xref: /netbsd-src/crypto/external/bsd/openssh/dist/dns.c (revision b757af438b42b93f8c6571f026d8b8ef3eaf5fc9) 
1 /*	$NetBSD: dns.c,v 1.4 2011/07/25 03:03:10 christos Exp $	*/
2 /* $OpenBSD: dns.c,v 1.27 2010/08/31 11:54:45 djm Exp $ */
3 
4 /*
5  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
6  * Copyright (c) 2003 Jakob Schlyter. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 #include "includes.h"
30 __RCSID("$NetBSD: dns.c,v 1.4 2011/07/25 03:03:10 christos Exp $");
31 #include <sys/types.h>
32 #include <sys/socket.h>
33 
34 #include <netdb.h>
35 #include <stdio.h>
36 #include <string.h>
37 
38 #include "xmalloc.h"
39 #include "key.h"
40 #include "dns.h"
41 #include "log.h"
42 #include "getrrsetbyname.h"
43 
44 static const char *errset_text[] = {
45 	"success",		/* 0 ERRSET_SUCCESS */
46 	"out of memory",	/* 1 ERRSET_NOMEMORY */
47 	"general failure",	/* 2 ERRSET_FAIL */
48 	"invalid parameter",	/* 3 ERRSET_INVAL */
49 	"name does not exist",	/* 4 ERRSET_NONAME */
50 	"data does not exist",	/* 5 ERRSET_NODATA */
51 };
52 
53 static const char *
54 dns_result_totext(unsigned int res)
55 {
56 	switch (res) {
57 	case ERRSET_SUCCESS:
58 		return errset_text[ERRSET_SUCCESS];
59 	case ERRSET_NOMEMORY:
60 		return errset_text[ERRSET_NOMEMORY];
61 	case ERRSET_FAIL:
62 		return errset_text[ERRSET_FAIL];
63 	case ERRSET_INVAL:
64 		return errset_text[ERRSET_INVAL];
65 	case ERRSET_NONAME:
66 		return errset_text[ERRSET_NONAME];
67 	case ERRSET_NODATA:
68 		return errset_text[ERRSET_NODATA];
69 	default:
70 		return "unknown error";
71 	}
72 }
73 
74 /*
75  * Read SSHFP parameters from key buffer.
76  */
77 static int
78 dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
79     u_char **digest, u_int *digest_len, Key *key)
80 {
81 	int success = 0;
82 
83 	switch (key->type) {
84 	case KEY_RSA:
85 		*algorithm = SSHFP_KEY_RSA;
86 		break;
87 	case KEY_DSA:
88 		*algorithm = SSHFP_KEY_DSA;
89 		break;
90 	/* XXX KEY_ECDSA */
91 	default:
92 		*algorithm = SSHFP_KEY_RESERVED; /* 0 */
93 	}
94 
95 	if (*algorithm) {
96 		*digest_type = SSHFP_HASH_SHA1;
97 		*digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
98 		if (*digest == NULL)
99 			fatal("dns_read_key: null from key_fingerprint_raw()");
100 		success = 1;
101 	} else {
102 		*digest_type = SSHFP_HASH_RESERVED;
103 		*digest = NULL;
104 		*digest_len = 0;
105 		success = 0;
106 	}
107 
108 	return success;
109 }
110 
111 /*
112  * Read SSHFP parameters from rdata buffer.
113  */
114 static int
115 dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
116     u_char **digest, u_int *digest_len, u_char *rdata, int rdata_len)
117 {
118 	int success = 0;
119 
120 	*algorithm = SSHFP_KEY_RESERVED;
121 	*digest_type = SSHFP_HASH_RESERVED;
122 
123 	if (rdata_len >= 2) {
124 		*algorithm = rdata[0];
125 		*digest_type = rdata[1];
126 		*digest_len = rdata_len - 2;
127 
128 		if (*digest_len > 0) {
129 			*digest = (u_char *) xmalloc(*digest_len);
130 			memcpy(*digest, rdata + 2, *digest_len);
131 		} else {
132 			*digest = (u_char *)xstrdup("");
133 		}
134 
135 		success = 1;
136 	}
137 
138 	return success;
139 }
140 
141 /*
142  * Check if hostname is numerical.
143  * Returns -1 if hostname is numeric, 0 otherwise
144  */
145 static int
146 is_numeric_hostname(const char *hostname)
147 {
148 	struct addrinfo hints, *ai;
149 
150 	/*
151 	 * We shouldn't ever get a null host but if we do then log an error
152 	 * and return -1 which stops DNS key fingerprint processing.
153 	 */
154 	if (hostname == NULL) {
155 		error("is_numeric_hostname called with NULL hostname");
156 		return -1;
157 	}
158 
159 	memset(&hints, 0, sizeof(hints));
160 	hints.ai_socktype = SOCK_DGRAM;
161 	hints.ai_flags = AI_NUMERICHOST;
162 
163 	if (getaddrinfo(hostname, NULL, &hints, &ai) == 0) {
164 		freeaddrinfo(ai);
165 		return -1;
166 	}
167 
168 	return 0;
169 }
170 
171 /*
172  * Verify the given hostname, address and host key using DNS.
173  * Returns 0 if lookup succeeds, -1 otherwise
174  */
175 int
176 verify_host_key_dns(const char *hostname, struct sockaddr *address,
177     Key *hostkey, int *flags)
178 {
179 	u_int counter;
180 	int result;
181 	struct rrsetinfo *fingerprints = NULL;
182 
183 	u_int8_t hostkey_algorithm;
184 	u_int8_t hostkey_digest_type;
185 	u_char *hostkey_digest;
186 	u_int hostkey_digest_len;
187 
188 	u_int8_t dnskey_algorithm;
189 	u_int8_t dnskey_digest_type;
190 	u_char *dnskey_digest;
191 	u_int dnskey_digest_len;
192 
193 	*flags = 0;
194 
195 	debug3("verify_host_key_dns");
196 	if (hostkey == NULL)
197 		fatal("No key to look up!");
198 
199 	if (is_numeric_hostname(hostname)) {
200 		debug("skipped DNS lookup for numerical hostname");
201 		return -1;
202 	}
203 
204 	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
205 	    DNS_RDATATYPE_SSHFP, 0, &fingerprints);
206 	if (result) {
207 		verbose("DNS lookup error: %s", dns_result_totext(result));
208 		return -1;
209 	}
210 
211 	if (fingerprints->rri_flags & RRSET_VALIDATED) {
212 		*flags |= DNS_VERIFY_SECURE;
213 		debug("found %d secure fingerprints in DNS",
214 		    fingerprints->rri_nrdatas);
215 	} else {
216 		debug("found %d insecure fingerprints in DNS",
217 		    fingerprints->rri_nrdatas);
218 	}
219 
220 	/* Initialize host key parameters */
221 	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
222 	    &hostkey_digest, &hostkey_digest_len, hostkey)) {
223 		error("Error calculating host key fingerprint.");
224 		freerrset(fingerprints);
225 		return -1;
226 	}
227 
228 	if (fingerprints->rri_nrdatas)
229 		*flags |= DNS_VERIFY_FOUND;
230 
231 	for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
232 		/*
233 		 * Extract the key from the answer. Ignore any badly
234 		 * formatted fingerprints.
235 		 */
236 		if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type,
237 		    &dnskey_digest, &dnskey_digest_len,
238 		    fingerprints->rri_rdatas[counter].rdi_data,
239 		    fingerprints->rri_rdatas[counter].rdi_length)) {
240 			verbose("Error parsing fingerprint from DNS.");
241 			continue;
242 		}
243 
244 		/* Check if the current key is the same as the given key */
245 		if (hostkey_algorithm == dnskey_algorithm &&
246 		    hostkey_digest_type == dnskey_digest_type) {
247 
248 			if (hostkey_digest_len == dnskey_digest_len &&
249 			    memcmp(hostkey_digest, dnskey_digest,
250 			    hostkey_digest_len) == 0) {
251 
252 				*flags |= DNS_VERIFY_MATCH;
253 			}
254 		}
255 		xfree(dnskey_digest);
256 	}
257 
258 	xfree(hostkey_digest); /* from key_fingerprint_raw() */
259 	freerrset(fingerprints);
260 
261 	if (*flags & DNS_VERIFY_FOUND)
262 		if (*flags & DNS_VERIFY_MATCH)
263 			debug("matching host key fingerprint found in DNS");
264 		else
265 			debug("mismatching host key fingerprint found in DNS");
266 	else
267 		debug("no host key fingerprint found in DNS");
268 
269 	return 0;
270 }
271 
272 /*
273  * Export the fingerprint of a key as a DNS resource record
274  */
275 int
276 export_dns_rr(const char *hostname, Key *key, FILE *f, int generic)
277 {
278 	u_int8_t rdata_pubkey_algorithm = 0;
279 	u_int8_t rdata_digest_type = SSHFP_HASH_SHA1;
280 	u_char *rdata_digest;
281 	u_int rdata_digest_len;
282 
283 	u_int i;
284 	int success = 0;
285 
286 	if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
287 	    &rdata_digest, &rdata_digest_len, key)) {
288 
289 		if (generic)
290 			fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
291 			    DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
292 			    rdata_pubkey_algorithm, rdata_digest_type);
293 		else
294 			fprintf(f, "%s IN SSHFP %d %d ", hostname,
295 			    rdata_pubkey_algorithm, rdata_digest_type);
296 
297 		for (i = 0; i < rdata_digest_len; i++)
298 			fprintf(f, "%02x", rdata_digest[i]);
299 		fprintf(f, "\n");
300 		xfree(rdata_digest); /* from key_fingerprint_raw() */
301 		success = 1;
302 	} else {
303 		error("export_dns_rr: unsupported algorithm");
304 	}
305 
306 	return success;
307 }
308