pdns/dnssecinfra.hh

   1 /*
   2  * This file is part of PowerDNS or dnsdist.
   3  * Copyright -- PowerDNS.COM B.V. and its contributors
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of version 2 of the GNU General Public License as
   7  * published by the Free Software Foundation.
   8  *
   9  * In addition, for the avoidance of any doubt, permission is granted to
  10  * link this program with OpenSSL and to (re)distribute the binaries
  11  * produced as the result of such linking.
  12  *
  13  * This program is distributed in the hope that it will be useful,
  14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  * GNU General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with this program; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21  */
  22 #pragma once
  23 #include "dnsrecords.hh"
  24
  25 #include <string>
  26 #include <vector>
  27 #include <optional>
  28 #include <map>
  29 #include "misc.hh"
  30
  31 class UeberBackend;
  32
  33 // rules of the road: Algorithm must be set in 'make' for each KeyEngine, and will NEVER change!
  34
  35 class DNSCryptoKeyEngine
  36 {
  37   public:
  38     explicit DNSCryptoKeyEngine(unsigned int algorithm) : d_algorithm(algorithm) {}
  39     virtual ~DNSCryptoKeyEngine() {};
  40     [[nodiscard]] virtual string getName() const = 0;
  41
  42     using stormap_t = std::map<std::string, std::string>;
  43     using storvector_t = std::vector<std::pair<std::string, std::string>>;
  44     virtual void create(unsigned int bits)=0;
  45
  46     virtual void createFromPEMFile(DNSKEYRecordContent& /* drc */, std::FILE& /* inputFile */, const std::optional<std::reference_wrapper<const std::string>> filename = std::nullopt)
  47     {
  48       if (filename.has_value()) {
  49         throw std::runtime_error("Can't create key from PEM file `" + filename->get() + "`");
  50       }
  51
  52       throw std::runtime_error("Can't create key from PEM contents");
  53     }
  54
  55     /**
  56      * \brief Creates a key engine from a PEM string.
  57      *
  58      * Receives PEM contents and creates a key engine.
  59      *
  60      * \param[in] drc Key record contents to be populated.
  61      *
  62      * \param[in] contents The PEM string contents.
  63      *
  64      * \return A key engine populated with the contents of the PEM string.
  65      */
  66     void createFromPEMString(DNSKEYRecordContent& drc, const std::string& contents)
  67     {
  68       // NOLINTNEXTLINE(*-cast): POSIX APIs.
  69       unique_ptr<std::FILE, decltype(&std::fclose)> inputFile{fmemopen(const_cast<char*>(contents.data()), contents.length(), "r"), &std::fclose};
  70       createFromPEMFile(drc, *inputFile);
  71     }
  72
  73     [[nodiscard]] virtual storvector_t convertToISCVector() const =0;
  74     [[nodiscard]] std::string convertToISC() const ;
  75
  76     virtual void convertToPEMFile(std::FILE& /* outputFile */) const
  77     {
  78       throw std::runtime_error(getName() + ": Conversion to PEM not supported");
  79     };
  80
  81     /**
  82      * \brief Converts the key into a PEM string.
  83      *
  84      * \return A string containing the key's PEM contents.
  85      */
  86     [[nodiscard]] auto convertToPEMString() const -> std::string
  87     {
  88       const size_t buflen = 4096;
  89
  90       std::string output{};
  91       output.resize(buflen);
  92       unique_ptr<std::FILE, decltype(&std::fclose)> outputFile{fmemopen(output.data(), output.length() - 1, "w"), &std::fclose};
  93       convertToPEMFile(*outputFile);
  94       std::fflush(outputFile.get());
  95       output.resize(std::ftell(outputFile.get()));
  96
  97       return output;
  98     };
  99
 100     [[nodiscard]] virtual std::string sign(const std::string& msg) const =0;
 101
 102     [[nodiscard]] virtual std::string hash(const std::string& msg) const
 103     {
 104        throw std::runtime_error("hash() function not implemented");
 105        return msg;
 106     }
 107
 108     [[nodiscard]] virtual bool verify(const std::string& msg, const std::string& signature) const =0;
 109
 110     [[nodiscard]] virtual std::string getPublicKeyString()const =0;
 111     [[nodiscard]] virtual int getBits() const =0;
 112     [[nodiscard]] virtual unsigned int getAlgorithm() const
 113     {
 114       return d_algorithm;
 115     }
 116
 117     virtual void fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap) = 0;
 118     virtual void fromPublicKeyString(const std::string& content) = 0;
 119
 120     [[nodiscard]] virtual bool checkKey(std::optional<std::reference_wrapper<std::vector<std::string>>> /* errorMessages */ = std::nullopt) const
 121     {
 122       return true;
 123     }
 124
 125     static std::unique_ptr<DNSCryptoKeyEngine> makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
 126
 127     /**
 128      * \brief Creates a key engine from a PEM file.
 129      *
 130      * Receives an open file handle with PEM contents and creates a key engine
 131      * corresponding to the algorithm requested.
 132      *
 133      * \param[in] drc Key record contents to be populated.
 134      *
 135      * \param[in] algorithm Which algorithm to use. See
 136      * https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
 137      *
 138      * \param[in] fp An open file handle to a file containing PEM contents.
 139      *
 140      * \param[in] filename Only used for providing filename information in error messages.
 141      *
 142      * \return A key engine corresponding to the requested algorithm and populated with
 143      * the contents of the PEM file.
 144      */
 145     static std::unique_ptr<DNSCryptoKeyEngine> makeFromPEMFile(DNSKEYRecordContent& drc, uint8_t algorithm, std::FILE& inputFile, const std::string& filename);
 146
 147     /**
 148      * \brief Creates a key engine from a PEM string.
 149      *
 150      * Receives PEM contents and creates a key engine corresponding to the algorithm
 151      * requested.
 152      *
 153      * \param[in] drc Key record contents to be populated.
 154      *
 155      * \param[in] algorithm Which algorithm to use. See
 156      * https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
 157      *
 158      * \param[in] contents The PEM contents.
 159      *
 160      * \return A key engine corresponding to the requested algorithm and populated with
 161      * the contents of the PEM string.
 162      */
 163     static std::unique_ptr<DNSCryptoKeyEngine> makeFromPEMString(DNSKEYRecordContent& drc, uint8_t algorithm, const std::string& contents);
 164
 165     static std::unique_ptr<DNSCryptoKeyEngine> makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
 166     static std::unique_ptr<DNSCryptoKeyEngine> makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);
 167     static std::unique_ptr<DNSCryptoKeyEngine> make(unsigned int algorithm);
 168     static bool isAlgorithmSupported(unsigned int algo);
 169     static bool isAlgorithmSwitchedOff(unsigned int algo);
 170     static void switchOffAlgorithm(unsigned int algo);
 171     static bool isDigestSupported(uint8_t digest);
 172
 173     using maker_t = std::unique_ptr<DNSCryptoKeyEngine> (unsigned int);
 174
 175     static void report(unsigned int algorithm, maker_t* maker, bool fallback=false);
 176     static void testMakers(unsigned int algorithm, maker_t* creator, maker_t* signer, maker_t* verifier);
 177     static vector<pair<uint8_t, string>> listAllAlgosWithBackend();
 178     static bool testAll();
 179     static bool testOne(int algo);
 180     static bool verifyOne(unsigned int algo);
 181     static bool testVerify(unsigned int algo, maker_t* verifier);
 182     static string listSupportedAlgoNames();
 183
 184   private:
 185     using makers_t = std::map<unsigned int, maker_t *>;
 186     using allmakers_t = std::map<unsigned int, vector<maker_t *>>;
 187     static makers_t& getMakers()
 188     {
 189       static makers_t s_makers;
 190       return s_makers;
 191     }
 192     static allmakers_t& getAllMakers()
 193     {
 194       static allmakers_t s_allmakers;
 195       return s_allmakers;
 196     }
 197     // Must be set before going multi-threaded and not changed after that
 198     static std::unordered_set<unsigned int> s_switchedOff;
 199
 200   protected:
 201     const unsigned int d_algorithm;
 202 };
 203
 204 struct DNSSECPrivateKey
 205 {
 206   uint16_t getTag() const
 207   {
 208     return getDNSKEY().getTag();
 209   }
 210
 211   const std::shared_ptr<DNSCryptoKeyEngine>& getKey() const
 212   {
 213     return d_key;
 214   }
 215
 216   // be aware that calling setKey() will also set the algorithm
 217   void setKey(std::shared_ptr<DNSCryptoKeyEngine>& key, uint16_t flags, std::optional<uint8_t> algorithm = std::nullopt)
 218   {
 219     d_key = key;
 220     d_flags = flags;
 221     d_algorithm = algorithm ? *algorithm : d_key->getAlgorithm();
 222     computeDNSKEY();
 223   }
 224
 225   // be aware that calling setKey() will also set the algorithm
 226   void setKey(std::unique_ptr<DNSCryptoKeyEngine>&& key, uint16_t flags, std::optional<uint8_t> algorithm = std::nullopt)
 227   {
 228     d_key = std::move(key);
 229     d_flags = flags;
 230     d_algorithm = algorithm ? *algorithm : d_key->getAlgorithm();
 231     computeDNSKEY();
 232   }
 233
 234   const DNSKEYRecordContent& getDNSKEY() const;
 235
 236   uint16_t getFlags() const
 237   {
 238     return d_flags;
 239   }
 240
 241   uint8_t getAlgorithm() const
 242   {
 243     return d_algorithm;
 244   }
 245
 246 private:
 247   void computeDNSKEY();
 248
 249   DNSKEYRecordContent d_dnskey;
 250   std::shared_ptr<DNSCryptoKeyEngine> d_key;
 251   uint16_t d_flags{0};
 252   uint8_t d_algorithm{0};
 253 };
 254
 255
 256
 257 struct CanonicalCompare
 258 {
 259   bool operator()(const std::string& a, const std::string& b) {
 260     std::vector<std::string> avect, bvect;
 261
 262     stringtok(avect, a, ".");
 263     stringtok(bvect, b, ".");
 264
 265     reverse(avect.begin(), avect.end());
 266     reverse(bvect.begin(), bvect.end());
 267
 268     return avect < bvect;
 269   }
 270 };
 271
 272 struct sharedDNSSECRecordCompare {
 273     bool operator() (const shared_ptr<const DNSRecordContent>& a, const shared_ptr<const DNSRecordContent>& b) const {
 274       return a->serialize(g_rootdnsname, true, true) < b->serialize(g_rootdnsname, true, true);
 275     }
 276 };
 277
 278 typedef std::set<std::shared_ptr<const DNSRecordContent>, sharedDNSSECRecordCompare> sortedRecords_t;
 279
 280 string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, const sortedRecords_t& signRecords, bool processRRSIGLabels = false, bool includeRRSIG_RDATA = true);
 281
 282 DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, uint8_t digest);
 283
 284 class DNSSECKeeper;
 285
 286 uint32_t getStartOfWeek();
 287
 288 string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
 289 string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const DNSName& qname);
 290
 291 void incrementHash(std::string& raw);
 292 void decrementHash(std::string& raw);
 293
 294 void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, vector<DNSZoneRecord>& rrs);
 295
 296 void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
 297 bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);
 298
 299 uint64_t signatureCacheSize(const std::string& str);