(const char* str)
701 /* error:[error code]:[library name]:[function name]:[reason string] */
704 ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
705 log_err("%s crypto %s", str, buf);
706 while( (e=ERR_get_error()) ) {
707 ERR_error_string_n(e, buf, sizeof(buf));
708 log_err("and additionally crypto %s", buf);
712 #endif /* HAVE_SSL */
716 listen_sslctx_setup(void* ctxt)
719 SSL_CTX* ctx = (SSL_CTX*)ctxt;
720 /* no SSLv2, SSLv3 because has defects */
721 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
723 log_crypto_err("could not set SSL_OP_NO_SSLv2");
726 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
728 log_crypto_err("could not set SSL_OP_NO_SSLv3");
731 #if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
732 /* if we have tls 1.1 disable 1.0 */
733 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
735 log_crypto_err("could not set SSL_OP_NO_TLSv1");
739 #if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
740 /* if we have tls 1.2 disable 1.1 */
741 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
742 != SSL_OP_NO_TLSv1_1){
743 log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
747 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
748 /* if we have sha256, set the cipher list to have no known vulns */
749 if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
750 log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
753 if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
754 SSL_OP_CIPHER_SERVER_PREFERENCE) !=
755 SSL_OP_CIPHER_SERVER_PREFERENCE) {
756 log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE");
760 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
761 SSL_CTX_set_security_level(ctx, 0);
765 #endif /* HAVE_SSL */
770 listen_sslctx_setup_2(void* ctxt)
773 SSL_CTX* ctx = (SSL_CTX*)ctxt;
775 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
776 if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
777 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
779 #elif defined(USE_ECDSA)
781 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
783 log_crypto_err("could not find p256, not enabling ECDHE");
785 if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
786 log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
794 #endif /* HAVE_SSL */
797 void* listen_sslctx_create(char* key, char* pem, char* verifypem)
800 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
802 log_crypto_err("could not SSL_CTX_new");
805 if(!listen_sslctx_setup(ctx)) {
809 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
810 log_err("error for cert file: %s", pem);
811 log_crypto_err("error in SSL_CTX use_certificate_chain_file");
815 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
816 log_err("error for private key file: %s", key);
817 log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
821 if(!SSL_CTX_check_private_key(ctx)) {
822 log_err("error for key file: %s", key);
823 log_crypto_err("Error in SSL_CTX check_private_key");
827 listen_sslctx_setup_2(ctx);
828 if(verifypem && verifypem[0]) {
829 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
830 log_crypto_err("Error in SSL_CTX verify locations");
834 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
836 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
840 (void)key; (void)pem; (void)verifypem;
846 /* For windows, the CA trust store is not read by openssl.
847 Add code to open the trust store using wincrypt API and add
848 the root certs into openssl trust store */
850 add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
852 HCERTSTORE hSystemStore;
853 PCCERT_CONTEXT pTargetCert = NULL;
856 verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store");
858 /* load just once per context lifetime for this version
859 TODO: dynamically update CA trust changes as they are available */
863 /* Call wincrypt's CertOpenStore to open the CA root store. */
865 if ((hSystemStore = CertOpenStore(
866 CERT_STORE_PROV_SYSTEM,
869 /* NOTE: mingw does not have this const: replace with 1 << 16 from code
870 CERT_SYSTEM_STORE_CURRENT_USER, */
877 store = SSL_CTX_get_cert_store(tls_ctx);
881 /* failure if the CA store is empty or the call fails */
882 if ((pTargetCert = CertEnumCertificatesInStore(
883 hSystemStore, pTargetCert)) == 0) {
884 verbose(VERB_ALGO, "CA certificate store for Windows is empty.");
887 /* iterate over the windows cert store and add to openssl store */
890 X509 *cert1 = d2i_X509(NULL,
891 (const unsigned char **)&pTargetCert->pbCertEncoded,
892 pTargetCert->cbCertEncoded);
894 /* return error if a cert fails */
895 verbose(VERB_ALGO, "%s %d:%s",
896 "Unable to parse certificate in memory",
897 (int)ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
901 /* return error if a cert add to store fails */
902 if (X509_STORE_add_cert(store, cert1) == 0) {
903 unsigned long error = ERR_peek_last_error();
905 /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
906 * certificate is already in the store. */
907 if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
908 ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
909 verbose(VERB_ALGO, "%s %d:%s\n",
910 "Error adding certificate", (int)ERR_get_error(),
911 ERR_error_string(ERR_get_error(), NULL));
918 } while ((pTargetCert = CertEnumCertificatesInStore(
919 hSystemStore, pTargetCert)) != 0);
921 /* Clean up memory and quit. */
923 CertFreeCertificateContext(pTargetCert);
930 verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully");
933 #endif /* USE_WINSOCK */
935 void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
938 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
940 log_crypto_err("could not allocate SSL_CTX pointer");
943 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
944 != SSL_OP_NO_SSLv2) {
945 log_crypto_err("could not set SSL_OP_NO_SSLv2");
949 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
950 != SSL_OP_NO_SSLv3) {
951 log_crypto_err("could not set SSL_OP_NO_SSLv3");
956 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
957 log_err("error in client certificate %s", pem);
958 log_crypto_err("error in certificate file");
962 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
963 log_err("error in client private key %s", key);
964 log_crypto_err("error in key file");
968 if(!SSL_CTX_check_private_key(ctx)) {
969 log_err("error in client key %s", key);
970 log_crypto_err("error in SSL_CTX_check_private_key");
975 if((verifypem && verifypem[0]) || wincert) {
976 if(verifypem && verifypem[0]) {
977 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
978 log_crypto_err("error in SSL_CTX verify");
985 if(!add_WIN_cacerts_to_openssl_store(ctx)) {
986 log_crypto_err("error in add_WIN_cacerts_to_openssl_store");
994 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
998 (void)key; (void)pem; (void)verifypem; (void)wincert;
1003 void* incoming_ssl_fd(void* sslctx, int fd)
1006 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
1008 log_crypto_err("could not SSL_new");
1011 SSL_set_accept_state(ssl);
1012 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
1013 if(!SSL_set_fd(ssl, fd)) {
1014 log_crypto_err("could not SSL_set_fd");
1020 (void)sslctx; (void)fd;
1025 void* outgoing_ssl_fd(void* sslctx, int fd)
1028 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
1030 log_crypto_err("could not SSL_new");
1033 SSL_set_connect_state(ssl);
1034 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
1035 if(!SSL_set_fd(ssl, fd)) {
1036 log_crypto_err("could not SSL_set_fd");
1042 (void)sslctx; (void)fd;
1047 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1048 /** global lock list for openssl locks */
1049 static lock_basic_type *ub_openssl_locks = NULL;
1051 /** callback that gets thread id for openssl */
1052 static unsigned long
1053 ub_crypto_id_cb(void)
1055 return (unsigned long)log_thread_get();
1059 ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
1060 int ATTR_UNUSED(line))
1062 if((mode&CRYPTO_LOCK)) {
1063 lock_basic_lock(&ub_openssl_locks[type]);
1065 lock_basic_unlock(&ub_openssl_locks[type]);
1068 #endif /* OPENSSL_THREADS */
1070 int ub_openssl_lock_init(void)
1072 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1074 ub_openssl_locks = (lock_basic_type*)reallocarray(
1075 NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_type));
1076 if(!ub_openssl_locks)
1078 for(i=0; i<CRYPTO_num_locks(); i++) {
1079 lock_basic_init(&ub_openssl_locks[i]);
1081 CRYPTO_set_id_callback(&ub_crypto_id_cb);
1082 CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
1083 #endif /* OPENSSL_THREADS */
1087 void ub_openssl_lock_delete(void)
1089 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
1091 if(!ub_openssl_locks)
1093 CRYPTO_set_id_callback(NULL);
1094 CRYPTO_set_locking_callback(NULL);
1095 for(i=0; i<CRYPTO_num_locks(); i++) {
1096 lock_basic_destroy(&ub_openssl_locks[i]);
1098 free(ub_openssl_locks);
1099 #endif /* OPENSSL_THREADS */
1102 int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_session_ticket_keys) {
1105 struct config_strlist* p;
1106 struct tls_session_ticket_key *keys;
1107 for(p = tls_session_ticket_keys; p; p = p->next) {
1110 keys = calloc(s, sizeof(struct tls_session_ticket_key));
1111 memset(keys, 0, s*sizeof(*keys));
1114 for(p = tls_session_ticket_keys; p; p = p->next) {
1116 unsigned char *data = (unsigned char *)malloc(80);
1117 FILE *f = fopen(p->str, "r");
1119 log_err("could not read tls-session-ticket-key %s: %s", p->str, strerror(errno));
1123 n = fread(data, 1, 80, f);
1127 log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", p->str, (int)n);
1131 verbose(VERB_OPS, "read tls-session-ticket-key: %s", p->str);
1133 keys->key_name = data;
1134 keys->aes_key = data + 16;
1135 keys->hmac_key = data + 48;
1138 /* terminate array with NULL key name entry */
1139 keys->key_name = NULL;
1140 if(SSL_CTX_set_tlsext_ticket_key_cb(sslctx, tls_session_ticket_key_cb) == 0) {
1141 log_err("no support for TLS session ticket");
1147 (void)tls_session_ticket_keys;
1153 int tls_session_ticket_key_cb(void *ATTR_UNUSED(sslctx), unsigned char* key_name, unsigned char* iv, void *evp_sctx, void *hmac_ctx, int enc)
1156 const EVP_MD *digest;
1157 const EVP_CIPHER *cipher;
1158 int evp_cipher_length;
1159 digest = EVP_sha256();
1160 cipher = EVP_aes_256_cbc();
1161 evp_cipher_length = EVP_CIPHER_iv_length(cipher);
1164 verbose(VERB_CLIENT, "start session encrypt");
1165 memcpy(key_name, ticket_keys->key_name, 16);
1166 if (RAND_bytes(iv, evp_cipher_length) != 1) {
1167 verbose(VERB_CLIENT, "RAND_bytes failed");
1170 if (EVP_EncryptInit_ex(evp_sctx, cipher, NULL, ticket_keys->aes_key, iv) != 1) {
1171 verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed");
1174 if (HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL) != 1) {
1175 verbose(VERB_CLIENT, "HMAC_Init_ex failed");
1179 } else if (enc == 0) {
1181 struct tls_session_ticket_key *key;
1182 verbose(VERB_CLIENT, "start session decrypt");
1183 for(key = ticket_keys; key->key_name != NULL; key++) {
1184 if (!memcmp(key_name, key->key_name, 16)) {
1185 verbose(VERB_CLIENT, "Found session_key");
1189 if(key->key_name == NULL) {
1190 verbose(VERB_CLIENT, "Not found session_key");
1194 if (HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL) != 1) {
1195 verbose(VERB_CLIENT, "HMAC_Init_ex failed");
1198 if (EVP_DecryptInit_ex(evp_sctx, cipher, NULL, key->aes_key, iv) != 1) {
1199 log_err("EVP_DecryptInit_ex failed");
1203 return (key == ticket_keys) ? 1 : 2;
1217 listen_sslctx_delete_ticket_keys(void)
1219 struct tls_session_ticket_key *key;
1220 if(!ticket_keys) return;
1221 for(key = ticket_keys; key->key_name != NULL; key++) {
1222 free(key->key_name);
projects / FreeBSD / FreeBSD.git / blob