pdns/dnssecinfra.hh

   1 /*
   2  * This file is part of PowerDNS or dnsdist.
   3  * Copyright -- PowerDNS.COM B.V. and its contributors
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of version 2 of the GNU General Public License as
   7  * published by the Free Software Foundation.
   8  *
   9  * In addition, for the avoidance of any doubt, permission is granted to
  10  * link this program with OpenSSL and to (re)distribute the binaries
  11  * produced as the result of such linking.
  12  *
  13  * This program is distributed in the hope that it will be useful,
  14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  * GNU General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with this program; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21  */
  22 #pragma once
  23 #include "dnsrecords.hh"
  24
  25 #include <string>
  26 #include <vector>
  27 #include <optional>
  28 #include <map>
  29 #include "misc.hh"
  30
  31 class UeberBackend;
  32
  33 // rules of the road: Algorithm must be set in 'make' for each KeyEngine, and will NEVER change!
  34
  35 class DNSCryptoKeyEngine
  36 {
  37   public:
  38     explicit DNSCryptoKeyEngine(unsigned int algorithm) : d_algorithm(algorithm) {}
  39     virtual ~DNSCryptoKeyEngine() {};
  40     [[nodiscard]] virtual string getName() const = 0;
  41
  42     using stormap_t = std::map<std::string, std::string>;
  43     using storvector_t = std::vector<std::pair<std::string, std::string>>;
  44     virtual void create(unsigned int bits)=0;
  45
  46     virtual void createFromPEMFile(DNSKEYRecordContent& /* drc */, std::FILE& /* inputFile */, const std::optional<std::reference_wrapper<const std::string>> filename = std::nullopt)
  47     {
  48       if (filename.has_value()) {
  49         throw std::runtime_error("Can't create key from PEM file `" + filename->get() + "`");
  50       }
  51
  52       throw std::runtime_error("Can't create key from PEM contents");
  53     }
  54
  55     /**
  56      * \brief Creates a key engine from a PEM string.
  57      *
  58      * Receives PEM contents and creates a key engine.
  59      *
  60      * \param[in] drc Key record contents to be populated.
  61      *
  62      * \param[in] contents The PEM string contents.
  63      *
  64      * \return A key engine populated with the contents of the PEM string.
  65      */
  66     void createFromPEMString(DNSKEYRecordContent& drc, const std::string& contents)
  67     {
  68       // NOLINTNEXTLINE(*-cast): POSIX APIs.
  69       unique_ptr<std::FILE, decltype(&std::fclose)> inputFile{fmemopen(const_cast<char*>(contents.data()), contents.length(), "r"), &std::fclose};
  70       createFromPEMFile(drc, *inputFile);
  71     }
  72
  73     [[nodiscard]] virtual storvector_t convertToISCVector() const =0;
  74     [[nodiscard]] std::string convertToISC() const ;
  75
  76     virtual void convertToPEMFile(std::FILE& /* outputFile */) const
  77     {
  78       throw std::runtime_error(getName() + ": Conversion to PEM not supported");
  79     };
  80
  81     /**
  82      * \brief Converts the key into a PEM string.
  83      *
  84      * \return A string containing the key's PEM contents.
  85      */
  86     [[nodiscard]] auto convertToPEMString() const -> std::string
  87     {
  88       const size_t buflen = 4096;
  89
  90       std::string output{};
  91       output.resize(buflen);
  92       unique_ptr<std::FILE, decltype(&std::fclose)> outputFile{fmemopen(output.data(), output.length() - 1, "w"), &std::fclose};
  93       convertToPEMFile(*outputFile);
  94       std::fflush(outputFile.get());
  95       output.resize(std::ftell(outputFile.get()));
  96
  97       return output;
  98     };
  99
 100     [[nodiscard]] virtual std::string sign(const std::string& msg) const =0;
 101
 102     [[nodiscard]] virtual std::string hash(const std::string& msg) const
 103     {
 104        throw std::runtime_error("hash() function not implemented");
 105        return msg;
 106     }
 107
 108     [[nodiscard]] virtual bool verify(const std::string& msg, const std::string& signature) const =0;
 109
 110     [[nodiscard]] virtual std::string getPublicKeyString()const =0;
 111     [[nodiscard]] virtual int getBits() const =0;
 112     [[nodiscard]] virtual unsigned int getAlgorithm() const
 113     {
 114       return d_algorithm;
 115     }
 116
 117     virtual void fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap) = 0;
 118     virtual void fromPublicKeyString(const std::string& content) = 0;
 119
 120     [[nodiscard]] virtual bool checkKey(std::optional<std::reference_wrapper<std::vector<std::string>>> /* errorMessages */ = std::nullopt) const
 121     {
 122       return true;
 123     }
 124
 125     static std::unique_ptr<DNSCryptoKeyEngine> makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
 126
 127     /**
 128      * \brief Creates a key engine from a PEM file.
 129      *
 130      * Receives an open file handle with PEM contents and creates a key engine
 131      * corresponding to the algorithm requested.
 132      *
 133      * \param[in] drc Key record contents to be populated.
 134      *
 135      * \param[in] algorithm Which algorithm to use. See
 136      * https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
 137      *
 138      * \param[in] fp An open file handle to a file containing PEM contents.
 139      *
 140      * \param[in] filename Only used for providing filename information in error messages.
 141      *
 142      * \return A key engine corresponding to the requested algorithm and populated with
 143      * the contents of the PEM file.
 144      */
 145     static std::unique_ptr<DNSCryptoKeyEngine> makeFromPEMFile(DNSKEYRecordContent& drc, uint8_t algorithm, std::FILE& inputFile, const std::string& filename);
 146
 147     /**
 148      * \brief Creates a key engine from a PEM string.
 149      *
 150      * Receives PEM contents and creates a key engine corresponding to the algorithm
 151      * requested.
 152      *
 153      * \param[in] drc Key record contents to be populated.
 154      *
 155      * \param[in] algorithm Which algorithm to use. See
 156      * https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
 157      *
 158      * \param[in] contents The PEM contents.
 159      *
 160      * \return A key engine corresponding to the requested algorithm and populated with
 161      * the contents of the PEM string.
 162      */
 163     static std::unique_ptr<DNSCryptoKeyEngine> makeFromPEMString(DNSKEYRecordContent& drc, uint8_t algorithm, const std::string& contents);
 164
 165     static std::unique_ptr<DNSCryptoKeyEngine> makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
 166     static std::unique_ptr<DNSCryptoKeyEngine> makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);
 167     static std::unique_ptr<DNSCryptoKeyEngine> make(unsigned int algorithm);
 168     static bool isAlgorithmSupported(unsigned int algo);
 169     static bool isDigestSupported(uint8_t digest);
 170
 171     using maker_t = std::unique_ptr<DNSCryptoKeyEngine> (unsigned int);
 172
 173     static void report(unsigned int algorithm, maker_t* maker, bool fallback=false);
 174     static void testMakers(unsigned int algorithm, maker_t* creator, maker_t* signer, maker_t* verifier);
 175     static vector<pair<uint8_t, string>> listAllAlgosWithBackend();
 176     static bool testAll();
 177     static bool testOne(int algo);
 178
 179   private:
 180     using makers_t = std::map<unsigned int, maker_t *>;
 181     using allmakers_t = std::map<unsigned int, vector<maker_t *>>;
 182     static makers_t& getMakers()
 183     {
 184       static makers_t s_makers;
 185       return s_makers;
 186     }
 187     static allmakers_t& getAllMakers()
 188     {
 189       static allmakers_t s_allmakers;
 190       return s_allmakers;
 191     }
 192
 193   protected:
 194     const unsigned int d_algorithm;
 195 };
 196
 197 struct DNSSECPrivateKey
 198 {
 199   uint16_t getTag() const
 200   {
 201     return getDNSKEY().getTag();
 202   }
 203
 204   const std::shared_ptr<DNSCryptoKeyEngine>& getKey() const
 205   {
 206     return d_key;
 207   }
 208
 209   // be aware that calling setKey() will also set the algorithm
 210   void setKey(std::shared_ptr<DNSCryptoKeyEngine>& key, uint16_t flags, std::optional<uint8_t> algorithm = std::nullopt)
 211   {
 212     d_key = key;
 213     d_flags = flags;
 214     d_algorithm = algorithm ? *algorithm : d_key->getAlgorithm();
 215     computeDNSKEY();
 216   }
 217
 218   // be aware that calling setKey() will also set the algorithm
 219   void setKey(std::unique_ptr<DNSCryptoKeyEngine>&& key, uint16_t flags, std::optional<uint8_t> algorithm = std::nullopt)
 220   {
 221     d_key = std::move(key);
 222     d_flags = flags;
 223     d_algorithm = algorithm ? *algorithm : d_key->getAlgorithm();
 224     computeDNSKEY();
 225   }
 226
 227   const DNSKEYRecordContent& getDNSKEY() const;
 228
 229   uint16_t getFlags() const
 230   {
 231     return d_flags;
 232   }
 233
 234   uint8_t getAlgorithm() const
 235   {
 236     return d_algorithm;
 237   }
 238
 239 private:
 240   void computeDNSKEY();
 241
 242   DNSKEYRecordContent d_dnskey;
 243   std::shared_ptr<DNSCryptoKeyEngine> d_key;
 244   uint16_t d_flags;
 245   uint8_t d_algorithm;
 246 };
 247
 248
 249
 250 struct CanonicalCompare
 251 {
 252   bool operator()(const std::string& a, const std::string& b) {
 253     std::vector<std::string> avect, bvect;
 254
 255     stringtok(avect, a, ".");
 256     stringtok(bvect, b, ".");
 257
 258     reverse(avect.begin(), avect.end());
 259     reverse(bvect.begin(), bvect.end());
 260
 261     return avect < bvect;
 262   }
 263 };
 264
 265 struct sharedDNSSECRecordCompare {
 266     bool operator() (const shared_ptr<const DNSRecordContent>& a, const shared_ptr<const DNSRecordContent>& b) const {
 267       return a->serialize(g_rootdnsname, true, true) < b->serialize(g_rootdnsname, true, true);
 268     }
 269 };
 270
 271 typedef std::set<std::shared_ptr<const DNSRecordContent>, sharedDNSSECRecordCompare> sortedRecords_t;
 272
 273 string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, const sortedRecords_t& signRecords, bool processRRSIGLabels = false, bool includeRRSIG_RDATA = true);
 274
 275 DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, uint8_t digest);
 276
 277 class DNSSECKeeper;
 278
 279 uint32_t getStartOfWeek();
 280
 281 string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
 282 string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const DNSName& qname);
 283
 284 void incrementHash(std::string& raw);
 285 void decrementHash(std::string& raw);
 286
 287 void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, vector<DNSZoneRecord>& rrs);
 288
 289 void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
 290 bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);
 291
 292 uint64_t signatureCacheSize(const std::string& str);