2 * util/net_help.c - implementation of the network helper code
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
37 * Implementation of net_help.h.
41 #include <ldns/ldns.h>
42 #include "util/net_help.h"
44 #include "util/data/dname.h"
45 #include "util/module.h"
46 #include "util/regional.h"
48 #ifdef HAVE_OPENSSL_SSL_H
49 #include <openssl/ssl.h>
51 #ifdef HAVE_OPENSSL_ERR_H
52 #include <openssl/err.h>
55 /** max length of an IP address (the address portion) that we allow */
56 #define MAX_ADDR_STRLEN 128 /* characters */
57 /** default value for EDNS ADVERTISED size */
58 uint16_t EDNS_ADVERTISED_SIZE = 4096;
60 /** minimal responses when positive answer: default is no */
61 int MINIMAL_RESPONSES = 0;
63 /** rrset order roundrobin: default is no */
64 int RRSET_ROUNDROBIN = 0;
66 /* returns true is string addr is an ip6 specced address */
68 str_is_ip6(const char* str)
/**
 * Put socket s into non-blocking mode.
 * With fcntl the current flags are read (F_GETFL) and written back
 * (F_SETFL); with winsock FIONBIO is switched on. Each failure is
 * logged with the platform's error text.
 * NOTE(review): the return value and the flag modification itself are
 * not visible in this excerpt; callers should check the result rather
 * than assume the socket changed mode.
 */
76 fd_set_nonblock(int s)
80 if((flag = fcntl(s, F_GETFL)) == -1) {
81 log_err("can't fcntl F_GETFL: %s", strerror(errno));
85 if(fcntl(s, F_SETFL, flag) == -1) {
86 log_err("can't fcntl F_SETFL: %s", strerror(errno));
89 #elif defined(HAVE_IOCTLSOCKET)
91 if(ioctlsocket(s, FIONBIO, &on) != 0) {
92 log_err("can't ioctlsocket FIONBIO on: %s",
93 wsa_strerror(WSAGetLastError()));
104 if((flag = fcntl(s, F_GETFL)) == -1) {
105 log_err("cannot fcntl F_GETFL: %s", strerror(errno));
109 if(fcntl(s, F_SETFL, flag) == -1) {
110 log_err("cannot fcntl F_SETFL: %s", strerror(errno));
113 #elif defined(HAVE_IOCTLSOCKET)
114 unsigned long off = 0;
115 if(ioctlsocket(s, FIONBIO, &off) != 0) {
116 log_err("can't ioctlsocket FIONBIO off: %s",
117 wsa_strerror(WSAGetLastError()));
126 if(num == 0) return 1;
127 return (num & (num-1)) == 0;
/**
 * Return a heap copy of the len bytes at data.
 * A NULL source or len == 0 yields NULL, so callers cannot distinguish
 * "nothing to copy" from a failed copy by the return value alone.
 * NOTE(review): the allocation and its NULL check are not in this
 * excerpt; presumably allocation failure also returns NULL.
 * The caller owns the returned memory and must free() it.
 */
131 memdup(void* data, size_t len)
134 if(!data) return NULL;
135 if(len == 0) return NULL;
138 memcpy(d, data, len);
/**
 * Log a socket address at verbosity v, prefixed with str.
 * The family and port are read through a sockaddr_in cast before the
 * family is known; for AF_INET/AF_INET6 the family and port fields sit
 * at the same offsets on the usual layouts, for AF_UNIX the "port" is
 * just whatever bytes are there (logging only, no deref beyond the
 * struct). inet_ntop does not handle AF_UNIX, so that case ends up as
 * the "(inet_ntop error)" placeholder; the explicit NUL on the last
 * byte covers strncpy not terminating dest.
 * NOTE(review): the size of dest and any verbosity early-out are on
 * lines not shown here.
 */
143 log_addr(enum verbosity_value v, const char* str,
144 struct sockaddr_storage* addr, socklen_t addrlen)
147 const char* family = "unknown";
149 int af = (int)((struct sockaddr_in*)addr)->sin_family;
150 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
154 case AF_INET: family="ip4"; break;
155 case AF_INET6: family="ip6";
156 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
158 case AF_UNIX: family="unix"; break;
161 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
162 strncpy(dest, "(inet_ntop error)", sizeof(dest));
164 dest[sizeof(dest)-1] = 0;
165 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
167 verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
168 (int)port, (int)addrlen);
169 else verbose(v, "%s %s port %d", str, dest, (int)port);
/**
 * Parse "ip" or "ip@port" into addr/addrlen; without '@' the port is
 * UNBOUND_DNS_PORT. The address part is copied into a fixed buffer only
 * after checking that it fits (s-str >= MAX_ADDR_STRLEN is rejected),
 * so the strncpy cannot overflow; the terminating NUL is on a line not
 * shown here.
 * NOTE(review): the port is evidently parsed with atoi (the check below
 * only tells a literal "0" apart from a parse failure), so negative or
 * > 65535 values are accepted and later truncated to 16 bits by the
 * htons() cast in ipstrtoaddr ("@70000" silently becomes port 4464).
 * strtol with an explicit 1..65535 range check would reject them.
 * Input is configuration text, so the impact is a wrong port, not
 * memory corruption.
 */
173 extstrtoaddr(const char* str, struct sockaddr_storage* addr,
177 int port = UNBOUND_DNS_PORT;
178 if((s=strchr(str, '@'))) {
179 char buf[MAX_ADDR_STRLEN];
180 if(s-str >= MAX_ADDR_STRLEN) {
183 strncpy(buf, str, MAX_ADDR_STRLEN);
186 if(port == 0 && strcmp(s+1,"0")!=0) {
189 return ipstrtoaddr(buf, port, addr, addrlen);
191 return ipstrtoaddr(str, port, addr, addrlen);
/**
 * Convert an IPv4 or IPv6 literal plus port into a zeroed, fully
 * initialised sockaddr_in/sockaddr_in6 and set *addrlen accordingly.
 * Returns nonzero on success, zero if inet_pton rejects the text
 * (return statements are on lines not shown here).
 *
 * IPv6 accepts the RFC 4007 "addr%zone" form; the zone is taken with
 * atoi, so only a numeric scope id works and a name such as "eth0"
 * silently yields scope 0 (if_nametoindex would be needed for names).
 * As with the '@' split, the copy into buf is guarded by a length
 * check first.
 * NOTE(review): the port is narrowed by (in_port_t)htons(p); values
 * outside 0..65535 wrap silently, so range-check p in the callers.
 */
196 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
203 char buf[MAX_ADDR_STRLEN];
205 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
206 *addrlen = (socklen_t)sizeof(struct sockaddr_in6);
207 memset(sa, 0, *addrlen);
208 sa->sin6_family = AF_INET6;
209 sa->sin6_port = (in_port_t)htons(p);
210 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */
211 if(s-ip >= MAX_ADDR_STRLEN)
213 strncpy(buf, ip, MAX_ADDR_STRLEN);
215 sa->sin6_scope_id = (uint32_t)atoi(s+1);
218 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) {
222 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
223 *addrlen = (socklen_t)sizeof(struct sockaddr_in);
224 memset(sa, 0, *addrlen);
225 sa->sin_family = AF_INET;
226 sa->sin_port = (in_port_t)htons(p);
227 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) {
/**
 * Parse "ip" or "ip/prefix" into addr/addrlen and *net (prefix length,
 * defaulting to the full 32 or 128). The host bits are cleared with
 * addr_mask so the stored value is a canonical netblock. The '/' is
 * cut off a strdup'ed copy before ipstrtoaddr sees it (the free() of
 * that copy is on a line not shown here).
 *
 * NOTE(review): the prefix is bounded only from above. atoi(s+1) is
 * compared with *net (32/128) and a non-numeric suffix is caught by
 * the == 0 && strcmp(...,"0") test, but a negative prefix such as
 * "/-9" passes both checks. addr_mask then computes net/8 == -1 and
 * writes s[-1] &= mask[...], one byte before the address field inside
 * the sockaddr, and its zeroing loop starts at i == 0 and wipes the
 * whole address. Add `if(atoi(s+1) < 0) { log_err(...); return 0; }`
 * next to the "too large" check (the `*net = atoi(s+1)` assignment
 * itself is not in this excerpt but is implied by the check below).
 * The input is configuration text, so this is a robustness issue, not
 * a remote one.
 */
234 int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr,
235 socklen_t* addrlen, int* net)
238 *net = (str_is_ip6(str)?128:32);
239 if((s=strchr(str, '/'))) {
240 if(atoi(s+1) > *net) {
241 log_err("netblock too large: %s", str);
245 if(*net == 0 && strcmp(s+1, "0") != 0) {
246 log_err("cannot parse netblock: '%s'", str);
249 if(!(s = strdup(str))) {
250 log_err("out of memory");
253 *strchr(s, '/') = '\0';
255 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) {
257 log_err("cannot parse ip address: '%s'", str);
262 addr_mask(addr, *addrlen, *net);
/**
 * Log "str name type class" for a wire-format dname, an RR type and a
 * class. Meta/query types (TSIG, IXFR, AXFR, MAILB, MAILA, ANY) are
 * named explicitly, other types through the ldns descriptor table and
 * otherwise printed as TYPEnnn; classes go through ldns_rr_classes or
 * CLASSnnn. The fixed buffers t and c are filled with snprintf, so the
 * numeric fallbacks are bounded.
 * NOTE(review): buf is LDNS_MAX_DOMAINLEN+1 bytes and is written by
 * dname_str(); this relies on dname_str never producing more than that
 * for any (possibly hostile) wire name - confirm against its contract.
 * NOTE(review): the verbosity parameter v is not used on the visible
 * lines; presumably an early-out on it is among the elided lines.
 */
268 log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
269 uint16_t type, uint16_t dclass)
271 char buf[LDNS_MAX_DOMAINLEN+1];
276 dname_str(name, buf);
277 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
278 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
279 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
280 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
281 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
282 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
283 else if(ldns_rr_descript(type) && ldns_rr_descript(type)->_name)
284 ts = ldns_rr_descript(type)->_name;
286 snprintf(t, sizeof(t), "TYPE%d", (int)type);
289 if(ldns_lookup_by_id(ldns_rr_classes, (int)dclass) &&
290 ldns_lookup_by_id(ldns_rr_classes, (int)dclass)->name)
291 cs = ldns_lookup_by_id(ldns_rr_classes, (int)dclass)->name;
293 snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
296 log_info("%s %s %s %s", str, buf, ts, cs);
/**
 * Log "str <zone> addr#port" at verbosity v. Same address handling as
 * log_addr: family/port read through a sockaddr_in cast, AF_UNIX and
 * unknown families end up as "(inet_ntop error)" since inet_ntop only
 * handles AF_INET/AF_INET6, and dest is NUL-terminated explicitly
 * after the strncpy. For families other than IPv4/IPv6 the addrlen is
 * appended to help diagnose the odd address.
 * NOTE(review): namebuf is LDNS_MAX_DOMAINLEN+1 bytes and is filled by
 * dname_str(); as in log_nametypeclass this depends on dname_str's
 * output bound - confirm.
 */
299 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
300 struct sockaddr_storage* addr, socklen_t addrlen)
303 const char* family = "unknown_family ";
304 char namebuf[LDNS_MAX_DOMAINLEN+1];
306 int af = (int)((struct sockaddr_in*)addr)->sin_family;
307 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
311 case AF_INET: family=""; break;
312 case AF_INET6: family="";
313 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
315 case AF_UNIX: family="unix_family "; break;
318 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
319 strncpy(dest, "(inet_ntop error)", sizeof(dest));
321 dest[sizeof(dest)-1] = 0;
322 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
323 dname_str(zone, namebuf);
324 if(af != AF_INET && af != AF_INET6)
325 verbose(v, "%s <%s> %s%s#%d (addrlen %d)",
326 str, namebuf, family, dest, (int)port, (int)addrlen);
327 else verbose(v, "%s <%s> %s%s#%d",
328 str, namebuf, family, dest, (int)port);
/**
 * Total order on socket addresses for use as a tree/sort key:
 * by family first, then port, then the raw address bytes. The port
 * fields are compared in network byte order without ntohs - that gives
 * a consistent ordering, not a numeric one, which is all a key needs.
 * Returns <0, 0, >0 like memcmp (the early return lines are not shown
 * in this excerpt).
 *
 * Both addresses must have the same length: log_assert checks it, but
 * if that is compiled out in release builds the memcmp fallback for
 * unknown families reads len1 bytes from addr2 regardless of len2.
 * Unknown families are compared bytewise over the whole length.
 */
332 sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1,
333 struct sockaddr_storage* addr2, socklen_t len2)
335 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
336 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
337 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
338 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
343 log_assert(len1 == len2);
344 if( p1_in->sin_family < p2_in->sin_family)
346 if( p1_in->sin_family > p2_in->sin_family)
348 log_assert( p1_in->sin_family == p2_in->sin_family );
350 if( p1_in->sin_family == AF_INET ) {
351 /* just order it, ntohs not required */
352 if(p1_in->sin_port < p2_in->sin_port)
354 if(p1_in->sin_port > p2_in->sin_port)
356 log_assert(p1_in->sin_port == p2_in->sin_port);
357 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
358 } else if (p1_in6->sin6_family == AF_INET6) {
359 /* just order it, ntohs not required */
360 if(p1_in6->sin6_port < p2_in6->sin6_port)
362 if(p1_in6->sin6_port > p2_in6->sin6_port)
364 log_assert(p1_in6->sin6_port == p2_in6->sin6_port);
365 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
368 /* eek unknown type, perform this comparison for sanity. */
369 return memcmp(addr1, addr2, len1);
/**
 * Like sockaddr_cmp but ignores the port: order by family, then by the
 * raw address bytes only. Used where two sockets on the same host must
 * compare equal (see sock_list_find). Returns <0, 0, >0 like memcmp.
 * Same precondition as sockaddr_cmp: len1 == len2, asserted with
 * log_assert; the unknown-family fallback memcmp trusts len1 for both
 * buffers.
 */
374 sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1,
375 struct sockaddr_storage* addr2, socklen_t len2)
377 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
378 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
379 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
380 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
385 log_assert(len1 == len2);
386 if( p1_in->sin_family < p2_in->sin_family)
388 if( p1_in->sin_family > p2_in->sin_family)
390 log_assert( p1_in->sin_family == p2_in->sin_family );
392 if( p1_in->sin_family == AF_INET ) {
393 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
394 } else if (p1_in6->sin6_family == AF_INET6) {
395 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
398 /* eek unknown type, perform this comparison for sanity. */
399 return memcmp(addr1, addr2, len1);
/**
 * True if addr is an IPv6 socket address: both the length must be
 * exactly sizeof(struct sockaddr_in6) and the family AF_INET6. The
 * length test comes first, so the family field is only read when the
 * buffer is known to be large enough. Anything else (including IPv4)
 * is "not ip6"; the callers below then treat it as IPv4.
 */
404 addr_is_ip6(struct sockaddr_storage* addr, socklen_t len)
406 if(len == (socklen_t)sizeof(struct sockaddr_in6) &&
407 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6)
/**
 * Clear all host bits of addr beyond a prefix of net bits, in place.
 * Whole bytes after the prefix are zeroed by the loop; the byte that
 * holds the boundary is ANDed with a mask keeping its top net%8 bits.
 * Non-IPv6 addresses are treated as IPv4 (max 32 bits).
 *
 * NOTE(review): net is trusted. With net < 0, net/8 truncates toward
 * zero, so for net <= -8 the final s[net/8] write lands before the
 * address field (still inside the sockaddr but on other fields) and
 * the loop starts at or before i == 0 and wipes the whole address.
 * With net == max, s[net/8] is the byte just past the address field.
 * Callers (netblockstrtoaddr) must reject net < 0, and the net >= max
 * guard - if it is on the elided lines here - must stay in place.
 */
413 addr_mask(struct sockaddr_storage* addr, socklen_t len, int net)
415 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
418 if(addr_is_ip6(addr, len)) {
419 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
422 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr;
427 for(i=net/8+1; i<max/8; i++) {
430 s[net/8] &= mask[net&0x7];
/**
 * Number of leading bits two addresses have in common, capped at the
 * shorter of the two prefix lengths net1/net2. Walks the address bytes
 * (IPv6 if addr1 is, else IPv4; both addresses are assumed to be the
 * same family and addrlen) XORing them, so the first nonzero byte ends
 * the count with its leading zero bits. Used for longest-prefix
 * matching of netblocks.
 * NOTE(review): the loop bound 'to' and the bit-count inside the loop
 * are on lines not shown here.
 */
434 addr_in_common(struct sockaddr_storage* addr1, int net1,
435 struct sockaddr_storage* addr2, int net2, socklen_t addrlen)
437 int min = (net1<net2)?net1:net2;
441 if(addr_is_ip6(addr1, addrlen)) {
442 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr;
443 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr;
446 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr;
447 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr;
450 /* match = bits_in_common(s1, s2, to); */
451 for(i=0; i<to; i++) {
455 uint8_t z = s1[i]^s2[i];
464 if(match > min) match = min;
/**
 * Write the textual form of addr into buf (len bytes). The family is
 * taken from the sin_family field; the address pointer is switched to
 * sin6_addr only when addr_is_ip6 agrees (right length and family).
 * If inet_ntop fails (buffer too small, or a family it does not know
 * such as AF_UNIX) a bounded placeholder is written with snprintf, so
 * buf is always a valid string afterwards when len > 0.
 */
469 addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
470 char* buf, size_t len)
472 int af = (int)((struct sockaddr_in*)addr)->sin_family;
473 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
474 if(addr_is_ip6(addr, addrlen))
475 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
476 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) {
477 snprintf(buf, len, "(inet_ntop_error)");
/**
 * True if addr is an IPv6 address in the IPv4-mapped range
 * ::ffff:a.b.c.d (RFC 4291 2.5.5.2). Non-IPv6 addresses return false
 * (the early return is on a line not shown here). Only the first 12
 * octets are compared against the well-known prefix; the embedded
 * IPv4 address in the last 4 octets is not inspected.
 */
482 addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
484 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */
485 const uint8_t map_prefix[16] =
486 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0};
488 if(!addr_is_ip6(addr, addrlen))
490 /* s is 16 octet ipv6 address string */
491 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
492 return (memcmp(s, map_prefix, 12) == 0);
/**
 * True if addr is the IPv4 limited-broadcast address 255.255.255.255.
 * Requires AF_INET and an addrlen of at least sizeof(struct
 * sockaddr_in) before the address bytes are compared; only sin_family
 * is read before that length check. Subnet-directed broadcasts
 * (e.g. 10.0.0.255) are not detected - this is a literal match only.
 * IPv6 (which has no broadcast) always yields false.
 */
495 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
497 int af = (int)((struct sockaddr_in*)addr)->sin_family;
498 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
499 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
500 && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
/**
 * True if addr is the unspecified ("any") address: 0.0.0.0 for
 * AF_INET or :: for AF_INET6. The address bytes are only compared once
 * addrlen is known to cover the respective struct; other families
 * return false (the return statements are on lines not shown here).
 * The IPv4-mapped form ::ffff:0.0.0.0 is not treated as "any".
 */
503 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen)
505 int af = (int)((struct sockaddr_in*)addr)->sin_family;
506 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
507 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr;
508 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
509 && memcmp(sinaddr, "\000\000\000\000", 4) == 0)
511 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6)
512 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000"
513 "\000\000\000\000\000\000\000\000", 16) == 0)
/**
 * Prepend a copy of addr (len bytes) to *list, allocating from region.
 * The node is allocated undersized on purpose: sizeof(*add) minus the
 * full sockaddr_storage plus only the len bytes actually needed, so the
 * trailing addr member must stay the last field of struct sock_list.
 * A len of 0 stores a node without any address bytes (nothing is
 * copied). Memory belongs to the region and is released with it, so
 * there is no matching free. Allocation failure is logged and the list
 * is left unchanged (the return is on a line not shown here).
 */
518 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
519 socklen_t len, struct regional* region)
521 struct sock_list* add = (struct sock_list*)regional_alloc(region,
522 sizeof(*add) - sizeof(add->addr) + (size_t)len);
524 log_err("out of memory in socketlist insert");
531 if(len) memmove(&add->addr, addr, len);
534 void sock_list_prepend(struct sock_list** list, struct sock_list* add)
536 struct sock_list* last = add;
/**
 * True if list holds an entry for addr/len. Entries only match when
 * the stored length equals len; a zero length matches any zero-length
 * entry, otherwise sockaddr_cmp_addr is used, so the PORT IS IGNORED -
 * two sockets on the same host compare as the same entry. Linear scan
 * (the loop header and returns are on lines not shown here).
 */
545 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
549 if(len == list->len) {
550 if(len == 0 || sockaddr_cmp_addr(addr, len,
551 &list->addr, list->len) == 0)
/**
 * Union of two address lists: every entry of add that sock_list_find
 * does not already see in *list is copied into *list (allocated from
 * region). add itself is not modified or consumed. Because find
 * compares addresses only, entries differing just in port are treated
 * as duplicates and dropped. Quadratic in list sizes, which is fine
 * for the small lists this is used for.
 */
559 void sock_list_merge(struct sock_list** list, struct regional* region,
560 struct sock_list* add)
563 for(p=add; p; p=p->next) {
564 if(!sock_list_find(*list, &p->addr, p->len))
565 sock_list_insert(list, &p->addr, p->len, region);
/**
 * Log str followed by the whole OpenSSL error queue, one log_err line
 * per entry, draining the queue as a side effect (ERR_get_error pops).
 * Call it right after the failing OpenSSL call, before anything else
 * can push or clear errors. If the queue is empty, the first line
 * still prints OpenSSL's "error:00000000:lib(0):func(0):reason(0)"
 * placeholder, which is the normal sign that the failure was not an
 * OpenSSL-level error (e.g. a plain file-not-found on a key path).
 */
570 log_crypto_err(const char* str)
573 /* error:[error code]:[library name]:[function name]:[reason string] */
576 ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
577 log_err("%s crypto %s", str, buf);
578 while( (e=ERR_get_error()) ) {
579 ERR_error_string_n(e, buf, sizeof(buf));
580 log_err("and additionally crypto %s", buf);
584 #endif /* HAVE_SSL */
/**
 * Build the server-side SSL_CTX for a listening (remote-control style)
 * socket: load the certificate (pem) and private key (key), check they
 * belong together, and, if verifypem is set, use it as the trust store
 * and advertised client-CA list and turn on peer verification.
 * Returns the SSL_CTX* as void*, or NULL on error (the cleanup/return
 * lines are not shown in this excerpt). Without HAVE_SSL it is a stub
 * that returns NULL.
 *
 * NOTE(review): SSL_VERIFY_PEER on its own does NOT require the client
 * to send a certificate - per the OpenSSL SSL_CTX_set_verify contract
 * a server continues the handshake when the client presents none and
 * only aborts when a presented certificate fails to verify. If
 * verifypem is meant to authenticate clients, this must be
 * SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, otherwise any peer
 * that simply omits a certificate gets a connection.
 * NOTE(review): only SSLv2 is disabled; SSLv23_server_method still
 * negotiates SSLv3, so SSL_OP_NO_SSLv3 should be set as well.
 * NOTE(review): SSL_load_client_CA_file can return NULL (unreadable
 * file); its result is passed straight to set_client_CA_list here.
 */
587 void* listen_sslctx_create(char* key, char* pem, char* verifypem)
590 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
592 log_crypto_err("could not SSL_CTX_new");
595 /* no SSLv2 because has defects */
596 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
597 log_crypto_err("could not set SSL_OP_NO_SSLv2");
601 if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
602 log_err("error for cert file: %s", pem);
603 log_crypto_err("error in SSL_CTX use_certificate_file");
607 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
608 log_err("error for private key file: %s", key);
609 log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
613 if(!SSL_CTX_check_private_key(ctx)) {
614 log_err("error for key file: %s", key);
615 log_crypto_err("Error in SSL_CTX check_private_key");
620 if(verifypem && verifypem[0]) {
621 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
622 log_crypto_err("Error in SSL_CTX verify locations");
626 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
628 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
632 (void)key; (void)pem; (void)verifypem;
/**
 * Build the client-side SSL_CTX: SSLv2 off, an optional client
 * certificate/key pair (pem/key, the guard that makes them optional is
 * on a line not shown here), and an optional trust store verifypem
 * which turns on SSL_VERIFY_PEER. Returns the SSL_CTX* as void*, NULL
 * on error; a stub returning NULL without HAVE_SSL.
 *
 * BUG(review): the verify-locations check is inverted. '!' binds
 * tighter than '!=', so `!SSL_CTX_load_verify_locations(...) != 1`
 * is (!X) != 1, which is TRUE when X == 1 (the load SUCCEEDED) and
 * FALSE when X == 0 (it failed). A configured verifypem thus always
 * takes the error path, while an unreadable/bogus CA file is accepted
 * silently - verification stays on, so handshakes presumably then fail
 * against an empty trust store, but with a misleading error. The
 * intended line is `if(!SSL_CTX_load_verify_locations(ctx, verifypem,
 * NULL)) {`, matching listen_sslctx_create above.
 * NOTE(review): SSL_VERIFY_PEER validates the chain only; nothing here
 * checks the server's name. That is adequate when verifypem is a
 * private CA / self-signed cert that only the intended peer holds;
 * otherwise the caller must check the peer certificate itself.
 * NOTE(review): as on the server side, SSLv3 is still enabled;
 * add SSL_OP_NO_SSLv3.
 */
637 void* connect_sslctx_create(char* key, char* pem, char* verifypem)
640 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
642 log_crypto_err("could not allocate SSL_CTX pointer");
645 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
646 log_crypto_err("could not set SSL_OP_NO_SSLv2");
651 if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
652 log_err("error in client certificate %s", pem);
653 log_crypto_err("error in certificate file");
657 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
658 log_err("error in client private key %s", key);
659 log_crypto_err("error in key file");
663 if(!SSL_CTX_check_private_key(ctx)) {
664 log_err("error in client key %s", key);
665 log_crypto_err("error in SSL_CTX_check_private_key");
670 if(verifypem && verifypem[0]) {
671 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL) != 1) {
672 log_crypto_err("error in SSL_CTX verify");
676 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
680 (void)key; (void)pem; (void)verifypem;
/**
 * Wrap an accepted socket fd in a new SSL object from sslctx, in
 * accept (server) state. SSL_MODE_AUTO_RETRY only hides renegotiation
 * retries on blocking BIOs; on a non-blocking fd the caller still has
 * to handle SSL_ERROR_WANT_READ/WRITE. SSL_set_fd attaches a
 * BIO_NOCLOSE socket BIO, so the fd is NOT owned by the SSL object and
 * the caller keeps responsibility for closing it. Returns the SSL* as
 * void*, NULL on error; a stub returning NULL without HAVE_SSL.
 * NOTE(review): the SSL_free on the set_fd failure path is on a line
 * not shown here - confirm it is there.
 */
685 void* incoming_ssl_fd(void* sslctx, int fd)
688 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
690 log_crypto_err("could not SSL_new");
693 SSL_set_accept_state(ssl);
694 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
695 if(!SSL_set_fd(ssl, fd)) {
696 log_crypto_err("could not SSL_set_fd");
702 (void)sslctx; (void)fd;
/**
 * Client counterpart of incoming_ssl_fd: wrap a connected fd in a new
 * SSL object from sslctx in connect state. Same caveats: AUTO_RETRY
 * does not make non-blocking I/O blocking, and the fd stays owned by
 * the caller (SSL_set_fd uses BIO_NOCLOSE). Returns the SSL* as void*,
 * NULL on error; a stub returning NULL without HAVE_SSL.
 * Whether the peer is authenticated depends entirely on how sslctx
 * was built (see connect_sslctx_create).
 */
707 void* outgoing_ssl_fd(void* sslctx, int fd)
710 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
712 log_crypto_err("could not SSL_new");
715 SSL_set_connect_state(ssl);
716 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
717 if(!SSL_set_fd(ssl, fd)) {
718 log_crypto_err("could not SSL_set_fd");
724 (void)sslctx; (void)fd;
729 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
730 /** global lock list for openssl locks */
731 static lock_basic_t *ub_openssl_locks = NULL;
/**
 * CRYPTO_set_id_callback hook: hand OpenSSL (pre-1.1.0) a per-thread
 * identifier derived from ub_thread_self(). OpenSSL uses it to tell
 * lock owners apart; it must be unique per live thread and is
 * truncated to unsigned long here.
 */
735 ub_crypto_id_cb(void)
737 return (unsigned long)ub_thread_self();
/**
 * CRYPTO_set_locking_callback hook: acquire (mode has CRYPTO_LOCK set)
 * or release the lock number 'type' from the ub_openssl_locks array
 * set up in ub_openssl_lock_init. OpenSSL only passes type values
 * below CRYPTO_num_locks(), which is the array size. file/line are
 * debugging aids from OpenSSL and unused.
 */
741 ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
742 int ATTR_UNUSED(line))
744 if((mode&CRYPTO_LOCK)) {
745 lock_basic_lock(&ub_openssl_locks[type]);
747 lock_basic_unlock(&ub_openssl_locks[type]);
750 #endif /* OPENSSL_THREADS */
/**
 * Install the OpenSSL (pre-1.1.0) thread-safety callbacks: allocate
 * and initialise CRYPTO_num_locks() basic locks and register the id
 * and locking callbacks. Without this, concurrent SSL use from several
 * threads races on OpenSSL's shared state. Must run once before any
 * thread touches SSL. Returns nonzero on success; the failure return
 * after the malloc check is on a line not shown here. Compiles to a
 * no-op (and presumably "success") when SSL or threads are disabled.
 */
752 int ub_openssl_lock_init(void)
754 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
756 ub_openssl_locks = (lock_basic_t*)malloc(
757 sizeof(lock_basic_t)*CRYPTO_num_locks());
758 if(!ub_openssl_locks)
760 for(i=0; i<CRYPTO_num_locks(); i++) {
761 lock_basic_init(&ub_openssl_locks[i]);
763 CRYPTO_set_id_callback(&ub_crypto_id_cb);
764 CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
765 #endif /* OPENSSL_THREADS */
/**
 * Undo ub_openssl_lock_init: unregister the callbacks first (so
 * OpenSSL stops calling into the array), then destroy and free the
 * locks. Safe to call when init never ran or failed (NULL array
 * returns early). Must only be called once all SSL-using threads have
 * finished, since OpenSSL calls made after this run unlocked.
 */
769 void ub_openssl_lock_delete(void)
771 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
773 if(!ub_openssl_locks)
775 CRYPTO_set_id_callback(NULL);
776 CRYPTO_set_locking_callback(NULL);
777 for(i=0; i<CRYPTO_num_locks(); i++) {
778 lock_basic_destroy(&ub_openssl_locks[i]);
780 free(ub_openssl_locks);
781 #endif /* OPENSSL_THREADS */