dnsruby 1.60.2 → 1.61.5

data/lib/dnsruby/packet_sender.rb

@@ -331,7 +331,14 @@ module Dnsruby
         client_query_id = Time.now + rand(10000) # is this safe?!
       end
 
-      query_packet = make_query_packet(msg, use_tcp)
+      begin
+        query_packet = make_query_packet(msg, use_tcp)
+      rescue EncodeError => err
+        Dnsruby.log.error { "#{err}" }
+        st = SelectThread.instance
+        st.push_exception_to_select(client_query_id, client_queue, err, nil)
+        return
+      end
 
       if (msg.do_caching && (msg.class != Update))
         #  Check the cache!!
@@ -449,7 +456,7 @@ module Dnsruby
                 socket, new_socket = tcp_pipeline_socket(src_port)
                 src_port = @tcp_pipeline_local_port
               else
-                socket = TCPSocket.new(@server, @port, src_address, src_port)
+                socket = Socket.tcp(@server, @port, src_address, src_port, connect_timeout: @packet_timeout)
                 new_socket = true
               end
             rescue Errno::EBADF, Errno::ENETUNREACH => e
@@ -622,6 +629,11 @@ module Dnsruby
           #  Should send error back up to Resolver here, and then NOT QUERY AGAIN!!!
           return sig_value
         end
+        if ((response.header.get_header_rcode == RCode.FORMERR) &&
+            (query.header.arcount == 0))
+          # Raise an error
+          return true
+        end
         #  Should check that question section is same as question that was sent! RFC 5452
         #  If it's not an update...
         if (query.class == Update)

data/lib/dnsruby/recursor.rb

@@ -153,7 +153,7 @@ module Dnsruby
       end
     end
     attr_accessor :nameservers, :callback, :recurse, :ipv6_ok
-    attr_reader :hints
+    attr_reader :hints, :dnssec
     #  The resolver to use for the queries
     attr_accessor :resolver
 
@@ -164,6 +164,11 @@ module Dnsruby
     @@zones_cache = nil
     @@nameservers = nil
 
+    def dnssec=(dnssec_on)
+      @dnssec = dnssec_on
+      @resolver.dnssec = dnssec_on
+    end
+
     def initialize(res = nil)
       if (res)
         @resolver = res
@@ -174,6 +179,7 @@ module Dnsruby
           @resolver = Resolver.new
         end
       end
+      @resolver.dnssec = @dnssec
       @ipv6_ok = false
     end
     # Initialize the hint servers.  Recursive queries need a starting name
@@ -196,6 +202,7 @@ module Dnsruby
       @resolver = resolver
       if (resolver.single_resolvers.length == 0)
         resolver = Resolver.new()
+        resolver.dnssec = @dnssec
       end
       if (hints && hints.length > 0)
         resolver.nameservers=hints
@@ -372,6 +379,7 @@ module Dnsruby
     end
 
     def Recursor.clear_caches(resolver = Resolver.new)
+      resolver.dnssec = @dnssec
       Recursor.set_hints(Hash.new, resolver)
       @@zones_cache = Hash.new # key zone_name, values Hash of servers and AddressCaches
       @@zones_cache["."] = @@hints
@@ -613,6 +621,7 @@ module Dnsruby
         }
       end
       resolver = Resolver.new({:nameserver=>nameservers})
+      resolver.dnssec = @dnssec
       servers = []
       resolver.single_resolvers.each {|s|
         servers.push(s.server)

data/lib/dnsruby/resolver.rb

@@ -891,6 +891,14 @@ module Dnsruby
         return
       end
 
+      begin
+        msg.encode
+      rescue EncodeError => err
+        Dnsruby.log.error { "Can't encode " + msg.to_s + " : #{err}" }
+        client_queue.push([client_query_id, err])
+        return
+      end
+
       tick_needed = false
       #  add to our data structures
       #       @mutex.synchronize{
@@ -1124,6 +1132,9 @@ module Dnsruby
         increment_resolver_priority(resolver) unless response.cached
         stop_querying(client_query_id)
         #  @TODO@ Does the client want notified at this point?
+      elsif error.kind_of?(EncodeError)
+        Dnsruby.log.debug{'Encode error - sending to client'}
+        send_result_and_stop_querying(client_queue, client_query_id, select_queue, response, error)
       else
         #    - if it was any other error, then remove that server from the list for that query
         #    If a Too Many Open Files error, then don't remove, but let retry work.

data/lib/dnsruby/resource/CAA.rb

@@ -43,7 +43,7 @@ module Dnsruby
       end
 
       def from_string(input) #:nodoc: all
-        matches = (/(\d+) (issuewild|issue|iodef) "(.+)"$/).match(input)
+        matches = (/(\d+) (issuewild|issue|iodef|contactemail|contactphone) "(.+)"$/).match(input)
         @flag = matches[1]
         @property_tag = matches[2]
         @property_value = matches[3]

data/lib/dnsruby/resource/CDNSKEY.rb

@@ -0,0 +1,17 @@
+module Dnsruby
+  class RR
+    # RFC4034, section 2
+    # DNSSEC uses public key cryptography to sign and authenticate DNS
+    # resource record sets (RRsets).  The public keys are stored in DNSKEY
+    # resource records and are used in the DNSSEC authentication process
+    # described in [RFC4035]: A zone signs its authoritative RRsets by
+    # using a private key and stores the corresponding public key in a
+    # DNSKEY RR.  A resolver can then use the public key to validate
+    # signatures covering the RRsets in the zone, and thus to authenticate
+    # them.
+    class CDNSKEY < DNSKEY
+      ClassValue = nil #:nodoc: all
+      TypeValue = Types::CDNSKEY #:nodoc: all
+    end
+  end
+end

data/lib/dnsruby/resource/CDS.rb

@@ -0,0 +1,35 @@
+# --
+# Copyright 2018 Caerketton Tech Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ++
+module Dnsruby
+  class RR
+    # RFC4034, section 4
+    # The DS Resource Record refers to a DNSKEY RR and is used in the DNS
+    # DNSKEY authentication process.  A DS RR refers to a DNSKEY RR by
+    # storing the key tag, algorithm number, and a digest of the DNSKEY RR.
+    # Note that while the digest should be sufficient to identify the
+    # public key, storing the key tag and key algorithm helps make the
+    # identification process more efficient.  By authenticating the DS
+    # record, a resolver can authenticate the DNSKEY RR to which the DS
+    # record points.  The key authentication process is described in
+    # [RFC4035].
+
+    class CDS < DS
+
+      ClassValue = nil #:nodoc: all
+      TypeValue = Types::CDS #:nodoc: all
+    end
+  end
+end

data/lib/dnsruby/resource/DNSKEY.rb

@@ -313,6 +313,8 @@ module Dnsruby
           elsif [Algorithms.DSA,
               Algorithms.DSA_NSEC3_SHA1].include?(@algorithm)
             @public_key = dsa_key
+          elsif [Algorithms.ECDSAP256SHA256, Algorithms.ECDSAP384SHA384].include?(@algorithm)
+            @public_key = ec_key(Algorithms.ECDSAP256SHA256 == @algorithm ? 'prime256v1' : 'secp384r1')
           end
         end
         #  @TODO@ Support other key encodings!
@@ -340,8 +342,12 @@ module Dnsruby
         @key_length = (@key.length - pos) * 8
 
         pkey = OpenSSL::PKey::RSA.new
-        pkey.e = exponent
-        pkey.n = modulus
+        begin
+          pkey.set_key(modulus, exponent, nil) # use set_key, present in later versions of openssl gem
+        rescue NoMethodError
+          pkey.e = exponent # set_key not available in earlier versions, use this approach instead
+          pkey.n = modulus
+        end
         return pkey
       end
 
@@ -361,10 +367,31 @@ module Dnsruby
         @key_length = (pgy_len * 8)
 
         pkey = OpenSSL::PKey::DSA.new
-        pkey.p = p
-        pkey.q = q
-        pkey.g = g
-        pkey.pub_key = y
+        begin
+          pkey.set_pgq(p,g,q)
+          pkey.set_key(y, nil) # use set_pgq and set_key, present in later versions of openssl gem
+        rescue NoMethodError
+          pkey.p = p # set_key not available in earlier versions, use this approach instead
+          pkey.q = q
+          pkey.g = g
+          pkey.pub_key = y
+        end
+
+        pkey
+      end
+
+      # RFC6605, section 4
+      # ECDSA public keys consist of a single value, called "Q" in FIPS
+      # 186-3.  In DNSSEC keys, Q is a simple bit string that represents the
+      # uncompressed form of a curve point, "x | y".
+      def ec_key(curve = 'prime256v1')
+        group = OpenSSL::PKey::EC::Group.new(curve)
+        pkey = OpenSSL::PKey::EC.new(group)
+
+        # DNSSEC pub does not have first octet that determines whether it's uncompressed
+        # or compressed form, but it's required by OpenSSL to parse EC point correctly
+        point_from_pub = "\x04" + @key.to_s # octet string, \x04 prefix determines uncompressed
+        pkey.public_key = OpenSSL::PKey::EC::Point.new(group, point_from_pub)
 
         pkey
       end

data/lib/dnsruby/resource/IN.rb

@@ -19,7 +19,11 @@ module Dnsruby
       Types::NS => NS,
       Types::CNAME => CNAME,
       Types::DNAME => DNAME,
+      Types::URI => URI,
+      Types::DS => DS,
+      Types::CDS => CDS,
       Types::DNSKEY => DNSKEY,
+      Types::CDNSKEY => CDNSKEY,
       Types::SOA => SOA,
       Types::PTR => PTR,
       Types::HINFO => HINFO,
@@ -45,7 +49,6 @@ module Dnsruby
       Types::ANY => ANY,
       Types::RRSIG => RRSIG,
       Types::NSEC => NSEC,
-      Types::DS => DS,
       Types::NSEC3 => NSEC3,
       Types::NSEC3PARAM => NSEC3PARAM,
       Types::DLV => DLV,

data/lib/dnsruby/resource/URI.rb

@@ -0,0 +1,57 @@
+module Dnsruby
+  class RR
+      class URI < RR
+        ClassValue = nil #:nodoc: all
+        TypeValue= Types::URI #:nodoc: all
+
+        #  The NAPTR RR order field
+        attr_accessor :priority
+
+        #  The NAPTR RR order field
+        attr_accessor :weight
+
+        #  The NAPTR RR order field
+        attr_accessor :target
+
+        def from_hash(hash) #:nodoc: all
+          @priority = hash[:priority]
+          @weight = hash[:weight]
+          @target = hash[:target]
+        end
+
+        def from_data(data) #:nodoc: all
+          @priority,  @weight, @target = data
+        end
+
+        def from_string(input) #:nodoc: all
+          if (input.strip.length > 0)
+            values = input.split(" ")
+            @priority = values [0].to_i
+            @weight = values [1].to_i
+            @target = values [2].gsub!("\"", "")
+          end
+        end
+
+        def rdata_to_string #:nodoc: all
+            "#{@priority} #{@weight} \"#{@target}\""
+        end
+
+        def encode_rdata(msg, canonical=false) #:nodoc: all
+          if (@priority != nil)
+            msg.put_pack('n', @priority)
+            msg.put_pack('n', @weight)
+            msg.put_bytes(@target)
+          end
+        end
+
+        def self.decode_rdata(msg) #:nodoc: all
+          priority, = msg.get_unpack('n')
+          weight, = msg.get_unpack('n')
+          target = msg.get_bytes
+          return self.new([priority, weight, target])
+        end
+
+
+      end
+  end
+end

data/lib/dnsruby/resource/generic.rb

@@ -152,9 +152,12 @@ require 'dnsruby/resource/OPT'
 require 'dnsruby/resource/TSIG'
 require 'dnsruby/resource/TKEY'
 require 'dnsruby/resource/DNSKEY'
+require 'dnsruby/resource/CDNSKEY'
 require 'dnsruby/resource/RRSIG'
 require 'dnsruby/resource/NSEC'
 require 'dnsruby/resource/DS'
+require 'dnsruby/resource/CDS'
+require 'dnsruby/resource/URI'
 require 'dnsruby/resource/NSEC3'
 require 'dnsruby/resource/NSEC3PARAM'
 require 'dnsruby/resource/DLV'

data/lib/dnsruby/select_thread.rb

@@ -194,7 +194,7 @@ module Dnsruby
         rescue SelectWakeup
           #  If SelectWakeup, then just restart this loop - the select call will be made with the new data
           next
-        rescue IOError => e
+        rescue IOError, EncodeError => e
           #           print "IO Error  =: #{e}\n"
           exceptions = clean_up_closed_sockets
           exceptions.each { |exception| send_exception_to_client(*exception) }

data/lib/dnsruby/single_verifier.rb

@@ -65,6 +65,7 @@ module Dnsruby
           @@recursor = Recursor.new
         end
       end
+      @@recursor.dnssec = true
       return @@recursor
     end
 
@@ -72,12 +73,15 @@ module Dnsruby
       #       if (Dnssec.do_validation_with_recursor?)
       #         return Recursor.new
       #       else
+      resolver = nil
       if (Dnssec.default_resolver)
-        return Dnssec.default_resolver
+        resolver = Dnssec.default_resolver
       else
-        return Resolver.new
+        resolver = Resolver.new
       end
       #       end
+      resolver.dnssec = true
+      return resolver
     end
     def add_dlv_key(key)
       #  Is this a ZSK or a KSK?
@@ -796,6 +800,19 @@ module Dnsruby
 
         asn1 = OpenSSL::ASN1::Sequence.new([r_asn1, s_asn1]).to_der
         verified = keyrec.public_key.verify(OpenSSL::Digest::DSS1.new, asn1, sig_data)
+      elsif [Algorithms.ECDSAP256SHA256, Algorithms.ECDSAP384SHA384].include?(sigrec.algorithm)
+        byte_size = (keyrec.public_key.group.degree + 7) / 8
+        sig_bytes = sigrec.signature[0..(byte_size - 1)]
+        sig_char = sigrec.signature[byte_size..-1] || ''
+        asn1 = OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+
+        digest_obj = if sigrec.algorithm == Algorithms.ECDSAP384SHA384
+                       OpenSSL::Digest::SHA384.new
+                     else
+                       OpenSSL::Digest::SHA256.new
+                     end
+
+        verified = keyrec.public_key.dsa_verify_asn1(digest_obj.digest(sig_data), asn1)
       else
         raise RuntimeError.new("Algorithm #{sigrec.algorithm.code} unsupported by Dnsruby")
       end
@@ -848,6 +865,7 @@ module Dnsruby
           end
         end
       end
+      res.dnssec = true
       #       query = Message.new(name, Types.DNSKEY)
       #       query.do_validation = false
       ret = nil
@@ -1011,6 +1029,7 @@ module Dnsruby
                 end
               end
             end
+            parent_res.dnssec = true
           end
           #  Use that Resolver to query for DS record and NS for children
           ds_rrset = current_anchor
@@ -1068,6 +1087,7 @@ module Dnsruby
                 child_res = Resolver.new
               end
             end
+            child_res.dnssec = true
           end
         end
         #  Query for DNSKEY record, and verify against DS in parent.
@@ -1143,11 +1163,14 @@ module Dnsruby
       if (Dnssec.do_validation_with_recursor?)
         return get_recursor
       else
+        resolver = nil
         if (Dnssec.default_resolver)
-          return Dnssec.default_resolver
+          resolver = Dnssec.default_resolver
         else
-          return Resolver.new
+          resolver = Resolver.new
         end
+        resolver.dnssec = true
+        return resolver
       end
     end
 

data/lib/dnsruby/validator_thread.rb

@@ -1,12 +1,12 @@
 # --
 # Copyright 2007 Nominet UK
-# 
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-# 
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -109,7 +109,7 @@ module Dnsruby
           return true
         rescue VerifyError => e
           response.security_error = e
-          response.security_level = BOGUS
+          response.security_level = Message::SecurityLevel.BOGUS
           #  Response security_level should already be set
           return false
         end