Annotation of src/crypto/external/bsd/openssh/dist/dns.c, Revision 1.1.1.1
1.1 christos 1: /* $NetBSD$ */
2: /* $OpenBSD: dns.c,v 1.25 2008/06/12 00:03:49 dtucker Exp $ */
3:
4: /*
5: * Copyright (c) 2003 Wesley Griffin. All rights reserved.
6: * Copyright (c) 2003 Jakob Schlyter. All rights reserved.
7: *
8: * Redistribution and use in source and binary forms, with or without
9: * modification, are permitted provided that the following conditions
10: * are met:
11: * 1. Redistributions of source code must retain the above copyright
12: * notice, this list of conditions and the following disclaimer.
13: * 2. Redistributions in binary form must reproduce the above copyright
14: * notice, this list of conditions and the following disclaimer in the
15: * documentation and/or other materials provided with the distribution.
16: *
17: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27: */
28:
29: #include <sys/types.h>
30: #include <sys/socket.h>
31:
32: #include <netdb.h>
33: #include <stdio.h>
34: #include <string.h>
35:
36: #include "xmalloc.h"
37: #include "key.h"
38: #include "dns.h"
39: #include "log.h"
40:
41: static const char *errset_text[] = {
42: "success", /* 0 ERRSET_SUCCESS */
43: "out of memory", /* 1 ERRSET_NOMEMORY */
44: "general failure", /* 2 ERRSET_FAIL */
45: "invalid parameter", /* 3 ERRSET_INVAL */
46: "name does not exist", /* 4 ERRSET_NONAME */
47: "data does not exist", /* 5 ERRSET_NODATA */
48: };
49:
50: static const char *
51: dns_result_totext(unsigned int res)
52: {
53: switch (res) {
54: case ERRSET_SUCCESS:
55: return errset_text[ERRSET_SUCCESS];
56: case ERRSET_NOMEMORY:
57: return errset_text[ERRSET_NOMEMORY];
58: case ERRSET_FAIL:
59: return errset_text[ERRSET_FAIL];
60: case ERRSET_INVAL:
61: return errset_text[ERRSET_INVAL];
62: case ERRSET_NONAME:
63: return errset_text[ERRSET_NONAME];
64: case ERRSET_NODATA:
65: return errset_text[ERRSET_NODATA];
66: default:
67: return "unknown error";
68: }
69: }
70:
71: /*
72: * Read SSHFP parameters from key buffer.
73: */
74: static int
75: dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
76: u_char **digest, u_int *digest_len, const Key *key)
77: {
78: int success = 0;
79:
80: switch (key->type) {
81: case KEY_RSA:
82: *algorithm = SSHFP_KEY_RSA;
83: break;
84: case KEY_DSA:
85: *algorithm = SSHFP_KEY_DSA;
86: break;
87: default:
88: *algorithm = SSHFP_KEY_RESERVED; /* 0 */
89: }
90:
91: if (*algorithm) {
92: *digest_type = SSHFP_HASH_SHA1;
93: *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
94: if (*digest == NULL)
95: fatal("dns_read_key: null from key_fingerprint_raw()");
96: success = 1;
97: } else {
98: *digest_type = SSHFP_HASH_RESERVED;
99: *digest = NULL;
100: *digest_len = 0;
101: success = 0;
102: }
103:
104: return success;
105: }
106:
107: /*
108: * Read SSHFP parameters from rdata buffer.
109: */
110: static int
111: dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
112: u_char **digest, u_int *digest_len, u_char *rdata, int rdata_len)
113: {
114: int success = 0;
115:
116: *algorithm = SSHFP_KEY_RESERVED;
117: *digest_type = SSHFP_HASH_RESERVED;
118:
119: if (rdata_len >= 2) {
120: *algorithm = rdata[0];
121: *digest_type = rdata[1];
122: *digest_len = rdata_len - 2;
123:
124: if (*digest_len > 0) {
125: *digest = (u_char *) xmalloc(*digest_len);
126: memcpy(*digest, rdata + 2, *digest_len);
127: } else {
128: *digest = (u_char *)xstrdup("");
129: }
130:
131: success = 1;
132: }
133:
134: return success;
135: }
136:
137: /*
138: * Check if hostname is numerical.
139: * Returns -1 if hostname is numeric, 0 otherwise
140: */
141: static int
142: is_numeric_hostname(const char *hostname)
143: {
144: struct addrinfo hints, *ai;
145:
146: /*
147: * We shouldn't ever get a null host but if we do then log an error
148: * and return -1 which stops DNS key fingerprint processing.
149: */
150: if (hostname == NULL) {
151: error("is_numeric_hostname called with NULL hostname");
152: return -1;
153: }
154:
155: memset(&hints, 0, sizeof(hints));
156: hints.ai_socktype = SOCK_DGRAM;
157: hints.ai_flags = AI_NUMERICHOST;
158:
159: if (getaddrinfo(hostname, NULL, &hints, &ai) == 0) {
160: freeaddrinfo(ai);
161: return -1;
162: }
163:
164: return 0;
165: }
166:
167: /*
168: * Verify the given hostname, address and host key using DNS.
169: * Returns 0 if lookup succeeds, -1 otherwise
170: */
171: int
172: verify_host_key_dns(const char *hostname, struct sockaddr *address,
173: const Key *hostkey, int *flags)
174: {
175: u_int counter;
176: int result;
177: struct rrsetinfo *fingerprints = NULL;
178:
179: u_int8_t hostkey_algorithm;
180: u_int8_t hostkey_digest_type;
181: u_char *hostkey_digest;
182: u_int hostkey_digest_len;
183:
184: u_int8_t dnskey_algorithm;
185: u_int8_t dnskey_digest_type;
186: u_char *dnskey_digest;
187: u_int dnskey_digest_len;
188:
189: *flags = 0;
190:
191: debug3("verify_host_key_dns");
192: if (hostkey == NULL)
193: fatal("No key to look up!");
194:
195: if (is_numeric_hostname(hostname)) {
196: debug("skipped DNS lookup for numerical hostname");
197: return -1;
198: }
199:
200: result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
201: DNS_RDATATYPE_SSHFP, 0, &fingerprints);
202: if (result) {
203: verbose("DNS lookup error: %s", dns_result_totext(result));
204: return -1;
205: }
206:
207: if (fingerprints->rri_flags & RRSET_VALIDATED) {
208: *flags |= DNS_VERIFY_SECURE;
209: debug("found %d secure fingerprints in DNS",
210: fingerprints->rri_nrdatas);
211: } else {
212: debug("found %d insecure fingerprints in DNS",
213: fingerprints->rri_nrdatas);
214: }
215:
216: /* Initialize host key parameters */
217: if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
218: &hostkey_digest, &hostkey_digest_len, hostkey)) {
219: error("Error calculating host key fingerprint.");
220: freerrset(fingerprints);
221: return -1;
222: }
223:
224: if (fingerprints->rri_nrdatas)
225: *flags |= DNS_VERIFY_FOUND;
226:
227: for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
228: /*
229: * Extract the key from the answer. Ignore any badly
230: * formatted fingerprints.
231: */
232: if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type,
233: &dnskey_digest, &dnskey_digest_len,
234: fingerprints->rri_rdatas[counter].rdi_data,
235: fingerprints->rri_rdatas[counter].rdi_length)) {
236: verbose("Error parsing fingerprint from DNS.");
237: continue;
238: }
239:
240: /* Check if the current key is the same as the given key */
241: if (hostkey_algorithm == dnskey_algorithm &&
242: hostkey_digest_type == dnskey_digest_type) {
243:
244: if (hostkey_digest_len == dnskey_digest_len &&
245: memcmp(hostkey_digest, dnskey_digest,
246: hostkey_digest_len) == 0) {
247:
248: *flags |= DNS_VERIFY_MATCH;
249: }
250: }
251: xfree(dnskey_digest);
252: }
253:
254: xfree(hostkey_digest); /* from key_fingerprint_raw() */
255: freerrset(fingerprints);
256:
257: if (*flags & DNS_VERIFY_FOUND)
258: if (*flags & DNS_VERIFY_MATCH)
259: debug("matching host key fingerprint found in DNS");
260: else
261: debug("mismatching host key fingerprint found in DNS");
262: else
263: debug("no host key fingerprint found in DNS");
264:
265: return 0;
266: }
267:
268: /*
269: * Export the fingerprint of a key as a DNS resource record
270: */
271: int
272: export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
273: {
274: u_int8_t rdata_pubkey_algorithm = 0;
275: u_int8_t rdata_digest_type = SSHFP_HASH_SHA1;
276: u_char *rdata_digest;
277: u_int rdata_digest_len;
278:
279: u_int i;
280: int success = 0;
281:
282: if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
283: &rdata_digest, &rdata_digest_len, key)) {
284:
285: if (generic)
286: fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
287: DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
288: rdata_pubkey_algorithm, rdata_digest_type);
289: else
290: fprintf(f, "%s IN SSHFP %d %d ", hostname,
291: rdata_pubkey_algorithm, rdata_digest_type);
292:
293: for (i = 0; i < rdata_digest_len; i++)
294: fprintf(f, "%02x", rdata_digest[i]);
295: fprintf(f, "\n");
296: xfree(rdata_digest); /* from key_fingerprint_raw() */
297: success = 1;
298: } else {
299: error("export_dns_rr: unsupported algorithm");
300: }
301:
302: return success;
303: }
CVSweb <webmaster@jp.NetBSD.org>