search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
nrelease - fix/improve livecd
[dragonfly.git] / crypto / openssh / dns.c
blobf2310bec2b08865ef14dd2f334ec5f96ecc8d71b
1 /* $OpenBSD: dns.c,v 1.42 2022/02/01 23:32:51 djm Exp $ */
2
3 /*
4 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
5 * Copyright (c) 2003 Jakob Schlyter. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 #include "includes.h"
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32
33 #include <netdb.h>
34 #include <stdarg.h>
35 #include <stdio.h>
36 #include <string.h>
37 #include <stdlib.h>
38
39 #include "xmalloc.h"
40 #include "sshkey.h"
41 #include "ssherr.h"
42 #include "dns.h"
43 #include "log.h"
44 #include "digest.h"
45
46 static const char * const errset_text[] = {
47 "success", /* 0 ERRSET_SUCCESS */
48 "out of memory", /* 1 ERRSET_NOMEMORY */
49 "general failure", /* 2 ERRSET_FAIL */
50 "invalid parameter", /* 3 ERRSET_INVAL */
51 "name does not exist", /* 4 ERRSET_NONAME */
52 "data does not exist", /* 5 ERRSET_NODATA */
53 };
54
55 static const char *
56 dns_result_totext(unsigned int res)
57 {
58 switch (res) {
59 case ERRSET_SUCCESS:
60 return errset_text[ERRSET_SUCCESS];
61 case ERRSET_NOMEMORY:
62 return errset_text[ERRSET_NOMEMORY];
63 case ERRSET_FAIL:
64 return errset_text[ERRSET_FAIL];
65 case ERRSET_INVAL:
66 return errset_text[ERRSET_INVAL];
67 case ERRSET_NONAME:
68 return errset_text[ERRSET_NONAME];
69 case ERRSET_NODATA:
70 return errset_text[ERRSET_NODATA];
71 default:
72 return "unknown error";
73 }
74 }
75
76 /*
77 * Read SSHFP parameters from key buffer.
78 * Caller must free digest which is allocated by sshkey_fingerprint_raw().
79 */
80 static int
81 dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
82 u_char **digest, size_t *digest_len, struct sshkey *key)
83 {
84 int r, success = 0;
85 int fp_alg = -1;
86
87 switch (key->type) {
88 case KEY_RSA:
89 *algorithm = SSHFP_KEY_RSA;
90 break;
91 case KEY_DSA:
92 *algorithm = SSHFP_KEY_DSA;
93 break;
94 case KEY_ECDSA:
95 *algorithm = SSHFP_KEY_ECDSA;
96 break;
97 case KEY_ED25519:
98 *algorithm = SSHFP_KEY_ED25519;
99 break;
100 case KEY_XMSS:
101 *algorithm = SSHFP_KEY_XMSS;
102 break;
103 default:
104 *algorithm = SSHFP_KEY_RESERVED; /* 0 */
105 }
106
107 switch (*digest_type) {
108 case SSHFP_HASH_SHA1:
109 fp_alg = SSH_DIGEST_SHA1;
110 break;
111 case SSHFP_HASH_SHA256:
112 fp_alg = SSH_DIGEST_SHA256;
113 break;
114 default:
115 *digest_type = SSHFP_HASH_RESERVED; /* 0 */
116 }
117
118 if (*algorithm && *digest_type) {
119 if ((r = sshkey_fingerprint_raw(key, fp_alg, digest,
120 digest_len)) != 0)
121 fatal_fr(r, "sshkey_fingerprint_raw");
122 success = 1;
123 } else {
124 *digest = NULL;
125 *digest_len = 0;
126 }
127
128 return success;
129 }
130
131 /*
132 * Read SSHFP parameters from rdata buffer.
133 */
134 static int
135 dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
136 u_char **digest, size_t *digest_len, u_char *rdata, int rdata_len)
137 {
138 int success = 0;
139
140 *algorithm = SSHFP_KEY_RESERVED;
141 *digest_type = SSHFP_HASH_RESERVED;
142
143 if (rdata_len >= 2) {
144 *algorithm = rdata[0];
145 *digest_type = rdata[1];
146 *digest_len = rdata_len - 2;
147
148 if (*digest_len > 0) {
149 *digest = xmalloc(*digest_len);
150 memcpy(*digest, rdata + 2, *digest_len);
151 } else {
152 *digest = (u_char *)xstrdup("");
153 }
154
155 success = 1;
156 }
157
158 return success;
159 }
160
161 /*
162 * Check if hostname is numerical.
163 * Returns -1 if hostname is numeric, 0 otherwise
164 */
165 static int
166 is_numeric_hostname(const char *hostname)
167 {
168 struct addrinfo hints, *ai;
169
170 /*
171 * We shouldn't ever get a null host but if we do then log an error
172 * and return -1 which stops DNS key fingerprint processing.
173 */
174 if (hostname == NULL) {
175 error("is_numeric_hostname called with NULL hostname");
176 return -1;
177 }
178
179 memset(&hints, 0, sizeof(hints));
180 hints.ai_socktype = SOCK_DGRAM;
181 hints.ai_flags = AI_NUMERICHOST;
182
183 if (getaddrinfo(hostname, NULL, &hints, &ai) == 0) {
184 freeaddrinfo(ai);
185 return -1;
186 }
187
188 return 0;
189 }
190
191 /*
192 * Verify the given hostname, address and host key using DNS.
193 * Returns 0 if lookup succeeds, -1 otherwise
194 */
195 int
196 verify_host_key_dns(const char *hostname, struct sockaddr *address,
197 struct sshkey *hostkey, int *flags)
198 {
199 u_int counter;
200 int result;
201 struct rrsetinfo *fingerprints = NULL;
202
203 u_int8_t hostkey_algorithm;
204 u_char *hostkey_digest;
205 size_t hostkey_digest_len;
206
207 u_int8_t dnskey_algorithm;
208 u_int8_t dnskey_digest_type;
209 u_char *dnskey_digest;
210 size_t dnskey_digest_len;
211
212 *flags = 0;
213
214 debug3("verify_host_key_dns");
215 if (hostkey == NULL)
216 fatal("No key to look up!");
217
218 if (is_numeric_hostname(hostname)) {
219 debug("skipped DNS lookup for numerical hostname");
220 return -1;
221 }
222
223 result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
224 DNS_RDATATYPE_SSHFP, 0, &fingerprints);
225 if (result) {
226 verbose("DNS lookup error: %s", dns_result_totext(result));
227 return -1;
228 }
229
230 if (fingerprints->rri_flags & RRSET_VALIDATED) {
231 *flags |= DNS_VERIFY_SECURE;
232 debug("found %d secure fingerprints in DNS",
233 fingerprints->rri_nrdatas);
234 } else {
235 debug("found %d insecure fingerprints in DNS",
236 fingerprints->rri_nrdatas);
237 }
238
239 if (fingerprints->rri_nrdatas)
240 *flags |= DNS_VERIFY_FOUND;
241
242 for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
243 /*
244 * Extract the key from the answer. Ignore any badly
245 * formatted fingerprints.
246 */
247 if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type,
248 &dnskey_digest, &dnskey_digest_len,
249 fingerprints->rri_rdatas[counter].rdi_data,
250 fingerprints->rri_rdatas[counter].rdi_length)) {
251 verbose("Error parsing fingerprint from DNS.");
252 continue;
253 }
254 debug3_f("checking SSHFP type %d fptype %d", dnskey_algorithm,
255 dnskey_digest_type);
256
257 /* Calculate host key fingerprint. */
258 if (!dns_read_key(&hostkey_algorithm, &dnskey_digest_type,
259 &hostkey_digest, &hostkey_digest_len, hostkey)) {
260 error("Error calculating key fingerprint.");
261 freerrset(fingerprints);
262 return -1;
263 }
264
265 /* Check if the current key is the same as the given key */
266 if (hostkey_algorithm == dnskey_algorithm &&
267 hostkey_digest_len == dnskey_digest_len) {
268 if (timingsafe_bcmp(hostkey_digest, dnskey_digest,
269 hostkey_digest_len) == 0) {
270 debug_f("matched SSHFP type %d fptype %d",
271 dnskey_algorithm, dnskey_digest_type);
272 *flags |= DNS_VERIFY_MATCH;
273 } else {
274 debug_f("failed SSHFP type %d fptype %d",
275 dnskey_algorithm, dnskey_digest_type);
276 *flags |= DNS_VERIFY_FAILED;
277 }
278 }
279 free(dnskey_digest);
280 free(hostkey_digest); /* from sshkey_fingerprint_raw() */
281 }
282
283 freerrset(fingerprints);
284
285 /* If any fingerprint failed to validate, return failure. */
286 if (*flags & DNS_VERIFY_FAILED)
287 *flags &= ~DNS_VERIFY_MATCH;
288
289 if (*flags & DNS_VERIFY_FOUND)
290 if (*flags & DNS_VERIFY_MATCH)
291 debug("matching host key fingerprint found in DNS");
292 else
293 debug("mismatching host key fingerprint found in DNS");
294 else
295 debug("no host key fingerprint found in DNS");
296
297 return 0;
298 }
299
300 /*
301 * Export the fingerprint of a key as a DNS resource record
302 */
303 int
304 export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
305 {
306 u_int8_t rdata_pubkey_algorithm = 0;
307 u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
308 u_int8_t dtype;
309 u_char *rdata_digest;
310 size_t i, rdata_digest_len;
311 int success = 0;
312
313 for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) {
314 rdata_digest_type = dtype;
315 if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
316 &rdata_digest, &rdata_digest_len, key)) {
317 if (generic) {
318 fprintf(f, "%s IN TYPE%d \\# %zu %02x %02x ",
319 hostname, DNS_RDATATYPE_SSHFP,
320 2 + rdata_digest_len,
321 rdata_pubkey_algorithm, rdata_digest_type);
322 } else {
323 fprintf(f, "%s IN SSHFP %d %d ", hostname,
324 rdata_pubkey_algorithm, rdata_digest_type);
325 }
326 for (i = 0; i < rdata_digest_len; i++)
327 fprintf(f, "%02x", rdata_digest[i]);
328 fprintf(f, "\n");
329 free(rdata_digest); /* from sshkey_fingerprint_raw() */
330 success = 1;
331 }
332 }
333
334 /* No SSHFP record was generated at all */
335 if (success == 0) {
336 error_f("unsupported algorithm and/or digest_type");
337 }
338
339 return success;
340 }
DragonFly BSD