devuan
/
pdns-recursor
10
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 20 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
499 Commits
1 Branch
7.9 MiB
 
 
 
 
 
 
Branch: suites/unstable
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'suites/unstable'
${ noResults }
pdns-recursor/dnssecinfra.hh

176 lines
6.2 KiB
Raw Permalink Blame History 

  1. /*

  2.  * This file is part of PowerDNS or dnsdist.

  3.  * Copyright -- PowerDNS.COM B.V. and its contributors

  4.  *

  5.  * This program is free software; you can redistribute it and/or modify

  6.  * it under the terms of version 2 of the GNU General Public License as

  7.  * published by the Free Software Foundation.

  8.  *

  9.  * In addition, for the avoidance of any doubt, permission is granted to

  10.  * link this program with OpenSSL and to (re)distribute the binaries

  11.  * produced as the result of such linking.

  12.  *

  13.  * This program is distributed in the hope that it will be useful,

  14.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  15.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  16.  * GNU General Public License for more details.

  17.  *

  18.  * You should have received a copy of the GNU General Public License

  19.  * along with this program; if not, write to the Free Software

  20.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

  21.  */

  22. #pragma once

  23. #include "dnsrecords.hh"

  24. 

  25. #include <string>

  26. #include <vector>

  27. #include <map>

  28. #include "misc.hh"

  29. 

  30. class UeberBackend;

  31. 

  32. // rules of the road: Algorithm must be set in 'make' for each KeyEngine, and will NEVER change!

  33. 

  34. class DNSCryptoKeyEngine

  35. {

  36.   public:

  37.     explicit DNSCryptoKeyEngine(unsigned int algorithm) : d_algorithm(algorithm) {}

  38.     virtual ~DNSCryptoKeyEngine() {};

  39.     virtual string getName() const = 0;

  40.     

  41.     typedef std::map<std::string, std::string> stormap_t;

  42.     typedef std::vector<std::pair<std::string, std::string > > storvector_t;

  43.     virtual void create(unsigned int bits)=0;

  44.     virtual storvector_t convertToISCVector() const =0;

  45.     std::string convertToISC() const ;

  46.     virtual std::string sign(const std::string& msg) const =0;

  47.     virtual std::string hash(const std::string& msg) const

  48.     {

  49.        throw std::runtime_error("hash() function not implemented");

  50.        return msg;

  51.     }

  52.     virtual bool verify(const std::string& msg, const std::string& signature) const =0;

  53.     

  54.     virtual std::string getPubKeyHash()const =0;

  55.     virtual std::string getPublicKeyString()const =0;

  56.     virtual int getBits() const =0;

  57.     virtual unsigned int getAlgorithm() const

  58.     {

  59.       return d_algorithm;

  60.     }

  61.  

  62.     virtual void fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap)=0;

  63.     virtual void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)

  64.     {

  65.       throw std::runtime_error("Can't import from PEM string");

  66.     }

  67.     virtual void fromPublicKeyString(const std::string& content) = 0;

  68.     virtual bool checkKey(vector<string> *errorMessages = nullptr) const

  69.     {

  70.       return true;

  71.     }

  72.     static shared_ptr<DNSCryptoKeyEngine> makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);

  73.     static shared_ptr<DNSCryptoKeyEngine> makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);

  74.     static shared_ptr<DNSCryptoKeyEngine> makeFromPEMString(DNSKEYRecordContent& drc, const std::string& raw);

  75.     static shared_ptr<DNSCryptoKeyEngine> makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);

  76.     static shared_ptr<DNSCryptoKeyEngine> make(unsigned int algorithm);

  77.     static bool isAlgorithmSupported(unsigned int algo);

  78.     static bool isDigestSupported(uint8_t digest);

  79.     

  80.     typedef shared_ptr<DNSCryptoKeyEngine> maker_t(unsigned int algorithm);

  81.     

  82.     static void report(unsigned int algorithm, maker_t* maker, bool fallback=false);

  83.     static void testMakers(unsigned int algorithm, maker_t* creator, maker_t* signer, maker_t* verifier);

  84.     static vector<pair<uint8_t, string>> listAllAlgosWithBackend();

  85.     static bool testAll();

  86.     static bool testOne(int algo);

  87.   private:

  88.     

  89.     typedef std::map<unsigned int, maker_t*> makers_t;

  90.     typedef std::map<unsigned int, vector<maker_t*> > allmakers_t;

  91.     static makers_t& getMakers()

  92.     {

  93.       static makers_t s_makers;

  94.       return s_makers;

  95.     }

  96.     static allmakers_t& getAllMakers()

  97.     {

  98.       static allmakers_t s_allmakers;

  99.       return s_allmakers;

  100.     }

  101.   protected:

  102.     const unsigned int d_algorithm;

  103. };

  104. 

  105. struct DNSSECPrivateKey

  106. {

  107.   uint16_t getTag() const

  108.   {

  109.     return getDNSKEY().getTag();

  110.   }

  111.   

  112.   const shared_ptr<DNSCryptoKeyEngine> getKey() const

  113.   {

  114.     return d_key;

  115.   }

  116.   

  117.   void setKey(const shared_ptr<DNSCryptoKeyEngine> key)

  118.   {

  119.     d_key = key;

  120.     d_algorithm = key->getAlgorithm();

  121.   }

  122.   DNSKEYRecordContent getDNSKEY() const;

  123. 

  124.   uint16_t d_flags;

  125.   uint8_t d_algorithm;

  126. 

  127. private:

  128.   shared_ptr<DNSCryptoKeyEngine> d_key;

  129. };

  130. 

  131. 

  132. 

  133. struct CanonicalCompare: public std::binary_function<string, string, bool>  

  134. {

  135.   bool operator()(const std::string& a, const std::string& b) {

  136.     std::vector<std::string> avect, bvect;

  137. 

  138.     stringtok(avect, a, ".");

  139.     stringtok(bvect, b, ".");

  140.     

  141.     reverse(avect.begin(), avect.end());

  142.     reverse(bvect.begin(), bvect.end());

  143.     

  144.     return avect < bvect;

  145.   }

  146. };

  147. 

  148. struct sharedDNSSECRecordCompare {

  149.     bool operator() (const shared_ptr<DNSRecordContent>& a, const shared_ptr<DNSRecordContent>& b) const {

  150.       return a->serialize(g_rootdnsname, true, true) < b->serialize(g_rootdnsname, true, true);

  151.     }

  152. };

  153. 

  154. typedef std::set<std::shared_ptr<DNSRecordContent>, sharedDNSSECRecordCompare> sortedRecords_t;

  155. 

  156. string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, const sortedRecords_t& signRecords, bool processRRSIGLabels = false);

  157. 

  158. DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, uint8_t digest);

  159. 

  160. class DNSSECKeeper; 

  161. 

  162. uint32_t getStartOfWeek();

  163. 

  164. string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);

  165. string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const DNSName& qname);

  166. 

  167. void incrementHash(std::string& raw);

  168. void decrementHash(std::string& raw);

  169. 

  170. void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, vector<DNSZoneRecord>& rrs);

  171. 

  172. void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);

  173. bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);

  174. 

  175. uint64_t signatureCacheSize(const std::string& str);