|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
declare(strict_types=1); |
|
4
|
|
|
|
|
5
|
|
|
/* |
|
6
|
|
|
* This file is part of Badcow DNS Library. |
|
7
|
|
|
* |
|
8
|
|
|
* (c) Samuel Williams <[email protected]> |
|
9
|
|
|
* |
|
10
|
|
|
* For the full copyright and license information, please view the LICENSE |
|
11
|
|
|
* file that was distributed with this source code. |
|
12
|
|
|
*/ |
|
13
|
|
|
|
|
14
|
|
|
namespace Badcow\DNS\Rdata; |
|
15
|
|
|
|
|
16
|
|
|
use Badcow\DNS\Message; |
|
17
|
|
|
use Badcow\DNS\Parser\Tokens; |
|
18
|
|
|
use Badcow\DNS\Validator; |
|
19
|
|
|
|
|
20
|
|
|
/** |
|
21
|
|
|
* {@link https://tools.ietf.org/html/rfc4025}. |
|
22
|
|
|
*/ |
|
23
|
|
|
class IPSECKEY implements RdataInterface |
|
24
|
|
|
{ |
|
25
|
1 |
|
use RdataTrait; |
|
26
|
|
|
|
|
27
|
|
|
const TYPE = 'IPSECKEY'; |
|
28
|
|
|
const TYPE_CODE = 45; |
|
29
|
|
|
const ALGORITHM_NONE = 0; |
|
30
|
|
|
const ALGORITHM_DSA = 1; |
|
31
|
|
|
const ALGORITHM_RSA = 2; |
|
32
|
|
|
const ALGORITHM_ECDSA = 3; |
|
33
|
|
|
|
|
34
|
|
|
/** |
|
35
|
|
|
* This is an 8-bit precedence for this record. It is interpreted in |
|
36
|
|
|
* the same way as the PREFERENCE field described in section 3.3.9 of |
|
37
|
|
|
* RFC 1035. |
|
38
|
|
|
* |
|
39
|
|
|
* Gateways listed in IPSECKEY records with lower precedence are to be |
|
40
|
|
|
* attempted first. Where there is a tie in precedence, the order |
|
41
|
|
|
* should be non-deterministic. |
|
42
|
|
|
* |
|
43
|
|
|
* @var int |
|
44
|
|
|
*/ |
|
45
|
|
|
private $precedence; |
|
46
|
|
|
|
|
47
|
|
|
/** |
|
48
|
|
|
* The gateway type field indicates the format of the information that |
|
49
|
|
|
* is stored in the gateway field. |
|
50
|
|
|
* |
|
51
|
|
|
* The following values are defined: |
|
52
|
|
|
* - 0: No gateway is present. |
|
53
|
|
|
* - 1: A 4-byte IPv4 address is present. |
|
54
|
|
|
* - 2: A 16-byte IPv6 address is present. |
|
55
|
|
|
* - 3: A wire-encoded domain name is present. The wire-encoded format is |
|
56
|
|
|
* self-describing, so the length is implicit. The domain name MUST |
|
57
|
|
|
* NOT be compressed. (See Section 3.3 of RFC 1035.) |
|
58
|
|
|
* |
|
59
|
|
|
* @var int |
|
60
|
|
|
*/ |
|
61
|
|
|
private $gatewayType; |
|
62
|
|
|
|
|
63
|
|
|
/** |
|
64
|
|
|
* 7-bit The algorithm type field identifies the public key's crypto- |
|
65
|
|
|
* graphic algorithm and determines the format of the public key field. |
|
66
|
|
|
* A value of 0 indicates that no key is present. |
|
67
|
|
|
* |
|
68
|
|
|
* The following values are defined: |
|
69
|
|
|
* - 1: A DSA key is present, in the format defined in RFC 2536. |
|
70
|
|
|
* - 2: A RSA key is present, in the format defined in RFC 3110. |
|
71
|
|
|
* - 3: An ECDSA key is present, in the format defined in RFC 6605. |
|
72
|
|
|
* |
|
73
|
|
|
* @var int |
|
74
|
|
|
*/ |
|
75
|
|
|
private $algorithm = 0; |
|
76
|
|
|
|
|
77
|
|
|
/** |
|
78
|
|
|
* The gateway field indicates a gateway to which an IPsec tunnel may be. |
|
79
|
|
|
* created in order to reach the entity named by this resource record. |
|
80
|
|
|
* |
|
81
|
|
|
* There are three formats: |
|
82
|
|
|
* |
|
83
|
|
|
* A 32-bit IPv4 address is present in the gateway field. The data |
|
84
|
|
|
* portion is an IPv4 address as described in section 3.4.1 of RFC 1035. |
|
85
|
|
|
* This is a 32-bit number in network byte order. |
|
86
|
|
|
* |
|
87
|
|
|
* A 128-bit IPv6 address is present in the gateway field. The data |
|
88
|
|
|
* portion is an IPv6 address as described in section 2.2 of RFC 3596 |
|
89
|
|
|
* This is a 128-bit number in network byte order. |
|
90
|
|
|
* |
|
91
|
|
|
* The gateway field is a normal wire-encoded domain name, as described |
|
92
|
|
|
* in section 3.3 of RFC 1035. Compression MUST NOT be used. |
|
93
|
|
|
* |
|
94
|
|
|
* @var string|null |
|
95
|
|
|
*/ |
|
96
|
|
|
private $gateway; |
|
97
|
|
|
|
|
98
|
|
|
/** |
|
99
|
|
|
* Both the public key types defined in this document (RSA and DSA) |
|
100
|
|
|
* inherit their public key formats from the corresponding KEY RR |
|
101
|
|
|
* formats. Specifically, the public key field contains the |
|
102
|
|
|
* algorithm-specific portion of the KEY RR RDATA, which is all the KEY |
|
103
|
|
|
* RR DATA after the first four octets. This is the same portion of the |
|
104
|
|
|
* KEY RR that must be specified by documents that define a DNSSEC |
|
105
|
|
|
* algorithm. Those documents also specify a message digest to be used |
|
106
|
|
|
* for generation of SIG RRs; that specification is not relevant for |
|
107
|
|
|
* IPSECKEY RRs. |
|
108
|
|
|
* |
|
109
|
|
|
* @var string|null |
|
110
|
|
|
*/ |
|
111
|
|
|
private $publicKey = null; |
|
112
|
|
|
|
|
113
|
12 |
|
public function getPrecedence(): int |
|
114
|
|
|
{ |
|
115
|
12 |
|
return $this->precedence; |
|
116
|
|
|
} |
|
117
|
|
|
|
|
118
|
|
|
/** |
|
119
|
|
|
* @throws \InvalidArgumentException |
|
120
|
|
|
*/ |
|
121
|
24 |
|
public function setPrecedence(int $precedence): void |
|
122
|
|
|
{ |
|
123
|
24 |
|
if (!Validator::isUnsignedInteger($precedence, 8)) { |
|
124
|
|
|
throw new \InvalidArgumentException('IPSECKEY precedence must be an 8-bit integer.'); |
|
125
|
|
|
} |
|
126
|
24 |
|
$this->precedence = $precedence; |
|
127
|
24 |
|
} |
|
128
|
|
|
|
|
129
|
12 |
|
public function getGatewayType(): int |
|
130
|
|
|
{ |
|
131
|
12 |
|
return $this->gatewayType; |
|
132
|
|
|
} |
|
133
|
|
|
|
|
134
|
12 |
|
public function getAlgorithm(): int |
|
135
|
|
|
{ |
|
136
|
12 |
|
return $this->algorithm; |
|
137
|
|
|
} |
|
138
|
|
|
|
|
139
|
|
|
/** |
|
140
|
|
|
* @throws \InvalidArgumentException |
|
141
|
|
|
*/ |
|
142
|
24 |
|
private function setAlgorithm(int $algorithm): void |
|
143
|
|
|
{ |
|
144
|
24 |
|
if (!Validator::isUnsignedInteger($algorithm, 8)) { |
|
145
|
|
|
throw new \InvalidArgumentException('IPSECKEY algorithm type must be an 8-bit integer.'); |
|
146
|
|
|
} |
|
147
|
24 |
|
$this->algorithm = $algorithm; |
|
148
|
24 |
|
} |
|
149
|
|
|
|
|
150
|
12 |
|
public function getGateway(): ?string |
|
151
|
|
|
{ |
|
152
|
12 |
|
return $this->gateway; |
|
153
|
|
|
} |
|
154
|
|
|
|
|
155
|
|
|
/** |
|
156
|
|
|
* @param string|null $gateway either &null for no gateway, a fully qualified domain name, or an IPv4 or IPv6 address |
|
157
|
|
|
* |
|
158
|
|
|
* @throws \InvalidArgumentException |
|
159
|
|
|
*/ |
|
160
|
24 |
|
public function setGateway(?string $gateway): void |
|
161
|
|
|
{ |
|
162
|
24 |
|
if (null === $gateway || '.' === $gateway) { |
|
163
|
4 |
|
$gateway = null; |
|
164
|
4 |
|
$this->gatewayType = 0; |
|
165
|
20 |
|
} elseif (Validator::ipv4($gateway)) { |
|
166
|
8 |
|
$this->gatewayType = 1; |
|
167
|
12 |
|
} elseif (Validator::ipv6($gateway)) { |
|
168
|
4 |
|
$this->gatewayType = 2; |
|
169
|
8 |
|
} elseif (Validator::fullyQualifiedDomainName($gateway)) { |
|
170
|
8 |
|
$this->gatewayType = 3; |
|
171
|
|
|
} else { |
|
172
|
|
|
throw new \InvalidArgumentException('The gateway must be a fully qualified domain name, null, or a valid IPv4 or IPv6 address.'); |
|
173
|
|
|
} |
|
174
|
|
|
|
|
175
|
24 |
|
$this->gateway = $gateway; |
|
176
|
24 |
|
} |
|
177
|
|
|
|
|
178
|
|
|
/** |
|
179
|
|
|
* @return string|null base64 encoded public key |
|
180
|
|
|
*/ |
|
181
|
12 |
|
public function getPublicKey(): ?string |
|
182
|
|
|
{ |
|
183
|
12 |
|
return $this->publicKey; |
|
184
|
|
|
} |
|
185
|
|
|
|
|
186
|
|
|
/** |
|
187
|
|
|
* @param int $algorithm either IPSECKEY::ALGORITHM_NONE, IPSECKEY::ALGORITHM_DSA, IPSECKEY::ALGORITHM_RSA, or IPSECKEY::ALGORITHM_ECDSA |
|
188
|
|
|
* @param string|null $publicKey base64 encoded public key |
|
189
|
|
|
* |
|
190
|
|
|
* @throws \InvalidArgumentException |
|
191
|
|
|
*/ |
|
192
|
24 |
|
public function setPublicKey(int $algorithm, ?string $publicKey): void |
|
193
|
|
|
{ |
|
194
|
24 |
|
$this->publicKey = $publicKey; |
|
195
|
24 |
|
$this->setAlgorithm((null === $publicKey) ? 0 : $algorithm); |
|
196
|
24 |
|
} |
|
197
|
|
|
|
|
198
|
12 |
|
public function toText(): string |
|
199
|
|
|
{ |
|
200
|
12 |
|
return rtrim(sprintf('%d %d %d %s %s', |
|
201
|
12 |
|
$this->precedence, |
|
202
|
12 |
|
$this->gatewayType, |
|
203
|
12 |
|
$this->algorithm, |
|
204
|
12 |
|
(0 === $this->gatewayType) ? '.' : $this->gateway, |
|
205
|
12 |
|
(0 === $this->algorithm) ? '' : base64_encode($this->publicKey ?? '') |
|
206
|
|
|
)); |
|
207
|
|
|
} |
|
208
|
|
|
|
|
209
|
6 |
|
public function toWire(): string |
|
210
|
|
|
{ |
|
211
|
6 |
|
$wire = pack('CCC', $this->precedence, $this->gatewayType, $this->algorithm); |
|
212
|
6 |
|
if (1 === $this->gatewayType || 2 === $this->gatewayType) { |
|
213
|
3 |
|
if (null === $this->gateway) { |
|
214
|
|
|
throw new \RuntimeException('Gateway cannot be null if IPSECKEY::gatewayType > 0.'); |
|
215
|
|
|
} |
|
216
|
3 |
|
$wire .= inet_pton($this->gateway); |
|
217
|
|
|
} else { |
|
218
|
3 |
|
$wire .= Message::encodeName($this->gateway ?? '.'); |
|
219
|
|
|
} |
|
220
|
|
|
|
|
221
|
6 |
|
if (self::ALGORITHM_NONE !== $this->algorithm && null !== $this->publicKey) { |
|
222
|
5 |
|
$wire .= $this->publicKey; |
|
223
|
|
|
} |
|
224
|
|
|
|
|
225
|
6 |
|
return $wire; |
|
226
|
|
|
} |
|
227
|
|
|
|
|
228
|
6 |
|
public function fromText(string $text): void |
|
229
|
|
|
{ |
|
230
|
6 |
|
$rdata = explode(Tokens::SPACE, $text); |
|
231
|
6 |
|
$this->setPrecedence((int) array_shift($rdata)); |
|
232
|
6 |
|
array_shift($rdata); //Gateway type is inferred from setGateway. |
|
233
|
6 |
|
$algorithm = (int) array_shift($rdata); |
|
234
|
6 |
|
$this->setGateway((string) array_shift($rdata)); |
|
235
|
6 |
|
$publicKey = (0 === $algorithm) ? null : base64_decode(implode('', $rdata)); |
|
236
|
6 |
|
$this->setPublicKey($algorithm, $publicKey); |
|
237
|
6 |
|
} |
|
238
|
|
|
|
|
239
|
|
|
/** |
|
240
|
|
|
* @throws DecodeException |
|
241
|
|
|
*/ |
|
242
|
6 |
|
public function fromWire(string $rdata, int &$offset = 0, ?int $rdLength = null): void |
|
243
|
|
|
{ |
|
244
|
6 |
|
$end = $offset + $rdLength ?? strlen($rdata); |
|
245
|
|
|
|
|
246
|
6 |
|
if (false === $integers = unpack('CPrecedence/CGatewayType/CAlgorithm', $rdata, $offset)) { |
|
247
|
6 |
|
throw new DecodeException(static::TYPE, $rdata); |
|
248
|
6 |
|
} |
|
249
|
6 |
|
$offset += 3; |
|
250
|
6 |
|
$this->setPrecedence((int) $integers['Precedence']); |
|
251
|
|
|
$gatewayType = $integers['GatewayType']; |
|
252
|
6 |
|
$algorithm = $integers['Algorithm']; |
|
253
|
|
|
|
|
254
|
6 |
|
$this->setGateway(self::extractGateway($gatewayType, $rdata, $offset)); |
|
255
|
5 |
|
|
|
256
|
|
|
if (self::ALGORITHM_NONE !== $algorithm) { |
|
257
|
|
|
$this->setPublicKey($algorithm, substr($rdata, $offset, $end - $offset)); |
|
258
|
6 |
|
} |
|
259
|
6 |
|
|
|
260
|
|
|
$offset = $end; |
|
261
|
|
|
} |
|
262
|
|
|
|
|
263
|
|
|
/** |
|
264
|
6 |
|
* @throws DecodeException |
|
265
|
|
|
*/ |
|
266
|
6 |
|
private static function extractGateway(int $gatewayType, string $rdata, int &$offset): string |
|
267
|
6 |
|
{ |
|
268
|
5 |
|
switch ($gatewayType) { |
|
269
|
3 |
|
case 0: |
|
270
|
3 |
|
case 3: |
|
271
|
3 |
|
$gateway = Message::decodeName($rdata, $offset); |
|
272
|
2 |
|
break; |
|
273
|
2 |
|
case 1: |
|
274
|
2 |
|
$gateway = @inet_ntop(substr($rdata, $offset, 4)); |
|
275
|
1 |
|
$offset += 4; |
|
276
|
1 |
|
break; |
|
277
|
1 |
|
case 2: |
|
278
|
1 |
|
$gateway = @inet_ntop(substr($rdata, $offset, 16)); |
|
279
|
|
|
$offset += 16; |
|
280
|
|
|
break; |
|
281
|
|
|
default: |
|
282
|
|
|
$invalidArgumentException = new \InvalidArgumentException(sprintf('Expected gateway type to be integer on [0,3], got "%d".', $gatewayType)); |
|
283
|
|
|
throw new DecodeException(static::TYPE, $rdata, 0, $invalidArgumentException); |
|
284
|
6 |
|
} |
|
285
|
|
|
|
|
286
|
|
|
if (false === $gateway) { |
|
287
|
|
|
throw new DecodeException(static::TYPE, $rdata); |
|
288
|
6 |
|
} |
|
289
|
|
|
|
|
290
|
|
|
return $gateway; |
|
291
|
|
|
} |
|
292
|
|
|
} |
|
293
|
|
|
|
Badcow /
DNS
