1 | /* |
2 | * This file is part of PowerDNS or dnsdist. | |
3 | * Copyright -- PowerDNS.COM B.V. and its contributors | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of version 2 of the GNU General Public License as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * In addition, for the avoidance of any doubt, permission is granted to | |
10 | * link this program with OpenSSL and to (re)distribute the binaries | |
11 | * produced as the result of such linking. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
22 | #ifndef PDNS_DNSSECINFRA_HH |
23 | #define PDNS_DNSSECINFRA_HH | |
#include <algorithm>
#include <cstdint>
#include <map>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

#include "dnsrecords.hh"
#include "misc.hh"
32 | class UeberBackend; | |
34 | // rules of the road: Algorithm must be set in 'make' for each KeyEngine, and will NEVER change! |
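// Abstract interface over one DNSSEC signing/verification backend (one
// engine per algorithm/implementation pair). Concrete engines register
// themselves through report() and are instantiated via the make*() factories.
class DNSCryptoKeyEngine
{
public:
  // The algorithm number is fixed for the lifetime of an engine: it is
  // assigned once here (from make()) and never changes afterwards.
  explicit DNSCryptoKeyEngine(unsigned int algorithm) : d_algorithm(algorithm) {}
  virtual ~DNSCryptoKeyEngine() = default;

  // Human-readable name of the backing implementation.
  virtual std::string getName() const = 0;

  using stormap_t = std::map<std::string, std::string>;
  using storvector_t = std::vector<std::pair<std::string, std::string>>;

  // Generate fresh key material of the requested size.
  virtual void create(unsigned int bits) = 0;

  // Private-key material in ISC key-file form: ordered (field, value)
  // pairs, or the same rendered to one string by convertToISC().
  virtual storvector_t convertToISCVector() const = 0;
  std::string convertToISC() const;

  // Sign 'msg' with the private key; returns the raw signature bytes.
  virtual std::string sign(const std::string& msg) const = 0;

  // Digest 'msg' with the engine's hash. Engines that only sign/verify
  // keep this default, which always throws (the former unreachable
  // 'return msg;' after the throw has been dropped).
  virtual std::string hash(const std::string& /*msg*/) const
  {
    throw std::runtime_error("hash() function not implemented");
  }

  // Verify 'signature' over 'msg' with the public key.
  virtual bool verify(const std::string& msg, const std::string& signature) const = 0;

  virtual std::string getPubKeyHash() const = 0;
  virtual std::string getPublicKeyString() const = 0;
  virtual int getBits() const = 0;
  virtual unsigned int getAlgorithm() const
  {
    return d_algorithm;
  }

  virtual void fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap) = 0;

  // Optional: engines without PEM support keep this default, which rejects
  // every input.
  virtual void fromPEMString(DNSKEYRecordContent& /*drc*/, const std::string& /*raw*/)
  {
    throw std::runtime_error("Can't import from PEM string");
  }
  virtual void fromPublicKeyString(const std::string& content) = 0;

  // Sanity check of the loaded key material. The default accepts any key,
  // so engines that can validate their parameters should override it.
  virtual bool checkKey() const
  {
    return true;
  }

  static std::shared_ptr<DNSCryptoKeyEngine> makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
  static std::shared_ptr<DNSCryptoKeyEngine> makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
  static std::shared_ptr<DNSCryptoKeyEngine> makeFromPEMString(DNSKEYRecordContent& drc, const std::string& raw);
  static std::shared_ptr<DNSCryptoKeyEngine> makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);
  static std::shared_ptr<DNSCryptoKeyEngine> make(unsigned int algorithm);
  static bool isAlgorithmSupported(unsigned int algo);
  static bool isDigestSupported(uint8_t digest);

  // Signature of an engine factory, as registered with report().
  using maker_t = std::shared_ptr<DNSCryptoKeyEngine>(unsigned int algorithm);

  // Register 'maker' for 'algorithm'; 'fallback' makers presumably only
  // take effect when no primary maker is registered -- verify in the .cc.
  static void report(unsigned int algorithm, maker_t* maker, bool fallback = false);
  static std::pair<unsigned int, unsigned int> testMakers(unsigned int algorithm, maker_t* creator, maker_t* signer, maker_t* verifier);
  static std::vector<std::pair<uint8_t, std::string>> listAllAlgosWithBackend();
  static bool testAll();
  static bool testOne(int algo);

private:
  using makers_t = std::map<unsigned int, maker_t*>;
  using allmakers_t = std::map<unsigned int, std::vector<maker_t*>>;

  // Function-local statics: the registries come into existence on first
  // use, which looks intended to let report() run from static initialisers
  // in other translation units -- confirm against the callers.
  static makers_t& getMakers()
  {
    static makers_t s_makers;
    return s_makers;
  }
  static allmakers_t& getAllMakers()
  {
    static allmakers_t s_allmakers;
    return s_allmakers;
  }

protected:
  const unsigned int d_algorithm;
};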
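// A private key together with the DNSKEY flags and algorithm number it is
// published with. The algorithm is always taken from the engine (setKey()),
// so the two cannot drift apart.
struct DNSSECPrivateKey
{
  // Key tag as computed by DNSKEYRecordContent::getTag() on the DNSKEY
  // derived from this key.
  uint16_t getTag() const
  {
    return getDNSKEY().getTag();
  }

  // Returns a (shared) handle to the engine, or an empty pointer before
  // setKey() was called. The former 'const' on the returned value only
  // blocked moves and has been dropped.
  std::shared_ptr<DNSCryptoKeyEngine> getKey() const
  {
    return d_key;
  }

  // Install the engine and copy its algorithm number. DNSSEC algorithm
  // numbers are 8-bit on the wire; the cast makes the narrowing from
  // getAlgorithm()'s unsigned int explicit. A null engine used to be
  // dereferenced here; it is now rejected up front.
  void setKey(std::shared_ptr<DNSCryptoKeyEngine> key)
  {
    if (!key) {
      throw std::runtime_error("DNSSECPrivateKey::setKey(): key engine must not be null");
    }
    d_algorithm = static_cast<uint8_t>(key->getAlgorithm());
    d_key = std::move(key);
  }
  DNSKEYRecordContent getDNSKEY() const;

  // Both were previously left uninitialised; zero until set by the caller.
  uint16_t d_flags{0};
  uint8_t d_algorithm{0};

private:
  std::shared_ptr<DNSCryptoKeyEngine> d_key;
};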
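// Orders DNS names by label, root-most label first: both names are
// tokenised on '.' by stringtok(), the label lists are reversed and then
// compared lexicographically. Usable as the comparator of std::map/std::sort.
// No longer derives from std::binary_function (deprecated since C++11 and
// removed in C++17); the member typedefs it used to provide are kept below.
struct CanonicalCompare
{
  using first_argument_type = std::string;
  using second_argument_type = std::string;
  using result_type = bool;

  // 'const' so the comparator can be invoked through a const container.
  bool operator()(const std::string& a, const std::string& b) const
  {
    std::vector<std::string> aLabels;
    std::vector<std::string> bLabels;

    stringtok(aLabels, a, ".");
    stringtok(bLabels, b, ".");

    std::reverse(aLabels.begin(), aLabels.end());
    std::reverse(bLabels.begin(), bLabels.end());

    // NOTE(review): this is plain std::string ordering, i.e. case-sensitive
    // byte comparison per label. RFC 4034 section 6.1 canonical ordering is
    // case-insensitive -- confirm that callers pass names in a single case.
    return aLabels < bLabels;
  }
};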
class DNSSECKeeper;

// --- RRSIG / DS --------------------------------------------------------

// Builds the message that is signed, or verified, for the RRset described
// by 'rrc' and 'signRecords' (the wire layout is produced by the
// implementation, not visible here).
std::string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, std::vector<std::shared_ptr<DNSRecordContent>>& signRecords, bool processRRSIGLabels = false);

// Derives a DS record for 'drc' with the given digest type; see
// DNSCryptoKeyEngine::isDigestSupported() for the accepted values.
DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, uint8_t digest);

// Timestamp of the start of the current week; presumably used to give
// signatures stable validity windows -- verify against the callers.
uint32_t getStartOfWeek();

// Adds signatures for the records in 'rrs', using the keys held by 'dk';
// 'authMap' presumably lists the names this server is authoritative for.
void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, std::vector<DNSZoneRecord>& rrs);

// --- NSEC3 -------------------------------------------------------------

// Hashes 'qname' with an NSEC3 salt and iteration count, either taken
// from an NSEC3PARAM record or passed explicitly.
std::string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
std::string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const DNSName& qname);

// Step the binary hash value in 'raw' up or down by one, in place.
void incrementHash(std::string& raw);
void decrementHash(std::string& raw);

// --- TSIG --------------------------------------------------------------

// Appends a TSIG record to the packet being written by 'pw'.
void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const std::string& tsigsecret, const std::string& tsigprevious, bool timersonly);

// Checks the TSIG on 'packet' (the TSIG record starts at 'sigPos') against
// the key in 'tt'; 'theirMAC' is the MAC received on the wire.
// NOTE(review): the comparison of 'theirMAC' with the locally computed MAC
// should be constant-time -- confirm in the implementation.
bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset = 0);

// --- Metrics -----------------------------------------------------------

// Size of the signature cache; 'str' is presumably the metric name
// handed in by the statistics framework -- verify.
uint64_t signatureCacheSize(const std::string& str);
#endif