[thirdparty/pdns.git] / pdns / dnssecinfra.hh

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
#ifndef PDNS_DNSSECINFRA_HH
#define PDNS_DNSSECINFRA_HH

#include "dnsrecords.hh"

#include <string>
#include <vector>
#include <map>
#include "misc.hh"

class UeberBackend;

// rules of the road: Algorithm must be set in 'make' for each KeyEngine, and will NEVER change!

class DNSCryptoKeyEngine
{
  public:
    explicit DNSCryptoKeyEngine(unsigned int algorithm) : d_algorithm(algorithm) {}
    virtual ~DNSCryptoKeyEngine() {};
    virtual string getName() const = 0;
    
    typedef std::map<std::string, std::string> stormap_t;
    typedef std::vector<std::pair<std::string, std::string > > storvector_t;
    virtual void create(unsigned int bits)=0;
    virtual storvector_t convertToISCVector() const =0;
    std::string convertToISC() const ;
    virtual std::string sign(const std::string& msg) const =0;
    virtual std::string hash(const std::string& msg) const
    {
       throw std::runtime_error("hash() function not implemented");
       return msg;
    }
    virtual bool verify(const std::string& msg, const std::string& signature) const =0;
    
    virtual std::string getPubKeyHash()const =0;
    virtual std::string getPublicKeyString()const =0;
    virtual int getBits() const =0;
    virtual unsigned int getAlgorithm() const
    {
      return d_algorithm;
    }
 
    virtual void fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap)=0;
    virtual void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)
    {
      throw std::runtime_error("Can't import from PEM string");
    }
    virtual void fromPublicKeyString(const std::string& content) = 0;
    virtual bool checkKey() const
    {
      return true;
    }
    static shared_ptr<DNSCryptoKeyEngine> makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
    static shared_ptr<DNSCryptoKeyEngine> makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
    static shared_ptr<DNSCryptoKeyEngine> makeFromPEMString(DNSKEYRecordContent& drc, const std::string& raw);
    static shared_ptr<DNSCryptoKeyEngine> makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);
    static shared_ptr<DNSCryptoKeyEngine> make(unsigned int algorithm);
    static bool isAlgorithmSupported(unsigned int algo);
    static bool isDigestSupported(uint8_t digest);
    
    typedef shared_ptr<DNSCryptoKeyEngine> maker_t(unsigned int algorithm);
    
    static void report(unsigned int algorithm, maker_t* maker, bool fallback=false);
    static std::pair<unsigned int, unsigned int> testMakers(unsigned int algorithm, maker_t* creator, maker_t* signer, maker_t* verifier);
    static vector<pair<uint8_t, string>> listAllAlgosWithBackend();
    static bool testAll();
    static bool testOne(int algo);
  private:
    
    typedef std::map<unsigned int, maker_t*> makers_t;
    typedef std::map<unsigned int, vector<maker_t*> > allmakers_t;
    static makers_t& getMakers()
    {
      static makers_t s_makers;
      return s_makers;
    }
    static allmakers_t& getAllMakers()
    {
      static allmakers_t s_allmakers;
      return s_allmakers;
    }
  protected:
    const unsigned int d_algorithm;
};

struct DNSSECPrivateKey
{
  uint16_t getTag() const
  {
    return getDNSKEY().getTag();
  }
  
  const shared_ptr<DNSCryptoKeyEngine> getKey() const
  {
    return d_key;
  }
  
  void setKey(const shared_ptr<DNSCryptoKeyEngine> key)
  {
    d_key = key;
    d_algorithm = key->getAlgorithm();
  }
  DNSKEYRecordContent getDNSKEY() const;

  uint16_t d_flags;
  uint8_t d_algorithm;

private:
  shared_ptr<DNSCryptoKeyEngine> d_key;
};


struct CanonicalCompare: public std::binary_function<string, string, bool>  
{
  bool operator()(const std::string& a, const std::string& b) {
    std::vector<std::string> avect, bvect;

    stringtok(avect, a, ".");
    stringtok(bvect, b, ".");
    
    reverse(avect.begin(), avect.end());
    reverse(bvect.begin(), bvect.end());
    
    return avect < bvect;
  }
};

string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, std::vector<std::shared_ptr<DNSRecordContent> >& signRecords, bool processRRSIGLabels = false);

DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, uint8_t digest);

class DNSSECKeeper; 

uint32_t getStartOfWeek();

string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const DNSName& qname);

void incrementHash(std::string& raw);
void decrementHash(std::string& raw);

void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, vector<DNSZoneRecord>& rrs);

void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);

uint64_t signatureCacheSize(const std::string& str);
#endif
Commit	Line	Data
12471842 PL	1	/*
	2	* This file is part of PowerDNS or dnsdist.
	3	* Copyright -- PowerDNS.COM B.V. and its contributors
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of version 2 of the GNU General Public License as
	7	* published by the Free Software Foundation.
	8	*
	9	* In addition, for the avoidance of any doubt, permission is granted to
	10	* link this program with OpenSSL and to (re)distribute the binaries
	11	* produced as the result of such linking.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	21	*/
4691b2df BH	22	#ifndef PDNS_DNSSECINFRA_HH
4691b2df BH	23	#define PDNS_DNSSECINFRA_HH
8daea594	24
4691b2df	25	#include "dnsrecords.hh"
dd7da6cd	26
4691b2df BH	27	#include <string>
4691b2df BH	28	#include <vector>
022e5e0b	29	#include <map>
4691b2df	30	#include "misc.hh"
39ec5d29	31
39ec5d29	32	class UeberBackend;
4691b2df	33
189bb9d2 BH	34	// rules of the road: Algorithm must be set in 'make' for each KeyEngine, and will NEVER change!
189bb9d2 BH	35
8d9f38f2	36	class DNSCryptoKeyEngine
699e6e37 BH	37	{
699e6e37 BH	38	public:
189bb9d2	39	explicit DNSCryptoKeyEngine(unsigned int algorithm) : d_algorithm(algorithm) {}
3a168083	40	virtual ~DNSCryptoKeyEngine() {};
189bb9d2 BH	41	virtual string getName() const = 0;
	42
	43	typedef std::map<std::string, std::string> stormap_t;
c99573a5	44	typedef std::vector<std::pair<std::string, std::string > > storvector_t;
699e6e37	45	virtual void create(unsigned int bits)=0;
c99573a5	46	virtual storvector_t convertToISCVector() const =0;
189bb9d2 BH	47	std::string convertToISC() const ;
189bb9d2 BH	48	virtual std::string sign(const std::string& msg) const =0;
7c9c554a KM	49	virtual std::string hash(const std::string& msg) const
	50	{
	51	throw std::runtime_error("hash() function not implemented");
	52	return msg;
	53	}
189bb9d2 BH	54	virtual bool verify(const std::string& msg, const std::string& signature) const =0;
189bb9d2 BH	55
699e6e37	56	virtual std::string getPubKeyHash()const =0;
699e6e37 BH	57	virtual std::string getPublicKeyString()const =0;
699e6e37 BH	58	virtual int getBits() const =0;
8455425c RG	59	virtual unsigned int getAlgorithm() const
	60	{
	61	return d_algorithm;
	62	}
8daea594	63
189bb9d2 BH	64	virtual void fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap)=0;
189bb9d2 BH	65	virtual void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)
aa65a832	66	{
189bb9d2	67	throw std::runtime_error("Can't import from PEM string");
aa65a832	68	}
189bb9d2	69	virtual void fromPublicKeyString(const std::string& content) = 0;
45c2bc60	70	virtual bool checkKey() const
8ca3ea33 RG	71	{
	72	return true;
	73	}
e69c2dac RG	74	static shared_ptr<DNSCryptoKeyEngine> makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
	75	static shared_ptr<DNSCryptoKeyEngine> makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
	76	static shared_ptr<DNSCryptoKeyEngine> makeFromPEMString(DNSKEYRecordContent& drc, const std::string& raw);
	77	static shared_ptr<DNSCryptoKeyEngine> makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);
	78	static shared_ptr<DNSCryptoKeyEngine> make(unsigned int algorithm);
8455425c RG	79	static bool isAlgorithmSupported(unsigned int algo);
8455425c RG	80	static bool isDigestSupported(uint8_t digest);
431a3cbc	81
e69c2dac	82	typedef shared_ptr<DNSCryptoKeyEngine> maker_t(unsigned int algorithm);
431a3cbc	83
f309dacd	84	static void report(unsigned int algorithm, maker_t* maker, bool fallback=false);
530b4335	85	static std::pair<unsigned int, unsigned int> testMakers(unsigned int algorithm, maker_t* creator, maker_t* signer, maker_t* verifier);
98d13a90	86	static vector<pair<uint8_t, string>> listAllAlgosWithBackend();
166d8647 KM	87	static bool testAll();
166d8647 KM	88	static bool testOne(int algo);
022e5e0b BH	89	private:
	90
	91	typedef std::map<unsigned int, maker_t*> makers_t;
189bb9d2	92	typedef std::map<unsigned int, vector<maker_t*> > allmakers_t;
022e5e0b BH	93	static makers_t& getMakers()
	94	{
	95	static makers_t s_makers;
	96	return s_makers;
	97	}
189bb9d2 BH	98	static allmakers_t& getAllMakers()
	99	{
	100	static allmakers_t s_allmakers;
	101	return s_allmakers;
	102	}
	103	protected:
	104	const unsigned int d_algorithm;
431a3cbc BH	105	};
431a3cbc BH	106
431a3cbc BH	107	struct DNSSECPrivateKey
431a3cbc BH	108	{
620d4801 RG	109	uint16_t getTag() const
	110	{
	111	return getDNSKEY().getTag();
	112	}
431a3cbc	113
e69c2dac	114	const shared_ptr<DNSCryptoKeyEngine> getKey() const
699e6e37	115	{
e69c2dac	116	return d_key;
699e6e37 BH	117	}
699e6e37 BH	118
8d9f38f2	119	void setKey(const shared_ptr<DNSCryptoKeyEngine> key)
699e6e37 BH	120	{
699e6e37 BH	121	d_key = key;
8455425c	122	d_algorithm = key->getAlgorithm();
699e6e37	123	}
431a3cbc	124	DNSKEYRecordContent getDNSKEY() const;
d5aac6e6	125
431a3cbc	126	uint16_t d_flags;
d5aac6e6 PL	127	uint8_t d_algorithm;
d5aac6e6 PL	128
699e6e37	129	private:
8d9f38f2	130	shared_ptr<DNSCryptoKeyEngine> d_key;
431a3cbc BH	131	};
	132
	133
	134
10f4eea8	135	struct CanonicalCompare: public std::binary_function<string, string, bool>
4691b2df BH	136	{
	137	bool operator()(const std::string& a, const std::string& b) {
	138	std::vector<std::string> avect, bvect;
	139
	140	stringtok(avect, a, ".");
	141	stringtok(bvect, b, ".");
	142
	143	reverse(avect.begin(), avect.end());
	144	reverse(bvect.begin(), bvect.end());
	145
	146	return avect < bvect;
	147	}
	148	};
	149
125058a0	150	string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, std::vector<std::shared_ptr<DNSRecordContent> >& signRecords, bool processRRSIGLabels = false);
022e5e0b	151
8455425c	152	DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, uint8_t digest);
4691b2df	153
e0d84497	154	class DNSSECKeeper;
4691b2df	155
b61e407d	156	uint32_t getStartOfWeek();
4691b2df	157
28e2e78e	158	string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
e4805005	159	string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const DNSName& qname);
8455425c	160
95823c07 RG	161	void incrementHash(std::string& raw);
	162	void decrementHash(std::string& raw);
	163
90ba52e0	164	void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, vector<DNSZoneRecord>& rrs);
431a3cbc	165
ea3816cf RG	166	void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
ea3816cf RG	167	bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);
3213be1e	168
e903706d	169	uint64_t signatureCacheSize(const std::string& str);
4691b2df	170	#endif