net_help.h revision 1.1.1.8
/*
 * util/net_help.h - network help functions
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file contains functions to perform network related tasks.
 */

/* Include guard; the matching #endif is the last line of this header. */
#ifndef NET_HELP_H
#define NET_HELP_H
/*
 * NOTE(review): this header uses uint8_t/uint16_t, size_t, socklen_t and
 * struct sockaddr_storage but includes no system header for them here;
 * presumably the including file provides them first - confirm.
 */
#include "util/log.h"
#include "util/random.h"
/* Forward declarations: only pointers to these types appear in this header. */
struct sock_list;
struct regional;
struct config_strlist;

/** DNS constants for uint16_t style flag manipulation. host byteorder.
 *                                1  1  1  1  1  1
 *  0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
 * |QR|   Opcode  |AA|TC|RD|RA| Z|AD|CD|   RCODE   |
 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
 *
 * The diagram counts bits from the most significant one, so QR (bit 0 in
 * the diagram) is 0x8000 and RCODE occupies the low four bits.
 * The masks are for a flags word in host byte order; a value read from
 * the wire has to be converted before these masks are applied.
 */
/** CD (checking disabled) flag */
#define BIT_CD 0x0010
/** AD (authentic data) flag */
#define BIT_AD 0x0020
/** Z flag */
#define BIT_Z  0x0040
/** RA (recursion available) flag */
#define BIT_RA 0x0080
/** RD (recursion desired) flag */
#define BIT_RD 0x0100
/** TC (truncated) flag */
#define BIT_TC 0x0200
/** AA (authoritative answer) flag */
#define BIT_AA 0x0400
/** QR (query/response) flag */
#define BIT_QR 0x8000
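/** get RCODE bits from uint16 flags (the low four bits) */
#define FLAGS_GET_RCODE(f) ((f) & 0xf)
/**
 * set RCODE bits in uint16 flags.
 * f must be a modifiable lvalue; it is evaluated twice, so it must not have
 * side effects. r is masked to the four RCODE bits, so a value above 15
 * cannot alter the neighbouring CD, AD, Z, RA, RD, TC, AA, Opcode or QR
 * bits of the flags word.
 */
#define FLAGS_SET_RCODE(f, r) ((f) = (((f) & 0xfff0) | ((r) & 0xf)))
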
/** timeout in milliseconds for UDP queries to auth servers. */
#define UDP_AUTH_QUERY_TIMEOUT 3000
/** Advertised version of EDNS capabilities */
#define EDNS_ADVERTISED_VERSION         0
/** Advertised size of EDNS capabilities. Only declared here; the variable
 * is defined and assigned outside this header. */
extern uint16_t EDNS_ADVERTISED_SIZE;
/** bits for EDNS bitfield */
#define EDNS_DO 0x8000 /* Dnssec Ok */
/** byte size of ip4 address */
#define INET_SIZE 4
/** byte size of ip6 address */
#define INET6_SIZE 16

/** DNSKEY zone sign key flag (0x0100 is bit 7 of the 16-bit DNSKEY flags
 * field, counted from the most significant bit) */
#define DNSKEY_BIT_ZSK 0x0100
/** DNSKEY secure entry point, KSK flag (0x0001 is the least significant
 * bit of the 16-bit DNSKEY flags field) */
#define DNSKEY_BIT_SEP 0x0001

/**
 * return a random 16-bit number given a random source.
 * The value returned by ub_random(rnd) is shifted right by 8 and masked to
 * 16 bits, so the low 8 bits of the generator output are not used.
 * NOTE(review): the result is only as unpredictable as ub_random()
 * (presumably declared in util/random.h, not shown here). If the value
 * serves as an identifier that a remote party must not be able to guess,
 * confirm that ub_random() is a cryptographically strong source.
 */
#define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff)

/** define MSG_DONTWAIT for unsupported platforms.
 * With the fallback value 0 the flag changes nothing when OR'ed into a
 * flags argument, so on such platforms a call does not become non-blocking
 * because of it; the socket has to be made non-blocking by other means
 * (fd_set_nonblock() is declared below). */
#ifndef MSG_DONTWAIT
#define MSG_DONTWAIT 0
#endif

/*
 * The three variables below are only declared here; they are defined and
 * assigned outside this header.
 */

/** minimal responses when positive answer */
extern int MINIMAL_RESPONSES;

/** rrset order roundrobin */
extern int RRSET_ROUNDROBIN;

/** log tag queries with name instead of 'info' for filtering */
extern int LOG_TAG_QUERYREPLY;

/**
 * See if string is ip4 or ip6.
 * The string is only classified; nothing in this declaration says that it
 * is validated as a well-formed address.
 * @param str: IP specification.
 * @return: true if string addr is an ip6 specced address.
 */
int str_is_ip6(const char* str);

/**
 * Set fd nonblocking.
 * @param s: file descriptor.
 * @return: 0 on error (error is printed to log). The value has to be
 * 	checked: on error the descriptor is presumably still in its previous
 * 	mode (TODO confirm in the implementation).
 */
int fd_set_nonblock(int s);

/**
 * Set fd (back to) blocking. Counterpart of fd_set_nonblock().
 * @param s: file descriptor.
 * @return: 0 on error (error is printed to log).
 */
int fd_set_block(int s);

/**
 * See if number is a power of 2.
 * @param num: the value.
 * @return: true if the number is a power of 2.
 * 	NOTE(review): the result for num == 0 is not stated here - confirm
 * 	before relying on it.
 */
int is_pow2(size_t num);

/**
 * Allocate memory and copy over contents.
 * @param data: what to copy over. At least len bytes are read from it.
 * 	The parameter is not const-qualified although it is described as the
 * 	source of the copy.
 * @param len: length of data.
 * @return: NULL on malloc failure, or newly malloced data. The caller owns
 * 	the returned block (presumably to be released with free() - confirm).
 */
void* memdup(void* data, size_t len);

/**
 * Prints the sockaddr in readable format with log_info. Debug helper.
 * @param v: at what verbosity level to print this.
 * @param str: descriptive string printed with it.
 * 	NOTE(review): whether str is printed as data or used as a format
 * 	string is not visible in this header; pass a fixed description.
 * @param addr: the sockaddr to print. Can be ip4 or ip6.
 * @param addrlen: length of addr.
 */
void log_addr(enum verbosity_value v, const char* str,
	struct sockaddr_storage* addr, socklen_t addrlen);

/**
 * Prints zone name and sockaddr in readable format with log_info. Debug.
 * @param v: at what verbosity level to print this.
 * @param str: descriptive string printed with it.
 * @param zone: DNS domain name, uncompressed wireformat. No length is
 * 	passed, so the name has to be complete and properly terminated.
 * @param addr: the sockaddr to print. Can be ip4 or ip6.
 * @param addrlen: length of addr.
 */
void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
	struct sockaddr_storage* addr, socklen_t addrlen);

/**
 * Log errno and addr.
 * @param str: descriptive string printed with it.
 * @param err: errno string to print, i.e. strerror(errno). The caller
 * 	converts the error number to text before the call.
 * @param addr: the sockaddr to print. Can be ip4 or ip6.
 * @param addrlen: length of addr.
 */
void log_err_addr(const char* str, const char* err,
	struct sockaddr_storage* addr, socklen_t addrlen);

/**
 * Convert address string, with "@port" appendix, to sockaddr.
 * Uses DNS port by default.
 * @param str: the string
 * @param addr: where to store sockaddr.
 * @param addrlen: length of stored sockaddr is returned.
 * @param port: default port, used when str carries no "@port" appendix.
 * @return 0 on error. On error the contents of addr and addrlen should
 * 	not be used.
 */
int extstrtoaddr(const char* str, struct sockaddr_storage* addr,
	socklen_t* addrlen, int port);

/**
 * Convert ip address string and port to sockaddr.
 * @param ip: ip4 or ip6 address string.
 * @param port: port number, host format.
 * @param addr: where to store sockaddr.
 * @param addrlen: length of stored sockaddr is returned.
 * @return 0 on error. On error the contents of addr and addrlen should
 * 	not be used.
 */
int ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
	socklen_t* addrlen);

/**
 * Convert ip netblock (ip/netsize) string and port to sockaddr.
 * performs a copy internally to avoid writing over 'ip' string.
 * @param ip: ip4 or ip6 address string.
 * @param port: port number, host format.
 * @param addr: where to store sockaddr.
 * @param addrlen: length of stored sockaddr is returned.
 * @param net: netblock size is returned.
 * @return 0 on error. On error the contents of addr, addrlen and net
 * 	should not be used.
 */
int netblockstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
	socklen_t* addrlen, int* net);

/**
 * Convert address string, with "@port" appendix, to sockaddr.
 * It can also have an "#tls-auth-name" appendix (after the port).
 * The returned auth_name string is a pointer into the input string, so it
 * is valid only as long as str is; copy it if it has to outlive str.
 * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured.
 * @param str: the string. Not const-qualified.
 * 	NOTE(review): the function may modify str while parsing - confirm
 * 	before passing a string that is shared or read-only.
 * @param addr: where to store sockaddr.
 * @param addrlen: length of stored sockaddr is returned.
 * @param auth_name: returned pointer to tls_auth_name, or NULL if none.
 * 	A NULL result means no name is available for checking the peer.
 * @return 0 on error.
 */
int authextstrtoaddr(char* str, struct sockaddr_storage* addr,
	socklen_t* addrlen, char** auth_name);

/**
 * Convert domain string, with "@port" appendix, to dname.
 * It can also have an "#tls-auth-name" appendix (after the port).
 * The return port is the parsed port.
 * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured.
 * The returned auth_name string is a pointer into the input string, so it
 * is valid only as long as str is.
 * @param str: the string. Not const-qualified.
 * 	NOTE(review): the function may modify str while parsing - confirm.
 * @param port: pointer to be assigned the parsed port value.
 * @param auth_name: returned pointer to tls_auth_name, or NULL if none.
 * @return pointer to the dname.
 * 	NOTE(review): the failure value and who owns the returned dname are
 * 	not stated here - confirm in the implementation.
 */
uint8_t* authextstrtodname(char* str, int* port, char** auth_name);

/**
 * Store port number into sockaddr structure
 * @param addr: sockaddr structure, ip4 or ip6.
 * @param addrlen: length of addr.
 * @param port: port number to put into the addr.
 * 	NOTE(review): presumably in host format, like the port arguments of
 * 	the conversion functions above - confirm.
 */
void sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen,
	int port);

/**
 * Print string with neat domain name, type and class.
 * @param v: at what verbosity level to print this.
 * @param str: string of message.
 * @param name: domain name uncompressed wireformat. No length is passed,
 * 	so the name has to be complete and properly terminated.
 * @param type: host format RR type.
 * @param dclass: host format RR class.
 */
void log_nametypeclass(enum verbosity_value v, const char* str,
	uint8_t* name, uint16_t type, uint16_t dclass);

/**
 * Like log_nametypeclass, but logs with log_query for query logging
 * @param str: string of message.
 * @param name: domain name; presumably uncompressed wireformat as for
 * 	log_nametypeclass (confirm).
 * @param type: RR type; presumably host format (confirm).
 * @param dclass: RR class; presumably host format (confirm).
 */
void log_query_in(const char* str, uint8_t* name, uint16_t type,
	uint16_t dclass);

/**
 * Compare two sockaddrs. Imposes an ordering on the addresses.
 * Compares address and port.
 * @param addr1: address 1.
 * @param len1: length of addr1.
 * @param addr2: address 2.
 * @param len2: length of addr2.
 * @return: 0 if addr1 == addr2. -1 if addr1 is smaller, +1 if larger.
 */
int sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1,
	struct sockaddr_storage* addr2, socklen_t len2);

/**
 * Compare two sockaddrs. Compares address, not the port.
 * Two sockaddrs that differ only in port compare as equal here; use
 * sockaddr_cmp() when the port has to match as well.
 * @param addr1: address 1.
 * @param len1: length of addr1.
 * @param addr2: address 2.
 * @param len2: length of addr2.
 * @return: 0 if addr1 == addr2. -1 if addr1 is smaller, +1 if larger.
 */
int sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1,
	struct sockaddr_storage* addr2, socklen_t len2);

/**
 * Check the address family.
 * @param addr: the sockaddr to examine.
 * @param len: the length of addr.
 * @return: true if sockaddr is ip6.
 */
int addr_is_ip6(struct sockaddr_storage* addr, socklen_t len);

/**
 * Make sure the sockaddr ends in zeroes. For tree insertion and subsequent
 * comparison. The address is modified in place.
 * @param addr: the ip4 or ip6 addr.
 * @param len: length of addr.
 * @param net: number of bits to leave untouched, the rest of the netblock
 * 	address is zeroed.
 * 	NOTE(review): handling of a net larger than the address width is not
 * 	stated here - confirm that callers validate it.
 */
void addr_mask(struct sockaddr_storage* addr, socklen_t len, int net);

/**
 * See how many bits are shared, equal, between two addrs.
 * @param addr1: first addr.
 * @param net1: netblock size of first addr.
 * @param addr2: second addr.
 * @param net2: netblock size of second addr.
 * @param addrlen: length of first addr and of second addr.
 * 	They must be of the same length (i.e. same type IP4, IP6). Only one
 * 	length is passed, so the caller has to ensure this.
 * @return: number of bits the same.
 */
int addr_in_common(struct sockaddr_storage* addr1, int net1,
	struct sockaddr_storage* addr2, int net2, socklen_t addrlen);

/**
 * Put address into string, works for IPv4 and IPv6.
 * @param addr: address
 * @param addrlen: length of address
 * @param buf: result string stored here
 * @param len: length of buf.
 * On failure a string with "error" is stored inside.
 * The function returns nothing, so a failure is visible only through the
 * contents of buf.
 * NOTE(review): behaviour for a buf too small for the text form is not
 * stated here; size buf for the longest IPv6 text form - confirm.
 */
void addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
	char* buf, size_t len);

/**
 * Check if the prefix network length is one of the allowed 32, 40, 48, 56, 64,
 * or 96.
 * @param prefixnet: prefix network length to check.
 * @return 1 on success (the length is one of the allowed values), 0 on
 * 	failure.
 */
int prefixnet_is_nat64(int prefixnet);

/**
 * Create a NAT64 address from a given address (needs to be IPv4) and a given
 * NAT64 prefix. The NAT64 prefix net needs to be one of 32, 40, 48, 56, 64, 96.
 * The function returns nothing, so it cannot report a violated
 * precondition; check the prefix net beforehand (prefixnet_is_nat64() is
 * declared above) and make sure addr is IPv4.
 * @param addr: IPv4 address.
 * @param nat64_prefix: NAT64 prefix.
 * @param nat64_prefixlen: NAT64 prefix len.
 * @param nat64_prefixnet: NAT64 prefix mask.
 * @param nat64_addr: the resulting NAT64 address.
 * @param nat64_addrlen: the resulting NAT64 address length.
 */
void addr_to_nat64(const struct sockaddr_storage* addr,
	const struct sockaddr_storage* nat64_prefix,
	socklen_t nat64_prefixlen, int nat64_prefixnet,
	struct sockaddr_storage* nat64_addr, socklen_t* nat64_addrlen);

/**
 * See if sockaddr is an ipv6 mapped ipv4 address, "::ffff:0.0.0.0"
 * (an IPv6 address that carries an IPv4 address behind the ::ffff: prefix).
 * @param addr: address
 * @param addrlen: length of address
 * @return true if so
 */
int addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen);

/**
 * See if sockaddr is 255.255.255.255.
 * Only this one address is named here; other broadcast addresses are not
 * mentioned.
 * @param addr: address
 * @param addrlen: length of address
 * @return true if so
 */
int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen);

/**
 * See if sockaddr is 0.0.0.0 or ::0 (the unspecified address).
 * @param addr: address
 * @param addrlen: length of address
 * @return true if so
 */
int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen);

/**
 * Insert new socket list item. If fails logs error.
 * The function returns nothing, so a failed insert is visible only in the
 * log; the caller cannot detect it from the call.
 * @param list: pointer to pointer to first item.
 * @param addr: address or NULL if 'cache'.
 * @param len: length of addr, or 0 if 'cache'.
 * @param region: where to allocate
 */
void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
	socklen_t len, struct regional* region);

/**
 * Join one list onto another.  Must both be from same qstate(regional).
 * No region argument is passed, so nothing is allocated for the joined
 * items through this interface; this is presumably why both lists must
 * come from the same region (confirm).
 * @param list: pointer to result list that is modified.
 * @param add: item(s) to add.  They are prepended to list.
 */
void sock_list_prepend(struct sock_list** list, struct sock_list* add);

/**
 * Find addr in list.
 * @param list: to search in
 * @param addr: address to look for.
 * @param len: length. Can be 0, look for 'cache entry'.
 * @return true if found.
 */
int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
        socklen_t len);

/**
 * Merge socklist into another socket list.  Allocates the new entries
 * freshly and copies them over, so also performs a region switchover.
 * Allocation failures are logged.
 * The function returns nothing, so after an allocation failure the
 * destination list may lack entries without the caller being told.
 * @param list: the destination list (checked for duplicates)
 * @param region: where to allocate
 * @param add: the list of entries to add.
 */
void sock_list_merge(struct sock_list** list, struct regional* region,
	struct sock_list* add);

/**
 * Log libcrypto error with descriptive string. Calls log_err().
 * @param str: what failed.
 * 	NOTE(review): presumably reads the error from libcrypto's error
 * 	queue itself, since no code is passed - confirm.
 */
void log_crypto_err(const char* str);

/**
 * Log libcrypto error from errcode with descriptive string, calls log_err.
 * Use this variant when the error code has already been fetched with
 * ERR_get_error by the caller.
 * @param str: what failed.
 * @param err: error code from ERR_get_error.
 */
void log_crypto_err_code(const char* str, unsigned long err);

/**
 * Log an error from libcrypto that came from SSL_write and so on, with
 * a value from SSL_get_error, calls log_err. If that fails it logs with
 * log_crypto_err.
 * @param str: what failed
 * @param r: output of SSL_get_error on the I/O operation result (not the
 * 	return value of the I/O call itself).
 */
void log_crypto_err_io(const char* str, int r);

/**
 * Log an error from libcrypto that came from an I/O routine with the
 * errcode from ERR_get_error. Calls log_err() and log_crypto_err_code.
 * @param str: what failed
 * @param r: output of SSL_get_error on the I/O operation result.
 * @param err: error code from ERR_get_error
 */
void log_crypto_err_io_code(const char* str, int r, unsigned long err);

/**
 * Log certificate details of an X509 cert at the given verbosity, prefixed
 * with a string.
 * @param level: verbosity level
 * @param str: string to prefix on output
 * @param cert: X509* structure. Passed as void*, so the compiler cannot
 * 	check that the pointer really is an X509*.
 */
void log_cert(unsigned level, const char* str, void* cert);

/**
 * Set SSL_OP_NOxxx options on SSL context to disable bad crypto
 * @param ctxt: SSL_CTX*. Passed as void*, so the type is not checked.
 * @return false on failure. The result has to be checked: on failure the
 * 	options that disable weak crypto may not all be in effect
 * 	(presumably - confirm in the implementation), and the context should
 * 	not be used for listening.
 */
int listen_sslctx_setup(void* ctxt);

/**
 * Further setup of listening SSL context, after keys loaded.
 * Returns nothing, so a failure in this step is not reported to the caller.
 * @param ctxt: SSL_CTX*
 */
void listen_sslctx_setup_2(void* ctxt);

/**
 * create SSL listen context
 * @param key: private key file.
 * @param pem: public key cert.
 * @param verifypem: if nonNULL, verifylocation file.
 * 	NOTE(review): with verifypem NULL no verify location is given;
 * 	whether client certificates are then requested or checked at all is
 * 	not visible here - confirm.
 * @return SSL_CTX* or NULL on failure (logged).
 */
void* listen_sslctx_create(char* key, char* pem, char* verifypem);

/**
 * create SSL connect context
 * @param key: if nonNULL (also pem nonNULL), the client private key.
 * @param pem: client public key (or NULL if key is NULL).
 * @param verifypem: if nonNULL used for verifylocation file.
 * @param wincert: add system certificate store to ctx (add to verifypem ca
 * 	certs).
 * 	NOTE(review): with verifypem NULL and wincert 0 no CA source is
 * 	named by the caller; what a connection made from such a context
 * 	verifies is not visible here - confirm before relying on it to
 * 	authenticate the server.
 * @return SSL_CTX* or NULL on failure (logged).
 */
void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert);

/**
 * accept a new fd and wrap it in a BIO in SSL
 * @param sslctx: the SSL_CTX to use (from listen_sslctx_create()).
 * @param fd: from accept, nonblocking.
 * @return SSL or NULL on alloc failure.
 * 	NOTE(review): whether fd is closed on failure or stays owned by the
 * 	caller is not stated here - confirm to avoid a leak or double close.
 */
void* incoming_ssl_fd(void* sslctx, int fd);

/**
 * connect a new fd and wrap it in a BIO in SSL
 * No peer name is passed to this function; a name for verifying the
 * server is set separately (set_auth_name_on_ssl() is declared below).
 * @param sslctx: the SSL_CTX to use (from connect_sslctx_create())
 * @param fd: from connect.
 * @return SSL or NULL on alloc failure
 */
void* outgoing_ssl_fd(void* sslctx, int fd);

/**
 * check if authname SSL functionality is available, false if not
 * A false result means the peer name cannot be checked with the SSL
 * library in use, so a configured auth name cannot be enforced.
 * @param auth_name: the name for the remote server, used for error print.
 * @return false if SSL functionality to check the SSL name is not available.
 */
int check_auth_name_for_ssl(char* auth_name);

/**
 * set auth name on SSL for verification
 * @param ssl: SSL* to set
 * @param auth_name: if NULL nothing happens, otherwise the name to check.
 * @param use_sni: if SNI will be used.
 * @return 1 on success or NULL auth_name, 0 on failure.
 * 	A return of 1 therefore does not by itself mean that the peer name
 * 	will be verified: with a NULL auth_name nothing is set. Callers that
 * 	require an authenticated peer have to check auth_name themselves,
 * 	and have to treat 0 as a reason not to use the connection.
 */
int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni);

/**
 * Initialize openssl locking for thread safety
 * NOTE(review): presumably has to run before other threads use openssl -
 * confirm where it is called.
 * @return false on failure (alloc failure).
 */
int ub_openssl_lock_init(void);

/**
 * De-init the allocated openssl locks
 * (the counterpart of ub_openssl_lock_init()).
 */
void ub_openssl_lock_delete(void);

/**
 * setup TLS session ticket
 * @param sslctx: the SSL_CTX to use (from connect_sslctx_create())
 * 	NOTE(review): this is a listen_ function, so the context probably
 * 	comes from listen_sslctx_create() instead - confirm.
 * @param tls_session_ticket_keys: TLS ticket secret filenames. The files
 * 	hold the secrets that protect session tickets, so they should be
 * 	readable only by the server.
 * @return false on failure (alloc failure).
 */
int listen_sslctx_setup_ticket_keys(void* sslctx,
	struct config_strlist* tls_session_ticket_keys);

/** Free memory used for TLS session ticket keys.
 * NOTE(review): whether the key material is wiped before it is freed is
 * not visible here - confirm in the implementation. */
void listen_sslctx_delete_ticket_keys(void);

/**
 * RPZ format netblock to network byte order address and netblock
 * example RPZ netblock format dnames:
 *  - 24.10.100.51.198.rpz-ip -> 198.51.100.10/24
 *  - 32.10.zz.db8.2001.rpz-ip -> 2001:db8:0:0:0:0:0:10/32
 * In both examples the first label is the netblock size and the address
 * parts follow in reverse order.
 * @param dname: the dname containing RPZ format netblock
 * @param dnamelen: length of dname
 * @param addr: where to store sockaddr.
 * @param addrlen: length of stored sockaddr is returned.
 * @param net: where to store netmask
 * @param af: where to store address family.
 * @return 0 on error. On error the output parameters should not be used.
 */
int netblockdnametoaddr(uint8_t* dname, size_t dnamelen,
	struct sockaddr_storage* addr, socklen_t* addrlen, int* net, int* af);

/** Return strerror or wsastrerror for socket error printout.
 * NOTE(review): who owns the returned string, and whether a later call
 * overwrites it, is not stated here - do not free or keep it without
 * confirming. */
char* sock_strerror(int errn);
/** close the socket with close, or wsa closesocket.
 * Returns nothing, so an error from the close call is not reported. */
void sock_close(int socket);

/* closes the include guard opened by #ifndef NET_HELP_H */
#endif /* NET_HELP_H */