You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

176 lines
6.2 KiB

  1. /*
  2. * This file is part of PowerDNS or dnsdist.
  3. * Copyright -- PowerDNS.COM B.V. and its contributors
  4. *
  5. * This program is free software; you can redistribute it and/or modify
  6. * it under the terms of version 2 of the GNU General Public License as
  7. * published by the Free Software Foundation.
  8. *
  9. * In addition, for the avoidance of any doubt, permission is granted to
  10. * link this program with OpenSSL and to (re)distribute the binaries
  11. * produced as the result of such linking.
  12. *
  13. * This program is distributed in the hope that it will be useful,
  14. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. * GNU General Public License for more details.
  17. *
  18. * You should have received a copy of the GNU General Public License
  19. * along with this program; if not, write to the Free Software
  20. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21. */
  22. #pragma once
  23. #include "dnsrecords.hh"
  24. #include <string>
  25. #include <vector>
  26. #include <map>
  27. #include "misc.hh"
  28. class UeberBackend;
  29. // rules of the road: Algorithm must be set in 'make' for each KeyEngine, and will NEVER change!
  30. class DNSCryptoKeyEngine
  31. {
  32. public:
  33. explicit DNSCryptoKeyEngine(unsigned int algorithm) : d_algorithm(algorithm) {}
  34. virtual ~DNSCryptoKeyEngine() {};
  35. virtual string getName() const = 0;
  36. typedef std::map<std::string, std::string> stormap_t;
  37. typedef std::vector<std::pair<std::string, std::string > > storvector_t;
  38. virtual void create(unsigned int bits)=0;
  39. virtual storvector_t convertToISCVector() const =0;
  40. std::string convertToISC() const ;
  41. virtual std::string sign(const std::string& msg) const =0;
  42. virtual std::string hash(const std::string& msg) const
  43. {
  44. throw std::runtime_error("hash() function not implemented");
  45. return msg;
  46. }
  47. virtual bool verify(const std::string& msg, const std::string& signature) const =0;
  48. virtual std::string getPubKeyHash()const =0;
  49. virtual std::string getPublicKeyString()const =0;
  50. virtual int getBits() const =0;
  51. virtual unsigned int getAlgorithm() const
  52. {
  53. return d_algorithm;
  54. }
  55. virtual void fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap)=0;
  56. virtual void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)
  57. {
  58. throw std::runtime_error("Can't import from PEM string");
  59. }
  60. virtual void fromPublicKeyString(const std::string& content) = 0;
  61. virtual bool checkKey(vector<string> *errorMessages = nullptr) const
  62. {
  63. return true;
  64. }
  65. static shared_ptr<DNSCryptoKeyEngine> makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
  66. static shared_ptr<DNSCryptoKeyEngine> makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
  67. static shared_ptr<DNSCryptoKeyEngine> makeFromPEMString(DNSKEYRecordContent& drc, const std::string& raw);
  68. static shared_ptr<DNSCryptoKeyEngine> makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);
  69. static shared_ptr<DNSCryptoKeyEngine> make(unsigned int algorithm);
  70. static bool isAlgorithmSupported(unsigned int algo);
  71. static bool isDigestSupported(uint8_t digest);
  72. typedef shared_ptr<DNSCryptoKeyEngine> maker_t(unsigned int algorithm);
  73. static void report(unsigned int algorithm, maker_t* maker, bool fallback=false);
  74. static void testMakers(unsigned int algorithm, maker_t* creator, maker_t* signer, maker_t* verifier);
  75. static vector<pair<uint8_t, string>> listAllAlgosWithBackend();
  76. static bool testAll();
  77. static bool testOne(int algo);
  78. private:
  79. typedef std::map<unsigned int, maker_t*> makers_t;
  80. typedef std::map<unsigned int, vector<maker_t*> > allmakers_t;
  81. static makers_t& getMakers()
  82. {
  83. static makers_t s_makers;
  84. return s_makers;
  85. }
  86. static allmakers_t& getAllMakers()
  87. {
  88. static allmakers_t s_allmakers;
  89. return s_allmakers;
  90. }
  91. protected:
  92. const unsigned int d_algorithm;
  93. };
  94. struct DNSSECPrivateKey
  95. {
  96. uint16_t getTag() const
  97. {
  98. return getDNSKEY().getTag();
  99. }
  100. const shared_ptr<DNSCryptoKeyEngine> getKey() const
  101. {
  102. return d_key;
  103. }
  104. void setKey(const shared_ptr<DNSCryptoKeyEngine> key)
  105. {
  106. d_key = key;
  107. d_algorithm = key->getAlgorithm();
  108. }
  109. DNSKEYRecordContent getDNSKEY() const;
  110. uint16_t d_flags;
  111. uint8_t d_algorithm;
  112. private:
  113. shared_ptr<DNSCryptoKeyEngine> d_key;
  114. };
  115. struct CanonicalCompare: public std::binary_function<string, string, bool>
  116. {
  117. bool operator()(const std::string& a, const std::string& b) {
  118. std::vector<std::string> avect, bvect;
  119. stringtok(avect, a, ".");
  120. stringtok(bvect, b, ".");
  121. reverse(avect.begin(), avect.end());
  122. reverse(bvect.begin(), bvect.end());
  123. return avect < bvect;
  124. }
  125. };
  126. struct sharedDNSSECRecordCompare {
  127. bool operator() (const shared_ptr<DNSRecordContent>& a, const shared_ptr<DNSRecordContent>& b) const {
  128. return a->serialize(g_rootdnsname, true, true) < b->serialize(g_rootdnsname, true, true);
  129. }
  130. };
  131. typedef std::set<std::shared_ptr<DNSRecordContent>, sharedDNSSECRecordCompare> sortedRecords_t;
  132. string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, const sortedRecords_t& signRecords, bool processRRSIGLabels = false);
  133. DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, uint8_t digest);
  134. class DNSSECKeeper;
  135. uint32_t getStartOfWeek();
  136. string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
  137. string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const DNSName& qname);
  138. void incrementHash(std::string& raw);
  139. void decrementHash(std::string& raw);
  140. void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, vector<DNSZoneRecord>& rrs);
  141. void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
  142. bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);
  143. uint64_t signatureCacheSize(const std::string& str);