Diffstat (limited to '')
-rw-r--r-- | external/unbound/util/net_help.c | 804 |
1 files changed, 804 insertions, 0 deletions
diff --git a/external/unbound/util/net_help.c b/external/unbound/util/net_help.c
new file mode 100644
index 000000000..30d543e00
--- /dev/null
+++ b/external/unbound/util/net_help.c
@@ -0,0 +1,804 @@
+/*
+ * util/net_help.c - implementation of the network helper code
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ * Implementation of net_help.h.
+ */
+
+#include "config.h"
+#include "util/net_help.h"
+#include "util/log.h"
+#include "util/data/dname.h"
+#include "util/module.h"
+#include "util/regional.h"
+#include "ldns/parseutil.h"
+#include "ldns/wire2str.h"
+#include <fcntl.h>
+#ifdef HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+
+/** max length of an IP address (the address portion) that we allow */
+#define MAX_ADDR_STRLEN 128 /* characters */
+/** default value for EDNS ADVERTISED size */
+uint16_t EDNS_ADVERTISED_SIZE = 4096;
+
+/** minimal responses when positive answer: default is no */
+int MINIMAL_RESPONSES = 0;
+
+/** rrset order roundrobin: default is no */
+int RRSET_ROUNDROBIN = 0;
+
+/* returns true is string addr is an ip6 specced address */
+int
+str_is_ip6(const char* str)
+{
+ if(strchr(str, ':'))
+ return 1;
+ else return 0;
+}
+
+int
+fd_set_nonblock(int s)
+{
+#ifdef HAVE_FCNTL
+ int flag;
+ if((flag = fcntl(s, F_GETFL)) == -1) {
+ log_err("can't fcntl F_GETFL: %s", strerror(errno));
+ flag = 0;
+ }
+ flag |= O_NONBLOCK;
+ if(fcntl(s, F_SETFL, flag) == -1) {
+ log_err("can't fcntl F_SETFL: %s", strerror(errno));
+ return 0;
+ }
+#elif defined(HAVE_IOCTLSOCKET)
+ unsigned long on = 1;
+ if(ioctlsocket(s, FIONBIO, &on) != 0) {
+ log_err("can't ioctlsocket FIONBIO on: %s",
+ wsa_strerror(WSAGetLastError()));
+ }
+#endif
+ return 1;
+}
+
+int
+fd_set_block(int s)
+{
+#ifdef HAVE_FCNTL
+ int flag;
+ if((flag = fcntl(s, F_GETFL)) == -1) {
+ log_err("cannot fcntl F_GETFL: %s", strerror(errno));
+ flag = 0;
+ }
+ flag &= ~O_NONBLOCK;
+ if(fcntl(s, F_SETFL, flag) == -1) {
+ log_err("cannot fcntl F_SETFL: %s", strerror(errno));
+ return 0;
+ }
+#elif defined(HAVE_IOCTLSOCKET)
+ unsigned long off = 0;
+ if(ioctlsocket(s, FIONBIO, &off) != 0) {
+ log_err("can't ioctlsocket FIONBIO off: %s",
+ wsa_strerror(WSAGetLastError()));
+ }
+#endif
+ return 1;
+}
+
+int
+is_pow2(size_t num)
+{
+ if(num == 0) return 1;
+ return (num & (num-1)) == 0;
+}
+
+void*
+memdup(void* data, size_t len)
+{
+ void* d;
+ if(!data) return NULL;
+ if(len == 0) return NULL;
+ d = malloc(len);
+ if(!d) return NULL;
+ memcpy(d, data, len);
+ return d;
+}
+
+void
+log_addr(enum verbosity_value v, const char* str,
+ struct sockaddr_storage* addr, socklen_t addrlen)
+{
+ uint16_t port;
+ const char* family = "unknown";
+ char dest[100];
+ int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ if(verbosity < v)
+ return;
+ switch(af) {
+ case AF_INET: family="ip4"; break;
+ case AF_INET6: family="ip6";
+ sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
+ break;
+ case AF_UNIX: family="unix"; break;
+ default: break;
+ }
+ if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
+ (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
+ }
+ dest[sizeof(dest)-1] = 0;
+ port = ntohs(((struct sockaddr_in*)addr)->sin_port);
+ if(verbosity >= 4)
+ verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
+ (int)port, (int)addrlen);
+ else verbose(v, "%s %s port %d", str, dest, (int)port);
+}
+
+int
+extstrtoaddr(const char* str, struct sockaddr_storage* addr,
+ socklen_t* addrlen)
+{
+ char* s;
+ int port = UNBOUND_DNS_PORT;
+ if((s=strchr(str, '@'))) {
+ char buf[MAX_ADDR_STRLEN];
+ if(s-str >= MAX_ADDR_STRLEN) {
+ return 0;
+ }
+ (void)strlcpy(buf, str, sizeof(buf));
+ buf[s-str] = 0;
+ port = atoi(s+1);
+ if(port == 0 && strcmp(s+1,"0")!=0) {
+ return 0;
+ }
+ return ipstrtoaddr(buf, port, addr, addrlen);
+ }
+ return ipstrtoaddr(str, port, addr, addrlen);
+}
+
+
+int
+ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
+ socklen_t* addrlen)
+{
+ uint16_t p;
+ if(!ip) return 0;
+ p = (uint16_t) port;
+ if(str_is_ip6(ip)) {
+ char buf[MAX_ADDR_STRLEN];
+ char* s;
+ struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
+ *addrlen = (socklen_t)sizeof(struct sockaddr_in6);
+ memset(sa, 0, *addrlen);
+ sa->sin6_family = AF_INET6;
+ sa->sin6_port = (in_port_t)htons(p);
+ if((s=strchr(ip, '%'))) { /* ip6%interface, rfc 4007 */
+ if(s-ip >= MAX_ADDR_STRLEN)
+ return 0;
+ (void)strlcpy(buf, ip, sizeof(buf));
+ buf[s-ip]=0;
+ sa->sin6_scope_id = (uint32_t)atoi(s+1);
+ ip = buf;
+ }
+ if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) {
+ return 0;
+ }
+ } else { /* ip4 */
+ struct sockaddr_in* sa = (struct sockaddr_in*)addr;
+ *addrlen = (socklen_t)sizeof(struct sockaddr_in);
+ memset(sa, 0, *addrlen);
+ sa->sin_family = AF_INET;
+ sa->sin_port = (in_port_t)htons(p);
+ if(inet_pton((int)sa->sin_family, ip, &sa->sin_addr) <= 0) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+int netblockstrtoaddr(const char* str, int port, struct sockaddr_storage* addr,
+ socklen_t* addrlen, int* net)
+{
+ char* s = NULL;
+ *net = (str_is_ip6(str)?128:32);
+ if((s=strchr(str, '/'))) {
+ if(atoi(s+1) > *net) {
+ log_err("netblock too large: %s", str);
+ return 0;
+ }
+ *net = atoi(s+1);
+ if(*net == 0 && strcmp(s+1, "0") != 0) {
+ log_err("cannot parse netblock: '%s'", str);
+ return 0;
+ }
+ if(!(s = strdup(str))) {
+ log_err("out of memory");
+ return 0;
+ }
+ *strchr(s, '/') = '\0';
+ }
+ if(!ipstrtoaddr(s?s:str, port, addr, addrlen)) {
+ free(s);
+ log_err("cannot parse ip address: '%s'", str);
+ return 0;
+ }
+ if(s) {
+ free(s);
+ addr_mask(addr, *addrlen, *net);
+ }
+ return 1;
+}
+
+void
+log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
+ uint16_t type, uint16_t dclass)
+{
+ char buf[LDNS_MAX_DOMAINLEN+1];
+ char t[12], c[12];
+ const char *ts, *cs;
+ if(verbosity < v)
+ return;
+ dname_str(name, buf);
+ if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
+ else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
+ else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
+ else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
+ else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
+ else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
+ else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
+ ts = sldns_rr_descript(type)->_name;
+ else {
+ snprintf(t, sizeof(t), "TYPE%d", (int)type);
+ ts = t;
+ }
+ if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
+ sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
+ cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
+ else {
+ snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
+ cs = c;
+ }
+ log_info("%s %s %s %s", str, buf, ts, cs);
+}
+
+void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
+ struct sockaddr_storage* addr, socklen_t addrlen)
+{
+ uint16_t port;
+ const char* family = "unknown_family ";
+ char namebuf[LDNS_MAX_DOMAINLEN+1];
+ char dest[100];
+ int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ if(verbosity < v)
+ return;
+ switch(af) {
+ case AF_INET: family=""; break;
+ case AF_INET6: family="";
+ sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
+ break;
+ case AF_UNIX: family="unix_family "; break;
+ default: break;
+ }
+ if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
+ (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
+ }
+ dest[sizeof(dest)-1] = 0;
+ port = ntohs(((struct sockaddr_in*)addr)->sin_port);
+ dname_str(zone, namebuf);
+ if(af != AF_INET && af != AF_INET6)
+ verbose(v, "%s <%s> %s%s#%d (addrlen %d)",
+ str, namebuf, family, dest, (int)port, (int)addrlen);
+ else verbose(v, "%s <%s> %s%s#%d",
+ str, namebuf, family, dest, (int)port);
+}
+
+void log_err_addr(const char* str, const char* err,
+ struct sockaddr_storage* addr, socklen_t addrlen)
+{
+ uint16_t port;
+ char dest[100];
+ int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ if(af == AF_INET6)
+ sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
+ if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
+ (void)strlcpy(dest, "(inet_ntop error)", sizeof(dest));
+ }
+ dest[sizeof(dest)-1] = 0;
+ port = ntohs(((struct sockaddr_in*)addr)->sin_port);
+ if(verbosity >= 4)
+ log_err("%s: %s for %s port %d (len %d)", str, err, dest,
+ (int)port, (int)addrlen);
+ else log_err("%s: %s for %s", str, err, dest);
+}
+
+int
+sockaddr_cmp(struct sockaddr_storage* addr1, socklen_t len1,
+ struct sockaddr_storage* addr2, socklen_t len2)
+{
+ struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
+ struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
+ struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
+ struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
+ if(len1 < len2)
+ return -1;
+ if(len1 > len2)
+ return 1;
+ log_assert(len1 == len2);
+ if( p1_in->sin_family < p2_in->sin_family)
+ return -1;
+ if( p1_in->sin_family > p2_in->sin_family)
+ return 1;
+ log_assert( p1_in->sin_family == p2_in->sin_family );
+ /* compare ip4 */
+ if( p1_in->sin_family == AF_INET ) {
+ /* just order it, ntohs not required */
+ if(p1_in->sin_port < p2_in->sin_port)
+ return -1;
+ if(p1_in->sin_port > p2_in->sin_port)
+ return 1;
+ log_assert(p1_in->sin_port == p2_in->sin_port);
+ return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
+ } else if (p1_in6->sin6_family == AF_INET6) {
+ /* just order it, ntohs not required */
+ if(p1_in6->sin6_port < p2_in6->sin6_port)
+ return -1;
+ if(p1_in6->sin6_port > p2_in6->sin6_port)
+ return 1;
+ log_assert(p1_in6->sin6_port == p2_in6->sin6_port);
+ return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
+ INET6_SIZE);
+ } else {
+ /* eek unknown type, perform this comparison for sanity. */
+ return memcmp(addr1, addr2, len1);
+ }
+}
+
+int
+sockaddr_cmp_addr(struct sockaddr_storage* addr1, socklen_t len1,
+ struct sockaddr_storage* addr2, socklen_t len2)
+{
+ struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
+ struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
+ struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
+ struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
+ if(len1 < len2)
+ return -1;
+ if(len1 > len2)
+ return 1;
+ log_assert(len1 == len2);
+ if( p1_in->sin_family < p2_in->sin_family)
+ return -1;
+ if( p1_in->sin_family > p2_in->sin_family)
+ return 1;
+ log_assert( p1_in->sin_family == p2_in->sin_family );
+ /* compare ip4 */
+ if( p1_in->sin_family == AF_INET ) {
+ return memcmp(&p1_in->sin_addr, &p2_in->sin_addr, INET_SIZE);
+ } else if (p1_in6->sin6_family == AF_INET6) {
+ return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
+ INET6_SIZE);
+ } else {
+ /* eek unknown type, perform this comparison for sanity. */
+ return memcmp(addr1, addr2, len1);
+ }
+}
+
+int
+addr_is_ip6(struct sockaddr_storage* addr, socklen_t len)
+{
+ if(len == (socklen_t)sizeof(struct sockaddr_in6) &&
+ ((struct sockaddr_in6*)addr)->sin6_family == AF_INET6)
+ return 1;
+ else return 0;
+}
+
+void
+addr_mask(struct sockaddr_storage* addr, socklen_t len, int net)
+{
+ uint8_t mask[8] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
+ int i, max;
+ uint8_t* s;
+ if(addr_is_ip6(addr, len)) {
+ s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
+ max = 128;
+ } else {
+ s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr;
+ max = 32;
+ }
+ if(net >= max)
+ return;
+ for(i=net/8+1; i<max/8; i++) {
+ s[i] = 0;
+ }
+ s[net/8] &= mask[net&0x7];
+}
+
+int
+addr_in_common(struct sockaddr_storage* addr1, int net1,
+ struct sockaddr_storage* addr2, int net2, socklen_t addrlen)
+{
+ int min = (net1<net2)?net1:net2;
+ int i, to;
+ int match = 0;
+ uint8_t* s1, *s2;
+ if(addr_is_ip6(addr1, addrlen)) {
+ s1 = (uint8_t*)&((struct sockaddr_in6*)addr1)->sin6_addr;
+ s2 = (uint8_t*)&((struct sockaddr_in6*)addr2)->sin6_addr;
+ to = 16;
+ } else {
+ s1 = (uint8_t*)&((struct sockaddr_in*)addr1)->sin_addr;
+ s2 = (uint8_t*)&((struct sockaddr_in*)addr2)->sin_addr;
+ to = 4;
+ }
+ /* match = bits_in_common(s1, s2, to); */
+ for(i=0; i<to; i++) {
+ if(s1[i] == s2[i]) {
+ match += 8;
+ } else {
+ uint8_t z = s1[i]^s2[i];
+ log_assert(z);
+ while(!(z&0x80)) {
+ match++;
+ z<<=1;
+ }
+ break;
+ }
+ }
+ if(match > min) match = min;
+ return match;
+}
+
+void
+addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
+ char* buf, size_t len)
+{
+ int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ if(addr_is_ip6(addr, addrlen))
+ sinaddr = &((struct sockaddr_in6*)addr)->sin6_addr;
+ if(inet_ntop(af, sinaddr, buf, (socklen_t)len) == 0) {
+ snprintf(buf, len, "(inet_ntop_error)");
+ }
+}
+
+int
+addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
+{
+ /* prefix for ipv4 into ipv6 mapping is ::ffff:x.x.x.x */
+ const uint8_t map_prefix[16] =
+ {0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0};
+ uint8_t* s;
+ if(!addr_is_ip6(addr, addrlen))
+ return 0;
+ /* s is 16 octet ipv6 address string */
+ s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
+ return (memcmp(s, map_prefix, 12) == 0);
+}
+
+int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
+{
+ int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
+ && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
+}
+
+int addr_is_any(struct sockaddr_storage* addr, socklen_t addrlen)
+{
+ int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ void* sin6addr = &((struct sockaddr_in6*)addr)->sin6_addr;
+ if(af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
+ && memcmp(sinaddr, "\000\000\000\000", 4) == 0)
+ return 1;
+ else if(af==AF_INET6 && addrlen>=(socklen_t)sizeof(struct sockaddr_in6)
+ && memcmp(sin6addr, "\000\000\000\000\000\000\000\000"
+ "\000\000\000\000\000\000\000\000", 16) == 0)
+ return 1;
+ return 0;
+}
+
+void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
+ socklen_t len, struct regional* region)
+{
+ struct sock_list* add = (struct sock_list*)regional_alloc(region,
+ sizeof(*add) - sizeof(add->addr) + (size_t)len);
+ if(!add) {
+ log_err("out of memory in socketlist insert");
+ return;
+ }
+ log_assert(list);
+ add->next = *list;
+ add->len = len;
+ *list = add;
+ if(len) memmove(&add->addr, addr, len);
+}
+
+void sock_list_prepend(struct sock_list** list, struct sock_list* add)
+{
+ struct sock_list* last = add;
+ if(!last)
+ return;
+ while(last->next)
+ last = last->next;
+ last->next = *list;
+ *list = add;
+}
+
+int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
+ socklen_t len)
+{
+ while(list) {
+ if(len == list->len) {
+ if(len == 0 || sockaddr_cmp_addr(addr, len,
+ &list->addr, list->len) == 0)
+ return 1;
+ }
+ list = list->next;
+ }
+ return 0;
+}
+
+void sock_list_merge(struct sock_list** list, struct regional* region,
+ struct sock_list* add)
+{
+ struct sock_list* p;
+ for(p=add; p; p=p->next) {
+ if(!sock_list_find(*list, &p->addr, p->len))
+ sock_list_insert(list, &p->addr, p->len, region);
+ }
+}
+
+void
+log_crypto_err(const char* str)
+{
+#ifdef HAVE_SSL
+ /* error:[error code]:[library name]:[function name]:[reason string] */
+ char buf[128];
+ unsigned long e;
+ ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
+ log_err("%s crypto %s", str, buf);
+ while( (e=ERR_get_error()) ) {
+ ERR_error_string_n(e, buf, sizeof(buf));
+ log_err("and additionally crypto %s", buf);
+ }
+#else
+ (void)str;
+#endif /* HAVE_SSL */
+}
+
+void* listen_sslctx_create(char* key, char* pem, char* verifypem)
+{
+#ifdef HAVE_SSL
+ SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
+ if(!ctx) {
+ log_crypto_err("could not SSL_CTX_new");
+ return NULL;
+ }
+ /* no SSLv2 because has defects */
+ if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+ log_crypto_err("could not set SSL_OP_NO_SSLv2");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+ log_err("error for cert file: %s", pem);
+ log_crypto_err("error in SSL_CTX use_certificate_file");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
+ log_err("error for private key file: %s", key);
+ log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_check_private_key(ctx)) {
+ log_err("error for key file: %s", key);
+ log_crypto_err("Error in SSL_CTX check_private_key");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+
+ if(verifypem && verifypem[0]) {
+ if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
+ log_crypto_err("Error in SSL_CTX verify locations");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
+ verifypem));
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ }
+ return ctx;
+#else
+ (void)key; (void)pem; (void)verifypem;
+ return NULL;
+#endif
+}
+
+void* connect_sslctx_create(char* key, char* pem, char* verifypem)
+{
+#ifdef HAVE_SSL
+ SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
+ if(!ctx) {
+ log_crypto_err("could not allocate SSL_CTX pointer");
+ return NULL;
+ }
+ if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
+ log_crypto_err("could not set SSL_OP_NO_SSLv2");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(key && key[0]) {
+ if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+ log_err("error in client certificate %s", pem);
+ log_crypto_err("error in certificate file");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
+ log_err("error in client private key %s", key);
+ log_crypto_err("error in key file");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_check_private_key(ctx)) {
+ log_err("error in client key %s", key);
+ log_crypto_err("error in SSL_CTX_check_private_key");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ }
+ if(verifypem && verifypem[0]) {
+ if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL) != 1) {
+ log_crypto_err("error in SSL_CTX verify");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ }
+ return ctx;
+#else
+ (void)key; (void)pem; (void)verifypem;
+ return NULL;
+#endif
+}
+
+void* incoming_ssl_fd(void* sslctx, int fd)
+{
+#ifdef HAVE_SSL
+ SSL* ssl = SSL_new((SSL_CTX*)sslctx);
+ if(!ssl) {
+ log_crypto_err("could not SSL_new");
+ return NULL;
+ }
+ SSL_set_accept_state(ssl);
+ (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ if(!SSL_set_fd(ssl, fd)) {
+ log_crypto_err("could not SSL_set_fd");
+ SSL_free(ssl);
+ return NULL;
+ }
+ return ssl;
+#else
+ (void)sslctx; (void)fd;
+ return NULL;
+#endif
+}
+
+void* outgoing_ssl_fd(void* sslctx, int fd)
+{
+#ifdef HAVE_SSL
+ SSL* ssl = SSL_new((SSL_CTX*)sslctx);
+ if(!ssl) {
+ log_crypto_err("could not SSL_new");
+ return NULL;
+ }
+ SSL_set_connect_state(ssl);
+ (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ if(!SSL_set_fd(ssl, fd)) {
+ log_crypto_err("could not SSL_set_fd");
+ SSL_free(ssl);
+ return NULL;
+ }
+ return ssl;
+#else
+ (void)sslctx; (void)fd;
+ return NULL;
+#endif
+}
+
+#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+/** global lock list for openssl locks */
+static lock_basic_t *ub_openssl_locks = NULL;
+
+/** callback that gets thread id for openssl */
+static unsigned long
+ub_crypto_id_cb(void)
+{
+ return (unsigned long)ub_thread_self();
+}
+
+static void
+ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
+ int ATTR_UNUSED(line))
+{
+ if((mode&CRYPTO_LOCK)) {
+ lock_basic_lock(&ub_openssl_locks[type]);
+ } else {
+ lock_basic_unlock(&ub_openssl_locks[type]);
+ }
+}
+#endif /* OPENSSL_THREADS */
+
+int ub_openssl_lock_init(void)
+{
+#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+ int i;
+ ub_openssl_locks = (lock_basic_t*)malloc(
+ sizeof(lock_basic_t)*CRYPTO_num_locks());
+ if(!ub_openssl_locks)
+ return 0;
+ for(i=0; i<CRYPTO_num_locks(); i++) {
+ lock_basic_init(&ub_openssl_locks[i]);
+ }
+ CRYPTO_set_id_callback(&ub_crypto_id_cb);
+ CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
+#endif /* OPENSSL_THREADS */
+ return 1;
+}
+
+void ub_openssl_lock_delete(void)
+{
+#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+ int i;
+ if(!ub_openssl_locks)
+ return;
+ CRYPTO_set_id_callback(NULL);
+ CRYPTO_set_locking_callback(NULL);
+ for(i=0; i<CRYPTO_num_locks(); i++) {
+ lock_basic_destroy(&ub_openssl_locks[i]);
+ }
+ free(ub_openssl_locks);
+#endif /* OPENSSL_THREADS */
+}
+
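Review bot: In connect_sslctx_create the guard `if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL) != 1)` is inverted by operator precedence: `!` binds before `!=`, so it evaluates `(!ret) != 1`, which is true when the call succeeds (ret 1) and false when it fails (ret 0) — a configured CA file always takes the error path, and a failed load falls through to `SSL_VERIFY_PEER` with no trusted roots. The listen-side counterpart a few lines earlier uses the correct form; change this line to `if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {`. Separately, both contexts set only `SSL_OP_NO_SSLv2` on their `SSL_CTX_set_options` calls, so SSLv3 remains negotiable; `SSL_OP_NO_SSLv3` belongs in the same calls. Also, on the server side `SSL_VERIFY_PEER` without `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` lets a client that presents no certificate complete the handshake, so callers of listen_sslctx_create presumably have to check `SSL_get_peer_certificate` themselves — worth a comment on that line so the contract is visible here.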