xref: /netbsd-src/crypto/external/bsd/openssh/dist/dns.c (revision b1c86f5f087524e68db12794ee9c3e3da1ab17a0) 
1 /*	$NetBSD: dns.c,v 1.2 2009/06/07 22:38:46 christos Exp $	*/
2 /* $OpenBSD: dns.c,v 1.25 2008/06/12 00:03:49 dtucker Exp $ */
3 
4 /*
5  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
6  * Copyright (c) 2003 Jakob Schlyter. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 #include "includes.h"
30 __RCSID("$NetBSD: dns.c,v 1.2 2009/06/07 22:38:46 christos Exp $");
31 #include <sys/types.h>
32 #include <sys/socket.h>
33 
34 #include <netdb.h>
35 #include <stdio.h>
36 #include <string.h>
37 
38 #include "xmalloc.h"
39 #include "key.h"
40 #include "dns.h"
41 #include "log.h"
42 #include "getrrsetbyname.h"
43 
44 static const char *errset_text[] = {
45 	"success",		/* 0 ERRSET_SUCCESS */
46 	"out of memory",	/* 1 ERRSET_NOMEMORY */
47 	"general failure",	/* 2 ERRSET_FAIL */
48 	"invalid parameter",	/* 3 ERRSET_INVAL */
49 	"name does not exist",	/* 4 ERRSET_NONAME */
50 	"data does not exist",	/* 5 ERRSET_NODATA */
51 };
52 
53 static const char *
54 dns_result_totext(unsigned int res)
55 {
56 	switch (res) {
57 	case ERRSET_SUCCESS:
58 		return errset_text[ERRSET_SUCCESS];
59 	case ERRSET_NOMEMORY:
60 		return errset_text[ERRSET_NOMEMORY];
61 	case ERRSET_FAIL:
62 		return errset_text[ERRSET_FAIL];
63 	case ERRSET_INVAL:
64 		return errset_text[ERRSET_INVAL];
65 	case ERRSET_NONAME:
66 		return errset_text[ERRSET_NONAME];
67 	case ERRSET_NODATA:
68 		return errset_text[ERRSET_NODATA];
69 	default:
70 		return "unknown error";
71 	}
72 }
73 
74 /*
75  * Read SSHFP parameters from key buffer.
76  */
77 static int
78 dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
79     u_char **digest, u_int *digest_len, const Key *key)
80 {
81 	int success = 0;
82 
83 	switch (key->type) {
84 	case KEY_RSA:
85 		*algorithm = SSHFP_KEY_RSA;
86 		break;
87 	case KEY_DSA:
88 		*algorithm = SSHFP_KEY_DSA;
89 		break;
90 	default:
91 		*algorithm = SSHFP_KEY_RESERVED; /* 0 */
92 	}
93 
94 	if (*algorithm) {
95 		*digest_type = SSHFP_HASH_SHA1;
96 		*digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
97 		if (*digest == NULL)
98 			fatal("dns_read_key: null from key_fingerprint_raw()");
99 		success = 1;
100 	} else {
101 		*digest_type = SSHFP_HASH_RESERVED;
102 		*digest = NULL;
103 		*digest_len = 0;
104 		success = 0;
105 	}
106 
107 	return success;
108 }
109 
110 /*
111  * Read SSHFP parameters from rdata buffer.
112  */
113 static int
114 dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
115     u_char **digest, u_int *digest_len, u_char *rdata, int rdata_len)
116 {
117 	int success = 0;
118 
119 	*algorithm = SSHFP_KEY_RESERVED;
120 	*digest_type = SSHFP_HASH_RESERVED;
121 
122 	if (rdata_len >= 2) {
123 		*algorithm = rdata[0];
124 		*digest_type = rdata[1];
125 		*digest_len = rdata_len - 2;
126 
127 		if (*digest_len > 0) {
128 			*digest = (u_char *) xmalloc(*digest_len);
129 			memcpy(*digest, rdata + 2, *digest_len);
130 		} else {
131 			*digest = (u_char *)xstrdup("");
132 		}
133 
134 		success = 1;
135 	}
136 
137 	return success;
138 }
139 
140 /*
141  * Check if hostname is numerical.
142  * Returns -1 if hostname is numeric, 0 otherwise
143  */
144 static int
145 is_numeric_hostname(const char *hostname)
146 {
147 	struct addrinfo hints, *ai;
148 
149 	/*
150 	 * We shouldn't ever get a null host but if we do then log an error
151 	 * and return -1 which stops DNS key fingerprint processing.
152 	 */
153 	if (hostname == NULL) {
154 		error("is_numeric_hostname called with NULL hostname");
155 		return -1;
156 	}
157 
158 	memset(&hints, 0, sizeof(hints));
159 	hints.ai_socktype = SOCK_DGRAM;
160 	hints.ai_flags = AI_NUMERICHOST;
161 
162 	if (getaddrinfo(hostname, NULL, &hints, &ai) == 0) {
163 		freeaddrinfo(ai);
164 		return -1;
165 	}
166 
167 	return 0;
168 }
169 
170 /*
171  * Verify the given hostname, address and host key using DNS.
172  * Returns 0 if lookup succeeds, -1 otherwise
173  */
174 int
175 verify_host_key_dns(const char *hostname, struct sockaddr *address,
176     const Key *hostkey, int *flags)
177 {
178 	u_int counter;
179 	int result;
180 	struct rrsetinfo *fingerprints = NULL;
181 
182 	u_int8_t hostkey_algorithm;
183 	u_int8_t hostkey_digest_type;
184 	u_char *hostkey_digest;
185 	u_int hostkey_digest_len;
186 
187 	u_int8_t dnskey_algorithm;
188 	u_int8_t dnskey_digest_type;
189 	u_char *dnskey_digest;
190 	u_int dnskey_digest_len;
191 
192 	*flags = 0;
193 
194 	debug3("verify_host_key_dns");
195 	if (hostkey == NULL)
196 		fatal("No key to look up!");
197 
198 	if (is_numeric_hostname(hostname)) {
199 		debug("skipped DNS lookup for numerical hostname");
200 		return -1;
201 	}
202 
203 	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
204 	    DNS_RDATATYPE_SSHFP, 0, &fingerprints);
205 	if (result) {
206 		verbose("DNS lookup error: %s", dns_result_totext(result));
207 		return -1;
208 	}
209 
210 	if (fingerprints->rri_flags & RRSET_VALIDATED) {
211 		*flags |= DNS_VERIFY_SECURE;
212 		debug("found %d secure fingerprints in DNS",
213 		    fingerprints->rri_nrdatas);
214 	} else {
215 		debug("found %d insecure fingerprints in DNS",
216 		    fingerprints->rri_nrdatas);
217 	}
218 
219 	/* Initialize host key parameters */
220 	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
221 	    &hostkey_digest, &hostkey_digest_len, hostkey)) {
222 		error("Error calculating host key fingerprint.");
223 		freerrset(fingerprints);
224 		return -1;
225 	}
226 
227 	if (fingerprints->rri_nrdatas)
228 		*flags |= DNS_VERIFY_FOUND;
229 
230 	for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
231 		/*
232 		 * Extract the key from the answer. Ignore any badly
233 		 * formatted fingerprints.
234 		 */
235 		if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type,
236 		    &dnskey_digest, &dnskey_digest_len,
237 		    fingerprints->rri_rdatas[counter].rdi_data,
238 		    fingerprints->rri_rdatas[counter].rdi_length)) {
239 			verbose("Error parsing fingerprint from DNS.");
240 			continue;
241 		}
242 
243 		/* Check if the current key is the same as the given key */
244 		if (hostkey_algorithm == dnskey_algorithm &&
245 		    hostkey_digest_type == dnskey_digest_type) {
246 
247 			if (hostkey_digest_len == dnskey_digest_len &&
248 			    memcmp(hostkey_digest, dnskey_digest,
249 			    hostkey_digest_len) == 0) {
250 
251 				*flags |= DNS_VERIFY_MATCH;
252 			}
253 		}
254 		xfree(dnskey_digest);
255 	}
256 
257 	xfree(hostkey_digest); /* from key_fingerprint_raw() */
258 	freerrset(fingerprints);
259 
260 	if (*flags & DNS_VERIFY_FOUND)
261 		if (*flags & DNS_VERIFY_MATCH)
262 			debug("matching host key fingerprint found in DNS");
263 		else
264 			debug("mismatching host key fingerprint found in DNS");
265 	else
266 		debug("no host key fingerprint found in DNS");
267 
268 	return 0;
269 }
270 
271 /*
272  * Export the fingerprint of a key as a DNS resource record
273  */
274 int
275 export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
276 {
277 	u_int8_t rdata_pubkey_algorithm = 0;
278 	u_int8_t rdata_digest_type = SSHFP_HASH_SHA1;
279 	u_char *rdata_digest;
280 	u_int rdata_digest_len;
281 
282 	u_int i;
283 	int success = 0;
284 
285 	if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
286 	    &rdata_digest, &rdata_digest_len, key)) {
287 
288 		if (generic)
289 			fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
290 			    DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
291 			    rdata_pubkey_algorithm, rdata_digest_type);
292 		else
293 			fprintf(f, "%s IN SSHFP %d %d ", hostname,
294 			    rdata_pubkey_algorithm, rdata_digest_type);
295 
296 		for (i = 0; i < rdata_digest_len; i++)
297 			fprintf(f, "%02x", rdata_digest[i]);
298 		fprintf(f, "\n");
299 		xfree(rdata_digest); /* from key_fingerprint_raw() */
300 		success = 1;
301 	} else {
302 		error("export_dns_rr: unsupported algorithm");
303 	}
304 
305 	return success;
306 }
307