1 /* 2 * util/net_help.c - implementation of the network helper code 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 /** 36 * \file 37 * Implementation of net_help.h. 38 */ 39 40 #include "config.h" 41 #include "util/net_help.h" 42 #include "util/log.h" 43 #include "util/data/dname.h" 44 #include "util/module.h" 45 #include "util/regional.h" 46 #include "util/config_file.h" 47 #include "sldns/parseutil.h" 48 #include "sldns/wire2str.h" 49 #include <fcntl.h> 50 #ifdef HAVE_OPENSSL_SSL_H 51 #include <openssl/ssl.h> 52 #include <openssl/evp.h> 53 #include <openssl/rand.h> 54 #endif 55 #ifdef HAVE_OPENSSL_ERR_H 56 #include <openssl/err.h> 57 #endif 58 #ifdef USE_WINSOCK 59 #include <wincrypt.h> 60 #endif 61 62 /** max length of an IP address (the address portion) that we allow */ 63 #define MAX_ADDR_STRLEN 128 /* characters */ 64 /** default value for EDNS ADVERTISED size */ 65 uint16_t EDNS_ADVERTISED_SIZE = 4096; 66 67 /** minimal responses when positive answer: default is no */ 68 int MINIMAL_RESPONSES = 0; 69 70 /** rrset order roundrobin: default is no */ 71 int RRSET_ROUNDROBIN = 0; 72 73 /** log tag queries with name instead of 'info' for filtering */ 74 int LOG_TAG_QUERYREPLY = 0; 75 76 static struct tls_session_ticket_key { 77 unsigned char *key_name; 78 unsigned char *aes_key; 79 unsigned char *hmac_key; 80 } *ticket_keys; 81 82 /* returns true is string addr is an ip6 specced address */ 83 int 84 str_is_ip6(const char* str) 85 { 86 if(strchr(str, ':')) 87 return 1; 88 else return 0; 89 } 90 91 int 92 fd_set_nonblock(int s) 93 { 94 #ifdef HAVE_FCNTL 95 int flag; 96 if((flag = fcntl(s, F_GETFL)) == -1) { 97 log_err("can't fcntl F_GETFL: %s", strerror(errno)); 98 flag = 0; 99 } 100 flag |= O_NONBLOCK; 101 if(fcntl(s, F_SETFL, flag) == -1) { 102 log_err("can't fcntl F_SETFL: %s", strerror(errno)); 103 return 0; 104 } 105 #elif defined(HAVE_IOCTLSOCKET) 106 unsigned long on = 1; 107 if(ioctlsocket(s, FIONBIO, &on) != 0) { 108 log_err("can't ioctlsocket FIONBIO on: %s", 109 wsa_strerror(WSAGetLastError())); 110 } 111 #endif 112 return 1; 113 } 114 115 int 116 fd_set_block(int s) 117 { 118 #ifdef HAVE_FCNTL 119 int flag; 120 if((flag = fcntl(s, F_GETFL)) == -1) { 121 log_err("cannot fcntl F_GETFL: %s", strerror(errno)); 122 flag = 0; 123 } 124 flag &= ~O_NONBLOCK; 125 if(fcntl(s, F_SETFL, flag) == -1) { 126 log_err("cannot fcntl F_SETFL: %s", strerror(errno)); 127 return 0; 128 } 129 #elif defined(HAVE_IOCTLSOCKET) 130 unsigned long off = 0; 131 if(ioctlsocket(s, FIONBIO, &off) != 0) { 132 if(WSAGetLastError() != WSAEINVAL || verbosity >= 4) 133 log_err("can't ioctlsocket FIONBIO off: %s", 134 wsa_strerror(WSAGetLastError())); 135 } 136 #endif 137 return 1; 138 } 139 140 int 141 is_pow2(size_t num) 142 { 143 if(num == 0) return 1; 144 return (num & (num-1)) == 0; 145 } 146 147 void* 148 memdup(void* data, size_t len) 149 { 150 void* d; 151 if(!data) return NULL; 152 if(len == 0) return NULL; 153 d = malloc(len); 154 if(!d) return NULL; 155 memcpy(d, data, len); 156 return d; 157 } 158 159 void 160 log_addr(enum verbosity_value v, const char* str, 161 struct sockaddr_storage* addr, socklen_t addrlen) 162 { 163 uint16_t port; 164 const char* family = "unknown"; 165 char dest[100]; 166 int af = (int)((struct sockaddr_in*)addr)->sin_family; 167 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 168 if(verbosity < v) 169 return; 170 switch(af) { 171 case AF_INET: family="ip4"; break; 172 case AF_INET6: family="ip6"; 173 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 174 break; 175 case AF_LOCAL: 176 dest[0]=0; 177 (void)inet_ntop(af, sinaddr, dest, 178 (socklen_t)sizeof(dest)); 179 verbose(v, "%s local %s", str, dest); 180 return; /* do not continue and try to get port */ 181 default: break; 182 } 183 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 184 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 185 } 186 dest[sizeof(dest)-1] = 0; 187 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 188 if(verbosity >= 4) 189 verbose(v, "%s %s %s port %d (len %d)", str, family, dest, 190 (int)port, (int)addrlen); 191 else verbose(v, "%s %s port %d", str, dest, (int)port); 192 } 193 194 int 195 extstrtoaddr(const char* str, struct sockaddr_storage* addr, 196 socklen_t* addrlen) 197 { 198 char* s; 199 int port = UNBOUND_DNS_PORT; 200 if((s=strchr(str, '@'))) { 201 char buf[MAX_ADDR_STRLEN]; 202 if(s-str >= MAX_ADDR_STRLEN) { 203 return 0; 204 } 205 (void)strlcpy(buf, str, sizeof(buf)); 206 buf[s-str] = 0; 207 port = atoi(s+1); 208 if(port == 0 && strcmp(s+1,"0")!=0) { 209 return 0; 210 } 211 return ipstrtoaddr(buf, port, addr, addrlen); 212 } 213 return ipstrtoaddr(str, port, addr, addrlen); 214 } 215 216 217 int 218 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, 219 socklen_t* addrlen) 220 { 221 uint16_t p; 222 if(!ip) return 0; 223 p = (uint16_t) port; 224 if(str_is_ip6(ip)) { 225 char buf[MAX_ADDR_STRLEN]; 226 char* s; 227 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 228 *addrlen = (socklen_t)sizeof(struct sockaddr_in6); 229 memset(sa, 0, *addrlen); 230 sa->sin6_family = AF_INET6; 231 sa->sin6_port = (in_port_t)htons(p); 232 if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */ 233 if(s-ip >= MAX_ADDR_STRLEN) 234 return 0; 235 (void)strlcpy(buf, ip, sizeof(buf)); 236 buf[s-ip]=0; 237 sa->sin6_scope_id = (uint32_t)atoi(s+1); 238 ip = buf; 239 } 240 if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) { 241 return 0; 242 } 243 } else { /* ip4 */ 244 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 245 *addrlen = (socklen_t)sizeof(struct sockaddr_in); 246 memset(sa, 0, *addrlen); 247 sa->sin_family = AF_INET; 248 sa->sin_port = (in_port_t)htons(p); 249 if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) { 250 return 0; 251 } 252 } 253 return 1; 254 } 255 256 int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr, 257 socklen_t* addrlen, int* net) 258 { 259 char buf[64]; 260 char* s; 261 *net = (str_is_ip6(str)?128:32); 262 if((s=strchr(str, '/'))) { 263 if(atoi(s+1) > *net) { 264 log_err("netblock too large: %s", str); 265 return 0; 266 } 267 *net = atoi(s+1); 268 if(*net == 0 && strcmp(s+1, "0") != 0) { 269 log_err("cannot parse netblock: '%s'", str); 270 return 0; 271 } 272 strlcpy(buf, str, sizeof(buf)); 273 s = strchr(buf, '/'); 274 if(s) *s = 0; 275 s = buf; 276 } 277 if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) { 278 log_err("cannot parse ip address: '%s'", str); 279 return 0; 280 } 281 if(s) { 282 addr_mask(addr, *addrlen, *net); 283 } 284 return 1; 285 } 286 287 int authextstrtoaddr(char* str, struct sockaddr_storage* addr, 288 socklen_t* addrlen, char** auth_name) 289 { 290 char* s; 291 int port = UNBOUND_DNS_PORT; 292 if((s=strchr(str, '@'))) { 293 char buf[MAX_ADDR_STRLEN]; 294 size_t len = (size_t)(s-str); 295 char* hash = strchr(s+1, '#'); 296 if(hash) { 297 *auth_name = hash+1; 298 } else { 299 *auth_name = NULL; 300 } 301 if(len >= MAX_ADDR_STRLEN) { 302 return 0; 303 } 304 (void)strlcpy(buf, str, sizeof(buf)); 305 buf[len] = 0; 306 port = atoi(s+1); 307 if(port == 0) { 308 if(!hash && strcmp(s+1,"0")!=0) 309 return 0; 310 if(hash && strncmp(s+1,"0#",2)!=0) 311 return 0; 312 } 313 return ipstrtoaddr(buf, port, addr, addrlen); 314 } 315 if((s=strchr(str, '#'))) { 316 char buf[MAX_ADDR_STRLEN]; 317 size_t len = (size_t)(s-str); 318 if(len >= MAX_ADDR_STRLEN) { 319 return 0; 320 } 321 (void)strlcpy(buf, str, sizeof(buf)); 322 buf[len] = 0; 323 port = UNBOUND_DNS_OVER_TLS_PORT; 324 *auth_name = s+1; 325 return ipstrtoaddr(buf, port, addr, addrlen); 326 } 327 *auth_name = NULL; 328 return ipstrtoaddr(str, port, addr, addrlen); 329 } 330 331 /** store port number into sockaddr structure */ 332 void 333 sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port) 334 { 335 if(addr_is_ip6(addr, addrlen)) { 336 struct sockaddr_in6* sa = (struct sockaddr_in6*)addr; 337 sa->sin6_port = (in_port_t)htons((uint16_t)port); 338 } else { 339 struct sockaddr_in* sa = (struct sockaddr_in*)addr; 340 sa->sin_port = (in_port_t)htons((uint16_t)port); 341 } 342 } 343 344 void 345 log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name, 346 uint16_t type, uint16_t dclass) 347 { 348 char buf[LDNS_MAX_DOMAINLEN+1]; 349 char t[12], c[12]; 350 const char *ts, *cs; 351 if(verbosity < v) 352 return; 353 dname_str(name, buf); 354 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG"; 355 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR"; 356 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR"; 357 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB"; 358 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA"; 359 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY"; 360 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name) 361 ts = sldns_rr_descript(type)->_name; 362 else { 363 snprintf(t, sizeof(t), "TYPE%d", (int)type); 364 ts = t; 365 } 366 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) && 367 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name) 368 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name; 369 else { 370 snprintf(c, sizeof(c), "CLASS%d", (int)dclass); 371 cs = c; 372 } 373 log_info("%s %s %s %s", str, buf, ts, cs); 374 } 375 376 void 377 log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass) 378 { 379 char buf[LDNS_MAX_DOMAINLEN+1]; 380 char t[12], c[12]; 381 const char *ts, *cs; 382 dname_str(name, buf); 383 if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG"; 384 else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR"; 385 else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR"; 386 else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB"; 387 else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA"; 388 else if(type == LDNS_RR_TYPE_ANY) ts = "ANY"; 389 else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name) 390 ts = sldns_rr_descript(type)->_name; 391 else { 392 snprintf(t, sizeof(t), "TYPE%d", (int)type); 393 ts = t; 394 } 395 if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) && 396 sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name) 397 cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name; 398 else { 399 snprintf(c, sizeof(c), "CLASS%d", (int)dclass); 400 cs = c; 401 } 402 if(LOG_TAG_QUERYREPLY) 403 log_query("%s %s %s %s", str, buf, ts, cs); 404 else log_info("%s %s %s %s", str, buf, ts, cs); 405 } 406 407 void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone, 408 struct sockaddr_storage* addr, socklen_t addrlen) 409 { 410 uint16_t port; 411 const char* family = "unknown_family "; 412 char namebuf[LDNS_MAX_DOMAINLEN+1]; 413 char dest[100]; 414 int af = (int)((struct sockaddr_in*)addr)->sin_family; 415 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 416 if(verbosity < v) 417 return; 418 switch(af) { 419 case AF_INET: family=""; break; 420 case AF_INET6: family=""; 421 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 422 break; 423 case AF_LOCAL: family="local "; break; 424 default: break; 425 } 426 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 427 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 428 } 429 dest[sizeof(dest)-1] = 0; 430 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 431 dname_str(zone, namebuf); 432 if(af != AF_INET && af != AF_INET6) 433 verbose(v, "%s <%s> %s%s#%d (addrlen %d)", 434 str, namebuf, family, dest, (int)port, (int)addrlen); 435 else verbose(v, "%s <%s> %s%s#%d", 436 str, namebuf, family, dest, (int)port); 437 } 438 439 void log_err_addr(const char* str, const char* err, 440 struct sockaddr_storage* addr, socklen_t addrlen) 441 { 442 uint16_t port; 443 char dest[100]; 444 int af = (int)((struct sockaddr_in*)addr)->sin_family; 445 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 446 if(af == AF_INET6) 447 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 448 if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) { 449 (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest)); 450 } 451 dest[sizeof(dest)-1] = 0; 452 port = ntohs(((struct sockaddr_in*)addr)->sin_port); 453 if(verbosity >= 4) 454 log_err("%s: %s for %s port %d (len %d)", str, err, dest, 455 (int)port, (int)addrlen); 456 else log_err("%s: %s for %s port %d", str, err, dest, (int)port); 457 } 458 459 int 460 sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1, 461 struct sockaddr_storage* addr2, socklen_t len2) 462 { 463 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; 464 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; 465 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; 466 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; 467 if(len1 < len2) 468 return -1; 469 if(len1 > len2) 470 return 1; 471 log_assert(len1 == len2); 472 if( p1_in->sin_family < p2_in->sin_family) 473 return -1; 474 if( p1_in->sin_family > p2_in->sin_family) 475 return 1; 476 log_assert( p1_in->sin_family == p2_in->sin_family ); 477 /* compare ip4 */ 478 if( p1_in->sin_family == AF_INET ) { 479 /* just order it, ntohs not required */ 480 if(p1_in->sin_port < p2_in->sin_port) 481 return -1; 482 if(p1_in->sin_port > p2_in->sin_port) 483 return 1; 484 log_assert(p1_in->sin_port == p2_in->sin_port); 485 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); 486 } else if (p1_in6->sin6_family == AF_INET6) { 487 /* just order it, ntohs not required */ 488 if(p1_in6->sin6_port < p2_in6->sin6_port) 489 return -1; 490 if(p1_in6->sin6_port > p2_in6->sin6_port) 491 return 1; 492 log_assert(p1_in6->sin6_port == p2_in6->sin6_port); 493 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, 494 INET6_SIZE); 495 } else { 496 /* eek unknown type, perform this comparison for sanity. */ 497 return memcmp(addr1, addr2, len1); 498 } 499 } 500 501 int 502 sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1, 503 struct sockaddr_storage* addr2, socklen_t len2) 504 { 505 struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1; 506 struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2; 507 struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1; 508 struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2; 509 if(len1 < len2) 510 return -1; 511 if(len1 > len2) 512 return 1; 513 log_assert(len1 == len2); 514 if( p1_in->sin_family < p2_in->sin_family) 515 return -1; 516 if( p1_in->sin_family > p2_in->sin_family) 517 return 1; 518 log_assert( p1_in->sin_family == p2_in->sin_family ); 519 /* compare ip4 */ 520 if( p1_in->sin_family == AF_INET ) { 521 return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE); 522 } else if (p1_in6->sin6_family == AF_INET6) { 523 return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr, 524 INET6_SIZE); 525 } else { 526 /* eek unknown type, perform this comparison for sanity. */ 527 return memcmp(addr1, addr2, len1); 528 } 529 } 530 531 int 532 addr_is_ip6(struct sockaddr_storage* addr, socklen_t len) 533 { 534 if(len == (socklen_t)sizeof(struct sockaddr_in6) && 535 ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6) 536 return 1; 537 else return 0; 538 } 539 540 void 541 addr_mask(struct sockaddr_storage* addr, socklen_t len, int net) 542 { 543 uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe}; 544 int i, max; 545 uint8_t* s; 546 if(addr_is_ip6(addr, len)) { 547 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; 548 max = 128; 549 } else { 550 s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr; 551 max = 32; 552 } 553 if(net >= max) 554 return; 555 for(i=net/8+1; i<max/8; i++) { 556 s[i] = 0; 557 } 558 s[net/8] &= mask[net&0x7]; 559 } 560 561 int 562 addr_in_common(struct sockaddr_storage* addr1, int net1, 563 struct sockaddr_storage* addr2, int net2, socklen_t addrlen) 564 { 565 int min = (net1<net2)?net1:net2; 566 int i, to; 567 int match = 0; 568 uint8_t* s1, *s2; 569 if(addr_is_ip6(addr1, addrlen)) { 570 s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr; 571 s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr; 572 to = 16; 573 } else { 574 s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr; 575 s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr; 576 to = 4; 577 } 578 /* match = bits_in_common(s1, s2, to); */ 579 for(i=0; i<to; i++) { 580 if(s1[i] == s2[i]) { 581 match += 8; 582 } else { 583 uint8_t z = s1[i]^s2[i]; 584 log_assert(z); 585 while(!(z&0x80)) { 586 match++; 587 z<<=1; 588 } 589 break; 590 } 591 } 592 if(match > min) match = min; 593 return match; 594 } 595 596 void 597 addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen, 598 char* buf, size_t len) 599 { 600 int af = (int)((struct sockaddr_in*)addr)->sin_family; 601 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 602 if(addr_is_ip6(addr, addrlen)) 603 sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr; 604 if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) { 605 snprintf(buf, len, "(inet_ntop_error)"); 606 } 607 } 608 609 int 610 addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen) 611 { 612 /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */ 613 const uint8_t map_prefix[16] = 614 {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0}; 615 uint8_t* s; 616 if(!addr_is_ip6(addr, addrlen)) 617 return 0; 618 /* s is 16 octet ipv6 address string */ 619 s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; 620 return (memcmp(s, map_prefix, 12) == 0); 621 } 622 623 int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen) 624 { 625 int af = (int)((struct sockaddr_in*)addr)->sin_family; 626 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 627 return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in) 628 && memcmp(sinaddr, "\377\377\377\377", 4) == 0; 629 } 630 631 int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen) 632 { 633 int af = (int)((struct sockaddr_in*)addr)->sin_family; 634 void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr; 635 void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr; 636 if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in) 637 && memcmp(sinaddr, "\000\000\000\000", 4) == 0) 638 return 1; 639 else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6) 640 && memcmp(sin6addr, "\000\000\000\000\000\000\000\000" 641 "\000\000\000\000\000\000\000\000", 16) == 0) 642 return 1; 643 return 0; 644 } 645 646 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr, 647 socklen_t len, struct regional* region) 648 { 649 struct sock_list* add = (struct sock_list*)regional_alloc(region, 650 sizeof(*add) - sizeof(add->addr) + (size_t)len); 651 if(!add) { 652 log_err("out of memory in socketlist insert"); 653 return; 654 } 655 log_assert(list); 656 add->next = *list; 657 add->len = len; 658 *list = add; 659 if(len) memmove(&add->addr, addr, len); 660 } 661 662 void sock_list_prepend(struct sock_list** list, struct sock_list* add) 663 { 664 struct sock_list* last = add; 665 if(!last) 666 return; 667 while(last->next) 668 last = last->next; 669 last->next = *list; 670 *list = add; 671 } 672 673 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr, 674 socklen_t len) 675 { 676 while(list) { 677 if(len == list->len) { 678 if(len == 0 || sockaddr_cmp_addr(addr, len, 679 &list->addr, list->len) == 0) 680 return 1; 681 } 682 list = list->next; 683 } 684 return 0; 685 } 686 687 void sock_list_merge(struct sock_list** list, struct regional* region, 688 struct sock_list* add) 689 { 690 struct sock_list* p; 691 for(p=add; p; p=p->next) { 692 if(!sock_list_find(*list, &p->addr, p->len)) 693 sock_list_insert(list, &p->addr, p->len, region); 694 } 695 } 696 697 void 698 log_crypto_err(const char* str) 699 { 700 #ifdef HAVE_SSL 701 /* error:[error code]:[library name]:[function name]:[reason string] */ 702 char buf[128]; 703 unsigned long e; 704 ERR_error_string_n(ERR_get_error(), buf, sizeof(buf)); 705 log_err("%s crypto %s", str, buf); 706 while( (e=ERR_get_error()) ) { 707 ERR_error_string_n(e, buf, sizeof(buf)); 708 log_err("and additionally crypto %s", buf); 709 } 710 #else 711 (void)str; 712 #endif /* HAVE_SSL */ 713 } 714 715 int 716 listen_sslctx_setup(void* ctxt) 717 { 718 #ifdef HAVE_SSL 719 SSL_CTX* ctx = (SSL_CTX*)ctxt; 720 /* no SSLv2, SSLv3 because has defects */ 721 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) 722 != SSL_OP_NO_SSLv2){ 723 log_crypto_err("could not set SSL_OP_NO_SSLv2"); 724 return 0; 725 } 726 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) 727 != SSL_OP_NO_SSLv3){ 728 log_crypto_err("could not set SSL_OP_NO_SSLv3"); 729 return 0; 730 } 731 #if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1) 732 /* if we have tls 1.1 disable 1.0 */ 733 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1) 734 != SSL_OP_NO_TLSv1){ 735 log_crypto_err("could not set SSL_OP_NO_TLSv1"); 736 return 0; 737 } 738 #endif 739 #if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2) 740 /* if we have tls 1.2 disable 1.1 */ 741 if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1) 742 != SSL_OP_NO_TLSv1_1){ 743 log_crypto_err("could not set SSL_OP_NO_TLSv1_1"); 744 return 0; 745 } 746 #endif 747 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) 748 /* if we have sha256, set the cipher list to have no known vulns */ 749 if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) 750 log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); 751 #endif 752 753 if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) & 754 SSL_OP_CIPHER_SERVER_PREFERENCE) != 755 SSL_OP_CIPHER_SERVER_PREFERENCE) { 756 log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE"); 757 return 0; 758 } 759 760 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL 761 SSL_CTX_set_security_level(ctx, 0); 762 #endif 763 #else 764 (void)ctxt; 765 #endif /* HAVE_SSL */ 766 return 1; 767 } 768 769 void 770 listen_sslctx_setup_2(void* ctxt) 771 { 772 #ifdef HAVE_SSL 773 SSL_CTX* ctx = (SSL_CTX*)ctxt; 774 (void)ctx; 775 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO 776 if(!SSL_CTX_set_ecdh_auto(ctx,1)) { 777 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); 778 } 779 #elif defined(USE_ECDSA) 780 if(1) { 781 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); 782 if (!ecdh) { 783 log_crypto_err("could not find p256, not enabling ECDHE"); 784 } else { 785 if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) { 786 log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE"); 787 } 788 EC_KEY_free (ecdh); 789 } 790 } 791 #endif 792 #else 793 (void)ctxt; 794 #endif /* HAVE_SSL */ 795 } 796 797 void* listen_sslctx_create(char* key, char* pem, char* verifypem) 798 { 799 #ifdef HAVE_SSL 800 SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); 801 if(!ctx) { 802 log_crypto_err("could not SSL_CTX_new"); 803 return NULL; 804 } 805 if(!listen_sslctx_setup(ctx)) { 806 SSL_CTX_free(ctx); 807 return NULL; 808 } 809 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { 810 log_err("error for cert file: %s", pem); 811 log_crypto_err("error in SSL_CTX use_certificate_chain_file"); 812 SSL_CTX_free(ctx); 813 return NULL; 814 } 815 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { 816 log_err("error for private key file: %s", key); 817 log_crypto_err("Error in SSL_CTX use_PrivateKey_file"); 818 SSL_CTX_free(ctx); 819 return NULL; 820 } 821 if(!SSL_CTX_check_private_key(ctx)) { 822 log_err("error for key file: %s", key); 823 log_crypto_err("Error in SSL_CTX check_private_key"); 824 SSL_CTX_free(ctx); 825 return NULL; 826 } 827 listen_sslctx_setup_2(ctx); 828 if(verifypem && verifypem[0]) { 829 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { 830 log_crypto_err("Error in SSL_CTX verify locations"); 831 SSL_CTX_free(ctx); 832 return NULL; 833 } 834 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file( 835 verifypem)); 836 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 837 } 838 return ctx; 839 #else 840 (void)key; (void)pem; (void)verifypem; 841 return NULL; 842 #endif 843 } 844 845 #ifdef USE_WINSOCK 846 /* For windows, the CA trust store is not read by openssl. 847 Add code to open the trust store using wincrypt API and add 848 the root certs into openssl trust store */ 849 static int 850 add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx) 851 { 852 HCERTSTORE hSystemStore; 853 PCCERT_CONTEXT pTargetCert = NULL; 854 X509_STORE* store; 855 856 verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store"); 857 858 /* load just once per context lifetime for this version 859 TODO: dynamically update CA trust changes as they are available */ 860 if (!tls_ctx) 861 return 0; 862 863 /* Call wincrypt's CertOpenStore to open the CA root store. */ 864 865 if ((hSystemStore = CertOpenStore( 866 CERT_STORE_PROV_SYSTEM, 867 0, 868 0, 869 /* NOTE: mingw does not have this const: replace with 1 << 16 from code 870 CERT_SYSTEM_STORE_CURRENT_USER, */ 871 1 << 16, 872 L"root")) == 0) 873 { 874 return 0; 875 } 876 877 store = SSL_CTX_get_cert_store(tls_ctx); 878 if (!store) 879 return 0; 880 881 /* failure if the CA store is empty or the call fails */ 882 if ((pTargetCert = CertEnumCertificatesInStore( 883 hSystemStore, pTargetCert)) == 0) { 884 verbose(VERB_ALGO, "CA certificate store for Windows is empty."); 885 return 0; 886 } 887 /* iterate over the windows cert store and add to openssl store */ 888 do 889 { 890 X509 *cert1 = d2i_X509(NULL, 891 (const unsigned char **)&pTargetCert->pbCertEncoded, 892 pTargetCert->cbCertEncoded); 893 if (!cert1) { 894 /* return error if a cert fails */ 895 verbose(VERB_ALGO, "%s %d:%s", 896 "Unable to parse certificate in memory", 897 (int)ERR_get_error(), ERR_error_string(ERR_get_error(), NULL)); 898 return 0; 899 } 900 else { 901 /* return error if a cert add to store fails */ 902 if (X509_STORE_add_cert(store, cert1) == 0) { 903 unsigned long error = ERR_peek_last_error(); 904 905 /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the 906 * certificate is already in the store. */ 907 if(ERR_GET_LIB(error) != ERR_LIB_X509 || 908 ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) { 909 verbose(VERB_ALGO, "%s %d:%s\n", 910 "Error adding certificate", (int)ERR_get_error(), 911 ERR_error_string(ERR_get_error(), NULL)); 912 X509_free(cert1); 913 return 0; 914 } 915 } 916 X509_free(cert1); 917 } 918 } while ((pTargetCert = CertEnumCertificatesInStore( 919 hSystemStore, pTargetCert)) != 0); 920 921 /* Clean up memory and quit. */ 922 if (pTargetCert) 923 CertFreeCertificateContext(pTargetCert); 924 if (hSystemStore) 925 { 926 if (!CertCloseStore( 927 hSystemStore, 0)) 928 return 0; 929 } 930 verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully"); 931 return 1; 932 } 933 #endif /* USE_WINSOCK */ 934 935 void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert) 936 { 937 #ifdef HAVE_SSL 938 SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method()); 939 if(!ctx) { 940 log_crypto_err("could not allocate SSL_CTX pointer"); 941 return NULL; 942 } 943 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) 944 != SSL_OP_NO_SSLv2) { 945 log_crypto_err("could not set SSL_OP_NO_SSLv2"); 946 SSL_CTX_free(ctx); 947 return NULL; 948 } 949 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) 950 != SSL_OP_NO_SSLv3) { 951 log_crypto_err("could not set SSL_OP_NO_SSLv3"); 952 SSL_CTX_free(ctx); 953 return NULL; 954 } 955 if(key && key[0]) { 956 if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { 957 log_err("error in client certificate %s", pem); 958 log_crypto_err("error in certificate file"); 959 SSL_CTX_free(ctx); 960 return NULL; 961 } 962 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { 963 log_err("error in client private key %s", key); 964 log_crypto_err("error in key file"); 965 SSL_CTX_free(ctx); 966 return NULL; 967 } 968 if(!SSL_CTX_check_private_key(ctx)) { 969 log_err("error in client key %s", key); 970 log_crypto_err("error in SSL_CTX_check_private_key"); 971 SSL_CTX_free(ctx); 972 return NULL; 973 } 974 } 975 if((verifypem && verifypem[0]) || wincert) { 976 if(verifypem && verifypem[0]) { 977 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { 978 log_crypto_err("error in SSL_CTX verify"); 979 SSL_CTX_free(ctx); 980 return NULL; 981 } 982 } 983 #ifdef USE_WINSOCK 984 if(wincert) { 985 if(!add_WIN_cacerts_to_openssl_store(ctx)) { 986 log_crypto_err("error in add_WIN_cacerts_to_openssl_store"); 987 SSL_CTX_free(ctx); 988 return NULL; 989 } 990 } 991 #else 992 (void)wincert; 993 #endif 994 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 995 } 996 return ctx; 997 #else 998 (void)key; (void)pem; (void)verifypem; (void)wincert; 999 return NULL; 1000 #endif 1001 } 1002 1003 void* incoming_ssl_fd(void* sslctx, int fd) 1004 { 1005 #ifdef HAVE_SSL 1006 SSL* ssl = SSL_new((SSL_CTX*)sslctx); 1007 if(!ssl) { 1008 log_crypto_err("could not SSL_new"); 1009 return NULL; 1010 } 1011 SSL_set_accept_state(ssl); 1012 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); 1013 if(!SSL_set_fd(ssl, fd)) { 1014 log_crypto_err("could not SSL_set_fd"); 1015 SSL_free(ssl); 1016 return NULL; 1017 } 1018 return ssl; 1019 #else 1020 (void)sslctx; (void)fd; 1021 return NULL; 1022 #endif 1023 } 1024 1025 void* outgoing_ssl_fd(void* sslctx, int fd) 1026 { 1027 #ifdef HAVE_SSL 1028 SSL* ssl = SSL_new((SSL_CTX*)sslctx); 1029 if(!ssl) { 1030 log_crypto_err("could not SSL_new"); 1031 return NULL; 1032 } 1033 SSL_set_connect_state(ssl); 1034 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); 1035 if(!SSL_set_fd(ssl, fd)) { 1036 log_crypto_err("could not SSL_set_fd"); 1037 SSL_free(ssl); 1038 return NULL; 1039 } 1040 return ssl; 1041 #else 1042 (void)sslctx; (void)fd; 1043 return NULL; 1044 #endif 1045 } 1046 1047 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1048 /** global lock list for openssl locks */ 1049 static lock_basic_type *ub_openssl_locks = NULL; 1050 1051 /** callback that gets thread id for openssl */ 1052 static unsigned long 1053 ub_crypto_id_cb(void) 1054 { 1055 return (unsigned long)log_thread_get(); 1056 } 1057 1058 static void 1059 ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file), 1060 int ATTR_UNUSED(line)) 1061 { 1062 if((mode&CRYPTO_LOCK)) { 1063 lock_basic_lock(&ub_openssl_locks[type]); 1064 } else { 1065 lock_basic_unlock(&ub_openssl_locks[type]); 1066 } 1067 } 1068 #endif /* OPENSSL_THREADS */ 1069 1070 int ub_openssl_lock_init(void) 1071 { 1072 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1073 int i; 1074 ub_openssl_locks = (lock_basic_type*)reallocarray( 1075 NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_type)); 1076 if(!ub_openssl_locks) 1077 return 0; 1078 for(i=0; i<CRYPTO_num_locks(); i++) { 1079 lock_basic_init(&ub_openssl_locks[i]); 1080 } 1081 CRYPTO_set_id_callback(&ub_crypto_id_cb); 1082 CRYPTO_set_locking_callback(&ub_crypto_lock_cb); 1083 #endif /* OPENSSL_THREADS */ 1084 return 1; 1085 } 1086 1087 void ub_openssl_lock_delete(void) 1088 { 1089 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L 1090 int i; 1091 if(!ub_openssl_locks) 1092 return; 1093 CRYPTO_set_id_callback(NULL); 1094 CRYPTO_set_locking_callback(NULL); 1095 for(i=0; i<CRYPTO_num_locks(); i++) { 1096 lock_basic_destroy(&ub_openssl_locks[i]); 1097 } 1098 free(ub_openssl_locks); 1099 #endif /* OPENSSL_THREADS */ 1100 } 1101 1102 int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_session_ticket_keys) { 1103 #ifdef HAVE_SSL 1104 size_t s = 1; 1105 struct config_strlist* p; 1106 struct tls_session_ticket_key *keys; 1107 for(p = tls_session_ticket_keys; p; p = p->next) { 1108 s++; 1109 } 1110 keys = calloc(s, sizeof(struct tls_session_ticket_key)); 1111 memset(keys, 0, s*sizeof(*keys)); 1112 ticket_keys = keys; 1113 1114 for(p = tls_session_ticket_keys; p; p = p->next) { 1115 size_t n; 1116 unsigned char *data = (unsigned char *)malloc(80); 1117 FILE *f = fopen(p->str, "r"); 1118 if(!f) { 1119 log_err("could not read tls-session-ticket-key %s: %s", p->str, strerror(errno)); 1120 free(data); 1121 return 0; 1122 } 1123 n = fread(data, 1, 80, f); 1124 fclose(f); 1125 1126 if(n != 80) { 1127 log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", p->str, (int)n); 1128 free(data); 1129 return 0; 1130 } 1131 verbose(VERB_OPS, "read tls-session-ticket-key: %s", p->str); 1132 1133 keys->key_name = data; 1134 keys->aes_key = data + 16; 1135 keys->hmac_key = data + 48; 1136 keys++; 1137 } 1138 /* terminate array with NULL key name entry */ 1139 keys->key_name = NULL; 1140 if(SSL_CTX_set_tlsext_ticket_key_cb(sslctx, tls_session_ticket_key_cb) == 0) { 1141 log_err("no support for TLS session ticket"); 1142 return 0; 1143 } 1144 return 1; 1145 #else 1146 (void)sslctx; 1147 (void)tls_session_ticket_keys; 1148 return 0; 1149 #endif 1150 1151 } 1152 1153 int tls_session_ticket_key_cb(void *ATTR_UNUSED(sslctx), unsigned char* key_name, unsigned char* iv, void *evp_sctx, void *hmac_ctx, int enc) 1154 { 1155 #ifdef HAVE_SSL 1156 const EVP_MD *digest; 1157 const EVP_CIPHER *cipher; 1158 int evp_cipher_length; 1159 digest = EVP_sha256(); 1160 cipher = EVP_aes_256_cbc(); 1161 evp_cipher_length = EVP_CIPHER_iv_length(cipher); 1162 if( enc == 1 ) { 1163 /* encrypt */ 1164 verbose(VERB_CLIENT, "start session encrypt"); 1165 memcpy(key_name, ticket_keys->key_name, 16); 1166 if (RAND_bytes(iv, evp_cipher_length) != 1) { 1167 verbose(VERB_CLIENT, "RAND_bytes failed"); 1168 return -1; 1169 } 1170 if (EVP_EncryptInit_ex(evp_sctx, cipher, NULL, ticket_keys->aes_key, iv) != 1) { 1171 verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed"); 1172 return -1; 1173 } 1174 if (HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL) != 1) { 1175 verbose(VERB_CLIENT, "HMAC_Init_ex failed"); 1176 return -1; 1177 } 1178 return 1; 1179 } else if (enc == 0) { 1180 /* decrypt */ 1181 struct tls_session_ticket_key *key; 1182 verbose(VERB_CLIENT, "start session decrypt"); 1183 for(key = ticket_keys; key->key_name != NULL; key++) { 1184 if (!memcmp(key_name, key->key_name, 16)) { 1185 verbose(VERB_CLIENT, "Found session_key"); 1186 break; 1187 } 1188 } 1189 if(key->key_name == NULL) { 1190 verbose(VERB_CLIENT, "Not found session_key"); 1191 return 0; 1192 } 1193 1194 if (HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL) != 1) { 1195 verbose(VERB_CLIENT, "HMAC_Init_ex failed"); 1196 return -1; 1197 } 1198 if (EVP_DecryptInit_ex(evp_sctx, cipher, NULL, key->aes_key, iv) != 1) { 1199 log_err("EVP_DecryptInit_ex failed"); 1200 return -1; 1201 } 1202 1203 return (key == ticket_keys) ? 1 : 2; 1204 } 1205 return -1; 1206 #else 1207 (void)key_name; 1208 (void)iv; 1209 (void)evp_sctx; 1210 (void)hmac_ctx; 1211 (void)enc; 1212 return 0; 1213 #endif 1214 } 1215 1216 void 1217 listen_sslctx_delete_ticket_keys(void) 1218 { 1219 struct tls_session_ticket_key *key; 1220 if(!ticket_keys) return; 1221 for(key = ticket_keys; key->key_name != NULL; key++) { 1222 free(key->key_name); 1223 } 1224 free(ticket_keys); 1225 ticket_keys = NULL; 1226 } 1227