1/*
2 * util/net_help.c - implementation of the network helper code
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35/**
36 * \file
37 * Implementation of net_help.h.
38 */
39
40#include "config.h"
41#include "util/net_help.h"
42#include "util/log.h"
43#include "util/data/dname.h"
44#include "util/module.h"
45#include "util/regional.h"
46#include "ldns/parseutil.h"
47#include "ldns/wire2str.h"
48#include <fcntl.h>
49#ifdef HAVE_OPENSSL_SSL_H
50#include <openssl/ssl.h>
51#endif
52#ifdef HAVE_OPENSSL_ERR_H
53#include <openssl/err.h>
54#endif
55
56/** max length of an IP address (the address portion) that we allow */
57#define MAX_ADDR_STRLEN 128 /* characters */
58/** default value for EDNS ADVERTISED size */
59uint16_t EDNS_ADVERTISED_SIZE = 4096;
60
61/** minimal responses when positive answer: default is no */
62int MINIMAL_RESPONSES = 0;
63
64/** rrset order roundrobin: default is no */
65int RRSET_ROUNDROBIN = 0;
66
67/* returns true is string addr is an ip6 specced address */
68int
69str_is_ip6(const char* str)
70{
71 if(strchr(str, ':'))
72 return 1;
73 else return 0;
74}
75
76int
77fd_set_nonblock(int s)
78{
79#ifdef HAVE_FCNTL
80 int flag;
81 if((flag = fcntl(s, F_GETFL)) == -1) {
82 log_err("can't fcntl F_GETFL: %s", strerror(errno));
83 flag = 0;
84 }
85 flag |= O_NONBLOCK;
86 if(fcntl(s, F_SETFL, flag) == -1) {
87 log_err("can't fcntl F_SETFL: %s", strerror(errno));
88 return 0;
89 }
90#elif defined(HAVE_IOCTLSOCKET)
91 unsigned long on = 1;
92 if(ioctlsocket(s, FIONBIO, &on) != 0) {
93 log_err("can't ioctlsocket FIONBIO on: %s",
94 wsa_strerror(WSAGetLastError()));
95 }
96#endif
97 return 1;
98}
99
100int
101fd_set_block(int s)
102{
103#ifdef HAVE_FCNTL
104 int flag;
105 if((flag = fcntl(s, F_GETFL)) == -1) {
106 log_err("cannot fcntl F_GETFL: %s", strerror(errno));
107 flag = 0;
108 }
109 flag &= ~O_NONBLOCK;
110 if(fcntl(s, F_SETFL, flag) == -1) {
111 log_err("cannot fcntl F_SETFL: %s", strerror(errno));
112 return 0;
113 }
114#elif defined(HAVE_IOCTLSOCKET)
115 unsigned long off = 0;
116 if(ioctlsocket(s, FIONBIO, &off) != 0) {
117 log_err("can't ioctlsocket FIONBIO off: %s",
118 wsa_strerror(WSAGetLastError()));
119 }
120#endif
121 return 1;
122}
123
124int
125is_pow2(size_t num)
126{
127 if(num == 0) return 1;
128 return (num & (num-1)) == 0;
129}
130
131void*
132memdup(void* data, size_t len)
133{
134 void* d;
135 if(!data) return NULL;
136 if(len == 0) return NULL;
137 d = malloc(len);
138 if(!d) return NULL;
139 memcpy(d, data, len);
140 return d;
141}
142
143void
144log_addr(enum verbosity_value v, const char* str,
145 struct sockaddr_storage* addr, socklen_t addrlen)
146{
147 uint16_t port;
148 const char* family = "unknown";
149 char dest[100];
150 int af = (int)((struct sockaddr_in*)addr)->sin_family;
151 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
152 if(verbosity < v)
153 return;
154 switch(af) {
155 case AF_INET: family="ip4"; break;
156 case AF_INET6: family="ip6";
157 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
158 break;
|
160 default: break;
161 }
162 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
163 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
164 }
165 dest[sizeof(dest)-1] = 0;
166 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
167 if(verbosity >= 4)
168 verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
169 (int)port, (int)addrlen);
170 else verbose(v, "%s %s port %d", str, dest, (int)port);
171}
172
173int
174extstrtoaddr(const char* str, struct sockaddr_storage* addr,
175 socklen_t* addrlen)
176{
177 char* s;
178 int port = UNBOUND_DNS_PORT;
179 if((s=strchr(str, '@'))) {
180 char buf[MAX_ADDR_STRLEN];
181 if(s-str >= MAX_ADDR_STRLEN) {
182 return 0;
183 }
184 (void)strlcpy(buf, str, sizeof(buf));
185 buf[s-str] = 0;
186 port = atoi(s+1);
187 if(port == 0 && strcmp(s+1,"0")!=0) {
188 return 0;
189 }
190 return ipstrtoaddr(buf, port, addr, addrlen);
191 }
192 return ipstrtoaddr(str, port, addr, addrlen);
193}
194
195
196int
197ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
198 socklen_t* addrlen)
199{
200 uint16_t p;
201 if(!ip) return 0;
202 p = (uint16_t) port;
203 if(str_is_ip6(ip)) {
204 char buf[MAX_ADDR_STRLEN];
205 char* s;
206 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
207 *addrlen = (socklen_t)sizeof(struct sockaddr_in6);
208 memset(sa, 0, *addrlen);
209 sa->sin6_family = AF_INET6;
210 sa->sin6_port = (in_port_t)htons(p);
211 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */
212 if(s-ip >= MAX_ADDR_STRLEN)
213 return 0;
214 (void)strlcpy(buf, ip, sizeof(buf));
215 buf[s-ip]=0;
216 sa->sin6_scope_id = (uint32_t)atoi(s+1);
217 ip = buf;
218 }
219 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) {
220 return 0;
221 }
222 } else { /* ip4 */
223 struct sockaddr_in* sa = (struct sockaddr_in*)addr;
224 *addrlen = (socklen_t)sizeof(struct sockaddr_in);
225 memset(sa, 0, *addrlen);
226 sa->sin_family = AF_INET;
227 sa->sin_port = (in_port_t)htons(p);
228 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) {
229 return 0;
230 }
231 }
232 return 1;
233}
234
235int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr,
236 socklen_t* addrlen, int* net)
237{
238 char* s = NULL;
239 *net = (str_is_ip6(str)?128:32);
240 if((s=strchr(str, '/'))) {
241 if(atoi(s+1) > *net) {
242 log_err("netblock too large: %s", str);
243 return 0;
244 }
245 *net = atoi(s+1);
246 if(*net == 0 && strcmp(s+1, "0") != 0) {
247 log_err("cannot parse netblock: '%s'", str);
248 return 0;
249 }
250 if(!(s = strdup(str))) {
251 log_err("out of memory");
252 return 0;
253 }
254 *strchr(s, '/') = '\0';
255 }
256 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) {
257 free(s);
258 log_err("cannot parse ip address: '%s'", str);
259 return 0;
260 }
261 if(s) {
262 free(s);
263 addr_mask(addr, *addrlen, *net);
264 }
265 return 1;
266}
267
268void
269log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
270 uint16_t type, uint16_t dclass)
271{
272 char buf[LDNS_MAX_DOMAINLEN+1];
273 char t[12], c[12];
274 const char *ts, *cs;
275 if(verbosity < v)
276 return;
277 dname_str(name, buf);
278 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
279 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
280 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
281 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
282 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
283 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
284 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
285 ts = sldns_rr_descript(type)->_name;
286 else {
287 snprintf(t, sizeof(t), "TYPE%d", (int)type);
288 ts = t;
289 }
290 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
291 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
292 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
293 else {
294 snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
295 cs = c;
296 }
297 log_info("%s %s %s %s", str, buf, ts, cs);
298}
299
300void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
301 struct sockaddr_storage* addr, socklen_t addrlen)
302{
303 uint16_t port;
304 const char* family = "unknown_family ";
305 char namebuf[LDNS_MAX_DOMAINLEN+1];
306 char dest[100];
307 int af = (int)((struct sockaddr_in*)addr)->sin_family;
308 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
309 if(verbosity < v)
310 return;
311 switch(af) {
312 case AF_INET: family=""; break;
313 case AF_INET6: family="";
314 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
315 break;
|
317 default: break;
318 }
319 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
320 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
321 }
322 dest[sizeof(dest)-1] = 0;
323 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
324 dname_str(zone, namebuf);
325 if(af != AF_INET && af != AF_INET6)
326 verbose(v, "%s <%s> %s%s#%d (addrlen %d)",
327 str, namebuf, family, dest, (int)port, (int)addrlen);
328 else verbose(v, "%s <%s> %s%s#%d",
329 str, namebuf, family, dest, (int)port);
330}
331
332void log_err_addr(const char* str, const char* err,
333 struct sockaddr_storage* addr, socklen_t addrlen)
334{
335 uint16_t port;
336 char dest[100];
337 int af = (int)((struct sockaddr_in*)addr)->sin_family;
338 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
339 if(af == AF_INET6)
340 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
341 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
342 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
343 }
344 dest[sizeof(dest)-1] = 0;
345 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
346 if(verbosity >= 4)
347 log_err("%s: %s for %s port %d (len %d)", str, err, dest,
348 (int)port, (int)addrlen);
349 else log_err("%s: %s for %s", str, err, dest);
350}
351
352int
353sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1,
354 struct sockaddr_storage* addr2, socklen_t len2)
355{
356 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
357 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
358 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
359 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
360 if(len1 < len2)
361 return -1;
362 if(len1 > len2)
363 return 1;
364 log_assert(len1 == len2);
365 if( p1_in->sin_family < p2_in->sin_family)
366 return -1;
367 if( p1_in->sin_family > p2_in->sin_family)
368 return 1;
369 log_assert( p1_in->sin_family == p2_in->sin_family );
370 /* compare ip4 */
371 if( p1_in->sin_family == AF_INET ) {
372 /* just order it, ntohs not required */
373 if(p1_in->sin_port < p2_in->sin_port)
374 return -1;
375 if(p1_in->sin_port > p2_in->sin_port)
376 return 1;
377 log_assert(p1_in->sin_port == p2_in->sin_port);
378 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
379 } else if (p1_in6->sin6_family == AF_INET6) {
380 /* just order it, ntohs not required */
381 if(p1_in6->sin6_port < p2_in6->sin6_port)
382 return -1;
383 if(p1_in6->sin6_port > p2_in6->sin6_port)
384 return 1;
385 log_assert(p1_in6->sin6_port == p2_in6->sin6_port);
386 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
387 INET6_SIZE);
388 } else {
389 /* eek unknown type, perform this comparison for sanity. */
390 return memcmp(addr1, addr2, len1);
391 }
392}
393
394int
395sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1,
396 struct sockaddr_storage* addr2, socklen_t len2)
397{
398 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
399 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
400 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
401 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
402 if(len1 < len2)
403 return -1;
404 if(len1 > len2)
405 return 1;
406 log_assert(len1 == len2);
407 if( p1_in->sin_family < p2_in->sin_family)
408 return -1;
409 if( p1_in->sin_family > p2_in->sin_family)
410 return 1;
411 log_assert( p1_in->sin_family == p2_in->sin_family );
412 /* compare ip4 */
413 if( p1_in->sin_family == AF_INET ) {
414 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
415 } else if (p1_in6->sin6_family == AF_INET6) {
416 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
417 INET6_SIZE);
418 } else {
419 /* eek unknown type, perform this comparison for sanity. */
420 return memcmp(addr1, addr2, len1);
421 }
422}
423
424int
425addr_is_ip6(struct sockaddr_storage* addr, socklen_t len)
426{
427 if(len == (socklen_t)sizeof(struct sockaddr_in6) &&
428 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6)
429 return 1;
430 else return 0;
431}
432
433void
434addr_mask(struct sockaddr_storage* addr, socklen_t len, int net)
435{
436 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
437 int i, max;
438 uint8_t* s;
439 if(addr_is_ip6(addr, len)) {
440 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
441 max = 128;
442 } else {
443 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr;
444 max = 32;
445 }
446 if(net >= max)
447 return;
448 for(i=net/8+1; i<max/8; i++) {
449 s[i] = 0;
450 }
451 s[net/8] &= mask[net&0x7];
452}
453
454int
455addr_in_common(struct sockaddr_storage* addr1, int net1,
456 struct sockaddr_storage* addr2, int net2, socklen_t addrlen)
457{
458 int min = (net1<net2)?net1:net2;
459 int i, to;
460 int match = 0;
461 uint8_t* s1, *s2;
462 if(addr_is_ip6(addr1, addrlen)) {
463 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr;
464 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr;
465 to = 16;
466 } else {
467 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr;
468 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr;
469 to = 4;
470 }
471 /* match = bits_in_common(s1, s2, to); */
472 for(i=0; i<to; i++) {
473 if(s1[i] == s2[i]) {
474 match += 8;
475 } else {
476 uint8_t z = s1[i]^s2[i];
477 log_assert(z);
478 while(!(z&0x80)) {
479 match++;
480 z<<=1;
481 }
482 break;
483 }
484 }
485 if(match > min) match = min;
486 return match;
487}
488
489void
490addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
491 char* buf, size_t len)
492{
493 int af = (int)((struct sockaddr_in*)addr)->sin_family;
494 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
495 if(addr_is_ip6(addr, addrlen))
496 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
497 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) {
498 snprintf(buf, len, "(inet_ntop_error)");
499 }
500}
501
502int
503addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
504{
505 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */
506 const uint8_t map_prefix[16] =
507 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0};
508 uint8_t* s;
509 if(!addr_is_ip6(addr, addrlen))
510 return 0;
511 /* s is 16 octet ipv6 address string */
512 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
513 return (memcmp(s, map_prefix, 12) == 0);
514}
515
516int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
517{
518 int af = (int)((struct sockaddr_in*)addr)->sin_family;
519 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
520 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
521 && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
522}
523
524int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen)
525{
526 int af = (int)((struct sockaddr_in*)addr)->sin_family;
527 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
528 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr;
529 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
530 && memcmp(sinaddr, "\000\000\000\000", 4) == 0)
531 return 1;
532 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6)
533 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000"
534 "\000\000\000\000\000\000\000\000", 16) == 0)
535 return 1;
536 return 0;
537}
538
539void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
540 socklen_t len, struct regional* region)
541{
542 struct sock_list* add = (struct sock_list*)regional_alloc(region,
543 sizeof(*add) - sizeof(add->addr) + (size_t)len);
544 if(!add) {
545 log_err("out of memory in socketlist insert");
546 return;
547 }
548 log_assert(list);
549 add->next = *list;
550 add->len = len;
551 *list = add;
552 if(len) memmove(&add->addr, addr, len);
553}
554
555void sock_list_prepend(struct sock_list** list, struct sock_list* add)
556{
557 struct sock_list* last = add;
558 if(!last)
559 return;
560 while(last->next)
561 last = last->next;
562 last->next = *list;
563 *list = add;
564}
565
566int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
567 socklen_t len)
568{
569 while(list) {
570 if(len == list->len) {
571 if(len == 0 || sockaddr_cmp_addr(addr, len,
572 &list->addr, list->len) == 0)
573 return 1;
574 }
575 list = list->next;
576 }
577 return 0;
578}
579
580void sock_list_merge(struct sock_list** list, struct regional* region,
581 struct sock_list* add)
582{
583 struct sock_list* p;
584 for(p=add; p; p=p->next) {
585 if(!sock_list_find(*list, &p->addr, p->len))
586 sock_list_insert(list, &p->addr, p->len, region);
587 }
588}
589
590void
591log_crypto_err(const char* str)
592{
593#ifdef HAVE_SSL
594 /* error:[error code]:[library name]:[function name]:[reason string] */
595 char buf[128];
596 unsigned long e;
597 ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
598 log_err("%s crypto %s", str, buf);
599 while( (e=ERR_get_error()) ) {
600 ERR_error_string_n(e, buf, sizeof(buf));
601 log_err("and additionally crypto %s", buf);
602 }
603#else
604 (void)str;
605#endif /* HAVE_SSL */
606}
607
608void* listen_sslctx_create(char* key, char* pem, char* verifypem)
609{
610#ifdef HAVE_SSL
611 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
612 if(!ctx) {
613 log_crypto_err("could not SSL_CTX_new");
614 return NULL;
615 }
616 /* no SSLv2, SSLv3 because has defects */
617 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
618 log_crypto_err("could not set SSL_OP_NO_SSLv2");
619 SSL_CTX_free(ctx);
620 return NULL;
621 }
622 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
623 log_crypto_err("could not set SSL_OP_NO_SSLv3");
624 SSL_CTX_free(ctx);
625 return NULL;
626 }
627 if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
628 log_err("error for cert file: %s", pem);
629 log_crypto_err("error in SSL_CTX use_certificate_file");
630 SSL_CTX_free(ctx);
631 return NULL;
632 }
633 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
634 log_err("error for private key file: %s", key);
635 log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
636 SSL_CTX_free(ctx);
637 return NULL;
638 }
639 if(!SSL_CTX_check_private_key(ctx)) {
640 log_err("error for key file: %s", key);
641 log_crypto_err("Error in SSL_CTX check_private_key");
642 SSL_CTX_free(ctx);
643 return NULL;
644 }
645
646 if(verifypem && verifypem[0]) {
647 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
648 log_crypto_err("Error in SSL_CTX verify locations");
649 SSL_CTX_free(ctx);
650 return NULL;
651 }
652 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
653 verifypem));
654 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
655 }
656 return ctx;
657#else
658 (void)key; (void)pem; (void)verifypem;
659 return NULL;
660#endif
661}
662
663void* connect_sslctx_create(char* key, char* pem, char* verifypem)
664{
665#ifdef HAVE_SSL
666 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
667 if(!ctx) {
668 log_crypto_err("could not allocate SSL_CTX pointer");
669 return NULL;
670 }
671 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
672 log_crypto_err("could not set SSL_OP_NO_SSLv2");
673 SSL_CTX_free(ctx);
674 return NULL;
675 }
676 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) {
677 log_crypto_err("could not set SSL_OP_NO_SSLv3");
678 SSL_CTX_free(ctx);
679 return NULL;
680 }
681 if(key && key[0]) {
682 if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
683 log_err("error in client certificate %s", pem);
684 log_crypto_err("error in certificate file");
685 SSL_CTX_free(ctx);
686 return NULL;
687 }
688 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
689 log_err("error in client private key %s", key);
690 log_crypto_err("error in key file");
691 SSL_CTX_free(ctx);
692 return NULL;
693 }
694 if(!SSL_CTX_check_private_key(ctx)) {
695 log_err("error in client key %s", key);
696 log_crypto_err("error in SSL_CTX_check_private_key");
697 SSL_CTX_free(ctx);
698 return NULL;
699 }
700 }
701 if(verifypem && verifypem[0]) {
702 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
703 log_crypto_err("error in SSL_CTX verify");
704 SSL_CTX_free(ctx);
705 return NULL;
706 }
707 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
708 }
709 return ctx;
710#else
711 (void)key; (void)pem; (void)verifypem;
712 return NULL;
713#endif
714}
715
716void* incoming_ssl_fd(void* sslctx, int fd)
717{
718#ifdef HAVE_SSL
719 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
720 if(!ssl) {
721 log_crypto_err("could not SSL_new");
722 return NULL;
723 }
724 SSL_set_accept_state(ssl);
725 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
726 if(!SSL_set_fd(ssl, fd)) {
727 log_crypto_err("could not SSL_set_fd");
728 SSL_free(ssl);
729 return NULL;
730 }
731 return ssl;
732#else
733 (void)sslctx; (void)fd;
734 return NULL;
735#endif
736}
737
738void* outgoing_ssl_fd(void* sslctx, int fd)
739{
740#ifdef HAVE_SSL
741 SSL* ssl = SSL_new((SSL_CTX*)sslctx);
742 if(!ssl) {
743 log_crypto_err("could not SSL_new");
744 return NULL;
745 }
746 SSL_set_connect_state(ssl);
747 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
748 if(!SSL_set_fd(ssl, fd)) {
749 log_crypto_err("could not SSL_set_fd");
750 SSL_free(ssl);
751 return NULL;
752 }
753 return ssl;
754#else
755 (void)sslctx; (void)fd;
756 return NULL;
757#endif
758}
759
760#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
761/** global lock list for openssl locks */
762static lock_basic_t *ub_openssl_locks = NULL;
763
764/** callback that gets thread id for openssl */
765static unsigned long
766ub_crypto_id_cb(void)
767{
768 return (unsigned long)ub_thread_self();
769}
770
771static void
772ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
773 int ATTR_UNUSED(line))
774{
775 if((mode&CRYPTO_LOCK)) {
776 lock_basic_lock(&ub_openssl_locks[type]);
777 } else {
778 lock_basic_unlock(&ub_openssl_locks[type]);
779 }
780}
781#endif /* OPENSSL_THREADS */
782
783int ub_openssl_lock_init(void)
784{
785#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
786 int i;
787 ub_openssl_locks = (lock_basic_t*)malloc(
788 sizeof(lock_basic_t)*CRYPTO_num_locks());
789 if(!ub_openssl_locks)
790 return 0;
791 for(i=0; i<CRYPTO_num_locks(); i++) {
792 lock_basic_init(&ub_openssl_locks[i]);
793 }
794 CRYPTO_set_id_callback(&ub_crypto_id_cb);
795 CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
796#endif /* OPENSSL_THREADS */
797 return 1;
798}
799
800void ub_openssl_lock_delete(void)
801{
802#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
803 int i;
804 if(!ub_openssl_locks)
805 return;
806 CRYPTO_set_id_callback(NULL);
807 CRYPTO_set_locking_callback(NULL);
808 for(i=0; i<CRYPTO_num_locks(); i++) {
809 lock_basic_destroy(&ub_openssl_locks[i]);
810 }
811 free(ub_openssl_locks);
812#endif /* OPENSSL_THREADS */
813}
814
|