1#ifndef UNBOUND_DNSCRYPT_H
2#define UNBOUND_DNSCRYPT_H
3
4/**
5 * \file
6 * dnscrypt functions for encrypting DNS packets.
7 */
8
9#include "dnscrypt/dnscrypt_config.h"
10#ifdef USE_DNSCRYPT
11
/** size in bytes of the magic field that opens the query and response headers */
#define DNSCRYPT_MAGIC_HEADER_LEN 8U
/** response magic; exactly DNSCRYPT_MAGIC_HEADER_LEN characters long (the
 * string's NUL terminator is not part of the wire header, so copy with the
 * length above, not strlen()+1). */
#define DNSCRYPT_MAGIC_RESPONSE  "r6fnvWj8"

/* padding parameters. Each is wrapped in #ifndef so a build can override it;
 * check the build flags before relying on the defaults below. How the
 * implementation applies them is not visible from this header. */
#ifndef DNSCRYPT_MAX_PADDING
# define DNSCRYPT_MAX_PADDING 256U
#endif
#ifndef DNSCRYPT_BLOCK_SIZE
# define DNSCRYPT_BLOCK_SIZE 64U
#endif
#ifndef DNSCRYPT_MIN_PAD_LEN
# define DNSCRYPT_MIN_PAD_LEN 8U
#endif

/** half of libsodium's crypto_box_NONCEBYTES (integer division, so the result
 * is truncated if that value is ever odd). This is the size of the nonce
 * field in struct dnscrypt_query_header. crypto_box_NONCEBYTES is not defined
 * in this file (presumably it arrives via dnscrypt/cert.h, included below);
 * macro expansion is deferred, so defining this first is safe. */
#define crypto_box_HALF_NONCEBYTES (crypto_box_NONCEBYTES / 2U)
26
27#include "config.h"
28#include "dnscrypt/cert.h"
29#include "util/locks.h"
30
/** size of the header carried by an encrypted query:
 * magic + public key + half nonce + MAC. All members of
 * struct dnscrypt_query_header are uint8_t arrays, so this equals
 * sizeof(struct dnscrypt_query_header). */
#define DNSCRYPT_QUERY_HEADER_SIZE \
    (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + crypto_box_HALF_NONCEBYTES + crypto_box_MACBYTES)
/** size of the header carried by an encrypted response:
 * magic + full nonce + MAC. */
#define DNSCRYPT_RESPONSE_HEADER_SIZE \
    (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_NONCEBYTES + crypto_box_MACBYTES)

/** the response header size written as two half nonces. Numerically identical
 * to DNSCRYPT_RESPONSE_HEADER_SIZE whenever crypto_box_NONCEBYTES is even
 * (crypto_box_HALF_NONCEBYTES truncates), so the two must be kept in sync;
 * any bounds check that uses one should not assume it is smaller than the
 * other. */
#define DNSCRYPT_REPLY_HEADER_SIZE \
    (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES * 2 + crypto_box_MACBYTES)
38
/* forward declarations; this header only ever uses pointers to these types,
 * so their definitions are not needed here. */
struct sldns_buffer;
struct config_file;
struct comm_reply;
struct slabhash;
43
/**
 * A crypto_box key pair, sized by libsodium's constants.
 * crypt_secretkey is secret material: whoever frees a KeyPair should wipe it
 * (sodium_memzero or equivalent) before releasing the memory. Whether
 * dnsc_delete does so is not visible from this header; confirm there.
 */
typedef struct KeyPair_ {
    /** public half, sent on the wire */
    uint8_t crypt_publickey[crypto_box_PUBLICKEYBYTES];
    /** secret half; never log or copy into unmanaged buffers */
    uint8_t crypt_secretkey[crypto_box_SECRETKEYBYTES];
} KeyPair;
48
/**
 * Certificate record kept by the request handler.
 * magic_query has the same size as the magic field of
 * struct dnscrypt_query_header, which suggests it is matched against that
 * field to select this certificate (TODO confirm in the implementation).
 */
typedef struct cert_ {
    /** query magic associated with this certificate */
    uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
    /** two-byte ES version identifier; encoding not visible from this header */
    uint8_t es_version[2];
    /** key pair for this certificate. NOTE(review): struct dnsc_env also owns a
     * keypairs array, so this is presumably a pointer into that array rather
     * than an owned allocation; confirm before freeing through it. */
    KeyPair *keypair;
} dnsccert;
54
/**
 * DNSCrypt server state, allocated by dnsc_create() and populated by
 * dnsc_apply_cfg().
 * This struct holds long-term secrets (provider_secretkey and the secret
 * halves inside keypairs); dnsc_delete() should wipe them before freeing
 * (confirm in the implementation, it is not visible from this header).
 */
struct dnsc_env {
	/** certificates loaded from configuration; signed_certs_count entries */
	struct SignedCert *signed_certs;
	/** pointers to certificates being rotated out; rotated_certs_count entries */
	struct SignedCert **rotated_certs;
	/** per-certificate lookup records (see dnsccert). NOTE(review): the
	 * number of entries is presumably signed_certs_count — confirm. */
	dnsccert *certs;
	size_t signed_certs_count;
	size_t rotated_certs_count;
	/** provider ed25519 key pair; from the SignedCert name this is presumably
	 * the key that signs certificates — confirm in the .c file */
	uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
	/** secret material; must not end up in logs or diagnostic dumps */
	uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];
	/** crypto_box key pairs; keypairs_count entries */
	KeyPair *keypairs;
	size_t keypairs_count;
	/** NOTE(review): the name suggests the timestamp of the last nonce seen
	 * or issued, likely used together with nonces_cache for replay
	 * detection — confirm in the .c file */
	uint64_t nonce_ts_last;
	/** crypto_shorthash key; presumably keys the cache hash functions so
	 * that cache bucket choice is not predictable by clients — confirm */
	unsigned char hash_key[crypto_shorthash_KEYBYTES];
	/** provider name from configuration; ownership not visible here */
	char * provider_name;

	/** Caches */
	struct slabhash *shared_secrets_cache;
	/** lock on shared secret cache counters */
	lock_basic_type shared_secrets_cache_lock;
	/** number of misses from shared_secrets_cache */
	size_t num_query_dnscrypt_secret_missed_cache;

	/** slabhash keeping track of nonce/client pk/server sk pairs. */
	struct slabhash *nonces_cache;
	/** lock on nonces_cache, used to avoid race condition in updating the hash */
	lock_basic_type nonces_cache_lock;
	/** number of replayed queries */
	size_t num_query_dnscrypt_replay;
};
83
/**
 * Header at the start of an encrypted query, in wire order.
 * Every member is a uint8_t array, so the struct has no padding and
 * sizeof(struct dnscrypt_query_header) == DNSCRYPT_QUERY_HEADER_SIZE;
 * a packet shorter than that cannot hold a complete header.
 */
struct dnscrypt_query_header {
    /** query magic, compared against the configured certificates */
    uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
    /** sender's crypto_box public key */
    uint8_t publickey[crypto_box_PUBLICKEYBYTES];
    /** the half nonce supplied by the sender */
    uint8_t nonce[crypto_box_HALF_NONCEBYTES];
    /** crypto_box MAC over the encrypted payload */
    uint8_t mac[crypto_box_MACBYTES];
};
90
/**
 * Initialize DNSCrypt environment.
 * Initialize sodium library and allocate the dnsc_env structure.
 * \return an uninitialized struct dnsc_env; configure it with dnsc_apply_cfg.
 * NOTE(review): whether NULL can be returned (allocation or sodium_init
 * failure) is not visible from this header; callers should check for it.
 */
struct dnsc_env * dnsc_create(void);
97
/**
 * Apply configuration.
 * Read certificates and secret keys from configuration. Initialize hashkey and
 * provider name as well as loading cert TXT records.
 * In case of issue applying configuration, this function fatals, so it is
 * meant for startup, not for a running server.
 * \param[in] env the struct dnsc_env to populate.
 * \param[in] cfg the config_file struct with dnscrypt options.
 * \return 0 on success.
 */
int dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg);
108
/**
 * Delete DNSCrypt environment.
 * Releases the environment created by dnsc_create and its contents.
 * \param[in] env the environment to free. NOTE(review): whether NULL is
 * accepted, and whether the secret keys held in env are wiped before the
 * memory is freed, is not visible from this header — confirm in the .c file.
 */
void dnsc_delete(struct dnsc_env *env);
114
/**
 * handle a crypted dnscrypt request.
 * Determine whether or not a query is coming over the dnscrypt listener and
 * attempt to uncurve it or detect if it is a certificate query.
 * \param[in] dnscenv the dnscrypt environment holding keys and caches.
 * \param[in] repinfo the reply info for the incoming query; presumably its
 * buffer is decrypted in place — confirm in the implementation.
 * \return 0 in case of failure.
 */
int dnsc_handle_curved_request(struct dnsc_env* dnscenv,
                               struct comm_reply* repinfo);
/**
 * handle an unencrypted dnscrypt request.
 * Determine whether or not a query is going over the dnscrypt channel and
 * attempt to curve it unless it was not crypted like when it is a
 * certificate query.
 * \param[in] repinfo the reply info for the outgoing answer. No dnsc_env is
 * passed, so the environment is presumably reached through repinfo.
 * \return 0 in case of failure.
 */
int dnsc_handle_uncurved_request(struct comm_reply *repinfo);
132
/**
 * Computes the size of the shared secret cache entry.
 * slabhash size callback.
 * \param[in] k the cache key.
 * \param[in] d the cache data.
 * \return the memory accounted to the entry.
 */
size_t dnsc_shared_secrets_sizefunc(void *k, void *d);
137
/**
 * Compares two shared secret cache keys.
 * slabhash compare callback.
 * \param[in] m1 first key.
 * \param[in] m2 second key.
 * \return presumably 0 when the keys are equal, as for memcmp — confirm.
 */
int dnsc_shared_secrets_compfunc(void *m1, void *m2);
142
/**
 * Function to delete a shared secret cache key.
 * slabhash key-delete callback.
 * \param[in] k the key to free.
 * \param[in] arg callback argument.
 */
void dnsc_shared_secrets_delkeyfunc(void *k, void* arg);
147
/**
 * Function to delete a shared secret cache value.
 * slabhash data-delete callback. The value is a shared secret, so the
 * implementation should wipe it before freeing (confirm in the .c file).
 * \param[in] d the data to free.
 * \param[in] arg callback argument.
 */
void dnsc_shared_secrets_deldatafunc(void* d, void* arg);
152
/**
 * Computes the size of the nonce cache entry.
 * slabhash size callback.
 * \param[in] k the cache key.
 * \param[in] d the cache data.
 * \return the memory accounted to the entry.
 */
size_t dnsc_nonces_sizefunc(void *k, void *d);
157
/**
 * Compares two nonce cache keys.
 * slabhash compare callback.
 * \param[in] m1 first key.
 * \param[in] m2 second key.
 * \return presumably 0 when the keys are equal, as for memcmp — confirm.
 */
int dnsc_nonces_compfunc(void *m1, void *m2);
162
/**
 * Function to delete a nonce cache key.
 * slabhash key-delete callback.
 * \param[in] k the key to free.
 * \param[in] arg callback argument.
 */
void dnsc_nonces_delkeyfunc(void *k, void* arg);
167
/**
 * Function to delete a nonce cache value.
 * slabhash data-delete callback.
 * \param[in] d the data to free.
 * \param[in] arg callback argument.
 */
void dnsc_nonces_deldatafunc(void* d, void* arg);
172
173
174#endif /* USE_DNSCRYPT */
175#endif