1 // Copyright (C) 2010-2016 Internet Systems Consortium, Inc. ("ISC")
2 //
3 // This Source Code Form is subject to the terms of the Mozilla Public
4 // License, v. 2.0. If a copy of the MPL was not distributed with this
5 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6
7 #include <config.h>
8
9 #include <iostream>
10 #include <string>
11 #include <sstream>
12 #include <vector>
13
14 #include <boost/lexical_cast.hpp>
15 #include <boost/foreach.hpp>
16
17 #include <util/encode/base64.h>
18 #include <util/buffer.h>
19 #include <dns/messagerenderer.h>
20 #include <dns/name.h>
21 #include <dns/rdata.h>
22 #include <dns/rdataclass.h>
23
24 #include <memory>
25
26 #include <stdio.h>
27 #include <time.h>
28
29 using namespace std;
30 using namespace isc::util;
31 using namespace isc::util::encode;
32
33 // BEGIN_ISC_NAMESPACE
34 // BEGIN_RDATA_NAMESPACE
35
36 struct DNSKEYImpl {
37 // straightforward representation of DNSKEY RDATA fields
DNSKEYImplDNSKEYImpl38 DNSKEYImpl(uint16_t flags, uint8_t protocol, uint8_t algorithm,
39 const vector<uint8_t>& keydata) :
40 flags_(flags), protocol_(protocol), algorithm_(algorithm),
41 keydata_(keydata)
42 {}
43
44 uint16_t flags_;
45 uint8_t protocol_;
46 uint8_t algorithm_;
47 const vector<uint8_t> keydata_;
48 };
49
50 /// \brief Constructor from string.
51 ///
52 /// The given string must represent a valid DNSKEY RDATA. There can be
53 /// extra space characters at the beginning or end of the text (which
54 /// are simply ignored), but other extra text, including a new line,
55 /// will make the construction fail with an exception.
56 ///
57 /// The Protocol and Algorithm fields must be within their valid
58 /// ranges. The Public Key field must be present and must contain a
59 /// Base64 encoding of the public key. Whitespace is allowed within the
60 /// Base64 text.
61 ///
62 /// It is okay for the key data to be missing. Note: BIND 9 also accepts
63 /// DNSKEY missing key data. While the RFC is silent in this case, and it
64 /// may be debatable what an implementation should do, but since this field
65 /// is algorithm dependent and this implementations doesn't reject unknown
66 /// algorithms, it's lenient here.
67 ///
68 /// \throw InvalidRdataText if any fields are out of their valid range,
69 /// or are incorrect.
70 ///
71 /// \param dnskey_str A string containing the RDATA to be created
DNSKEY(const std::string & dnskey_str)72 DNSKEY::DNSKEY(const std::string& dnskey_str) :
73 impl_(NULL)
74 {
75 // We use unique_ptr here because if there is an exception in this
76 // constructor, the destructor is not called and there could be a
77 // leak of the DNSKEYImpl that constructFromLexer() returns.
78 std::unique_ptr<DNSKEYImpl> impl_ptr;
79
80 try {
81 std::istringstream ss(dnskey_str);
82 MasterLexer lexer;
83 lexer.pushSource(ss);
84
85 impl_ptr.reset(constructFromLexer(lexer));
86
87 if (lexer.getNextToken().getType() != MasterToken::END_OF_FILE) {
88 isc_throw(InvalidRdataText,
89 "Extra input text for DNSKEY: " << dnskey_str);
90 }
91 } catch (const MasterLexer::LexerError& ex) {
92 isc_throw(InvalidRdataText,
93 "Failed to construct DNSKEY from '" << dnskey_str << "': "
94 << ex.what());
95 }
96
97 impl_ = impl_ptr.release();
98 }
99
100 /// \brief Constructor from InputBuffer.
101 ///
102 /// The passed buffer must contain a valid DNSKEY RDATA.
103 ///
104 /// The Protocol and Algorithm fields are not checked for unknown
105 /// values. It is okay for the key data to be missing (see the description
106 /// of the constructor from string).
DNSKEY(InputBuffer & buffer,size_t rdata_len)107 DNSKEY::DNSKEY(InputBuffer& buffer, size_t rdata_len) :
108 impl_(NULL)
109 {
110 if (rdata_len < 4) {
111 isc_throw(InvalidRdataLength, "DNSKEY too short: " << rdata_len);
112 }
113
114 const uint16_t flags = buffer.readUint16();
115 const uint16_t protocol = buffer.readUint8();
116 const uint16_t algorithm = buffer.readUint8();
117
118 rdata_len -= 4;
119
120 vector<uint8_t> keydata;
121 // If key data is missing, it's OK. See the API documentation of the
122 // constructor.
123 if (rdata_len > 0) {
124 keydata.resize(rdata_len);
125 buffer.readData(&keydata[0], rdata_len);
126 }
127
128 impl_ = new DNSKEYImpl(flags, protocol, algorithm, keydata);
129 }
130
131 /// \brief Constructor with a context of MasterLexer.
132 ///
133 /// The \c lexer should point to the beginning of valid textual
134 /// representation of an DNSKEY RDATA.
135 ///
136 /// See \c DNSKEY::DNSKEY(const std::string&) for description of the
137 /// expected RDATA fields.
138 ///
139 /// \throw MasterLexer::LexerError General parsing error such as
140 /// missing field.
141 /// \throw InvalidRdataText if any fields are out of their valid range,
142 /// or are incorrect.
143 ///
144 /// \param lexer A \c MasterLexer object parsing a master file for the
145 /// RDATA to be created
DNSKEY(MasterLexer & lexer,const Name *,MasterLoader::Options,MasterLoaderCallbacks &)146 DNSKEY::DNSKEY(MasterLexer& lexer, const Name*,
147 MasterLoader::Options, MasterLoaderCallbacks&) :
148 impl_(NULL)
149 {
150 impl_ = constructFromLexer(lexer);
151 }
152
153 DNSKEYImpl*
constructFromLexer(MasterLexer & lexer)154 DNSKEY::constructFromLexer(MasterLexer& lexer) {
155 const uint32_t flags = lexer.getNextToken(MasterToken::NUMBER).getNumber();
156 if (flags > 0xffff) {
157 isc_throw(InvalidRdataText,
158 "DNSKEY flags out of range: " << flags);
159 }
160
161 const uint32_t protocol =
162 lexer.getNextToken(MasterToken::NUMBER).getNumber();
163 if (protocol > 0xff) {
164 isc_throw(InvalidRdataText,
165 "DNSKEY protocol out of range: " << protocol);
166 }
167
168 const uint32_t algorithm =
169 lexer.getNextToken(MasterToken::NUMBER).getNumber();
170 if (algorithm > 0xff) {
171 isc_throw(InvalidRdataText,
172 "DNSKEY algorithm out of range: " << algorithm);
173 }
174
175 std::string keydata_str;
176 std::string keydata_substr;
177 while (true) {
178 const MasterToken& token =
179 lexer.getNextToken(MasterToken::STRING, true);
180 if ((token.getType() == MasterToken::END_OF_FILE) ||
181 (token.getType() == MasterToken::END_OF_LINE)) {
182 break;
183 }
184
185 // token is now assured to be of type STRING.
186
187 token.getString(keydata_substr);
188 keydata_str.append(keydata_substr);
189 }
190
191 lexer.ungetToken();
192
193 vector<uint8_t> keydata;
194 // If key data is missing, it's OK. See the API documentation of the
195 // constructor.
196 if (keydata_str.size() > 0) {
197 decodeBase64(keydata_str, keydata);
198 }
199
200 return (new DNSKEYImpl(flags, protocol, algorithm, keydata));
201 }
202
DNSKEY(const DNSKEY & source)203 DNSKEY::DNSKEY(const DNSKEY& source) :
204 Rdata(), impl_(new DNSKEYImpl(*source.impl_))
205 {}
206
207 DNSKEY&
operator =(const DNSKEY & source)208 DNSKEY::operator=(const DNSKEY& source) {
209 if (this == &source) {
210 return (*this);
211 }
212
213 DNSKEYImpl* newimpl = new DNSKEYImpl(*source.impl_);
214 delete impl_;
215 impl_ = newimpl;
216
217 return (*this);
218 }
219
~DNSKEY()220 DNSKEY::~DNSKEY() {
221 delete impl_;
222 }
223
224 string
toText() const225 DNSKEY::toText() const {
226 return (boost::lexical_cast<string>(static_cast<int>(impl_->flags_)) +
227 " " + boost::lexical_cast<string>(static_cast<int>(impl_->protocol_)) +
228 " " + boost::lexical_cast<string>(static_cast<int>(impl_->algorithm_)) +
229 " " + encodeBase64(impl_->keydata_));
230 }
231
232 void
toWire(OutputBuffer & buffer) const233 DNSKEY::toWire(OutputBuffer& buffer) const {
234 buffer.writeUint16(impl_->flags_);
235 buffer.writeUint8(impl_->protocol_);
236 buffer.writeUint8(impl_->algorithm_);
237 buffer.writeData(&impl_->keydata_[0], impl_->keydata_.size());
238 }
239
240 void
toWire(AbstractMessageRenderer & renderer) const241 DNSKEY::toWire(AbstractMessageRenderer& renderer) const {
242 renderer.writeUint16(impl_->flags_);
243 renderer.writeUint8(impl_->protocol_);
244 renderer.writeUint8(impl_->algorithm_);
245 renderer.writeData(&impl_->keydata_[0], impl_->keydata_.size());
246 }
247
248 int
compare(const Rdata & other) const249 DNSKEY::compare(const Rdata& other) const {
250 const DNSKEY& other_dnskey = dynamic_cast<const DNSKEY&>(other);
251
252 if (impl_->flags_ != other_dnskey.impl_->flags_) {
253 return (impl_->flags_ < other_dnskey.impl_->flags_ ? -1 : 1);
254 }
255 if (impl_->protocol_ != other_dnskey.impl_->protocol_) {
256 return (impl_->protocol_ < other_dnskey.impl_->protocol_ ? -1 : 1);
257 }
258 if (impl_->algorithm_ != other_dnskey.impl_->algorithm_) {
259 return (impl_->algorithm_ < other_dnskey.impl_->algorithm_ ? -1 : 1);
260 }
261
262 const size_t this_len = impl_->keydata_.size();
263 const size_t other_len = other_dnskey.impl_->keydata_.size();
264 const size_t cmplen = min(this_len, other_len);
265 if (cmplen == 0) {
266 return ((this_len == other_len) ? 0 : (this_len < other_len) ? -1 : 1);
267 }
268 const int cmp = memcmp(&impl_->keydata_[0],
269 &other_dnskey.impl_->keydata_[0], cmplen);
270 if (cmp != 0) {
271 return (cmp);
272 } else {
273 return ((this_len == other_len) ? 0 : (this_len < other_len) ? -1 : 1);
274 }
275 }
276
277 uint16_t
getTag() const278 DNSKEY::getTag() const {
279 if (impl_->algorithm_ == 1) {
280 // See RFC 4034 appendix B.1 for why the key data must contain
281 // at least 4 bytes with RSA/MD5: 3 trailing bytes to extract
282 // the tag from, and 1 byte of exponent length subfield before
283 // modulus.
284 const int len = impl_->keydata_.size();
285 if (len < 4) {
286 isc_throw(isc::OutOfRange,
287 "DNSKEY keydata too short for tag extraction");
288 }
289
290 return ((impl_->keydata_[len - 3] << 8) + impl_->keydata_[len - 2]);
291 }
292
293 uint32_t ac = impl_->flags_;
294 ac += (impl_->protocol_ << 8);
295 ac += impl_->algorithm_;
296
297 const size_t size = impl_->keydata_.size();
298 for (size_t i = 0; i < size; i ++) {
299 ac += (i & 1) ? impl_->keydata_[i] : (impl_->keydata_[i] << 8);
300 }
301 ac += (ac >> 16) & 0xffff;
302 return (ac & 0xffff);
303 }
304
305 uint16_t
getFlags() const306 DNSKEY::getFlags() const {
307 return (impl_->flags_);
308 }
309
310 uint8_t
getAlgorithm() const311 DNSKEY::getAlgorithm() const {
312 return (impl_->algorithm_);
313 }
314
315 // END_RDATA_NAMESPACE
316 // END_ISC_NAMESPACE
317