1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
|
// Copyright (c) 1999-2004 Brian Wellington (bwelling@xbill.org)
package org.xbill.DNS;
import java.util.*;
import org.xbill.DNS.utils.*;
/**
* Transaction signature handling. This class generates and verifies
* TSIG records on messages, which provide transaction security.
* @see TSIGRecord
*
* @author Brian Wellington
*/
public class TSIG {
private static final String HMAC_MD5_STR = "HMAC-MD5.SIG-ALG.REG.INT.";
private static final String HMAC_SHA1_STR = "hmac-sha1.";
private static final String HMAC_SHA224_STR = "hmac-sha224.";
private static final String HMAC_SHA256_STR = "hmac-sha256.";
private static final String HMAC_SHA384_STR = "hmac-sha384.";
private static final String HMAC_SHA512_STR = "hmac-sha512.";
/** The domain name representing the HMAC-MD5 algorithm. */
public static final Name HMAC_MD5 = Name.fromConstantString(HMAC_MD5_STR);
/** The domain name representing the HMAC-MD5 algorithm (deprecated). */
public static final Name HMAC = HMAC_MD5;
/** The domain name representing the HMAC-SHA1 algorithm. */
public static final Name HMAC_SHA1 = Name.fromConstantString(HMAC_SHA1_STR);
/**
* The domain name representing the HMAC-SHA224 algorithm.
* Note that SHA224 is not supported by Java out-of-the-box, this requires use
* of a third party provider like BouncyCastle.org.
*/
public static final Name HMAC_SHA224 = Name.fromConstantString(HMAC_SHA224_STR);
/** The domain name representing the HMAC-SHA256 algorithm. */
public static final Name HMAC_SHA256 = Name.fromConstantString(HMAC_SHA256_STR);
/** The domain name representing the HMAC-SHA384 algorithm. */
public static final Name HMAC_SHA384 = Name.fromConstantString(HMAC_SHA384_STR);
/** The domain name representing the HMAC-SHA512 algorithm. */
public static final Name HMAC_SHA512 = Name.fromConstantString(HMAC_SHA512_STR);
/**
* The default fudge value for outgoing packets. Can be overriden by the
* tsigfudge option.
*/
public static final short FUDGE = 300;
private Name name, alg;
private String digest;
private int digestBlockLength;
private byte [] key;
private void
getDigest() {
if (alg.equals(HMAC_MD5)) {
digest = "md5";
digestBlockLength = 64;
} else if (alg.equals(HMAC_SHA1)) {
digest = "sha-1";
digestBlockLength = 64;
} else if (alg.equals(HMAC_SHA224)) {
digest = "sha-224";
digestBlockLength = 64;
} else if (alg.equals(HMAC_SHA256)) {
digest = "sha-256";
digestBlockLength = 64;
} else if (alg.equals(HMAC_SHA512)) {
digest = "sha-512";
digestBlockLength = 128;
} else if (alg.equals(HMAC_SHA384)) {
digest = "sha-384";
digestBlockLength = 128;
} else
throw new IllegalArgumentException("Invalid algorithm");
}
/**
* Creates a new TSIG key, which can be used to sign or verify a message.
* @param algorithm The algorithm of the shared key.
* @param name The name of the shared key.
* @param key The shared key's data.
*/
public
TSIG(Name algorithm, Name name, byte [] key) {
this.name = name;
this.alg = algorithm;
this.key = key;
getDigest();
}
/**
* Creates a new TSIG key with the hmac-md5 algorithm, which can be used to
* sign or verify a message.
* @param name The name of the shared key.
* @param key The shared key's data.
*/
public
TSIG(Name name, byte [] key) {
this(HMAC_MD5, name, key);
}
/**
* Creates a new TSIG object, which can be used to sign or verify a message.
* @param name The name of the shared key.
* @param key The shared key's data represented as a base64 encoded string.
* @throws IllegalArgumentException The key name is an invalid name
* @throws IllegalArgumentException The key data is improperly encoded
*/
public
TSIG(Name algorithm, String name, String key) {
this.key = base64.fromString(key);
if (this.key == null)
throw new IllegalArgumentException("Invalid TSIG key string");
try {
this.name = Name.fromString(name, Name.root);
}
catch (TextParseException e) {
throw new IllegalArgumentException("Invalid TSIG key name");
}
this.alg = algorithm;
getDigest();
}
/**
* Creates a new TSIG object, which can be used to sign or verify a message.
* @param name The name of the shared key.
* @param algorithm The algorithm of the shared key. The legal values are
* "hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", and
* "hmac-sha512".
* @param key The shared key's data represented as a base64 encoded string.
* @throws IllegalArgumentException The key name is an invalid name
* @throws IllegalArgumentException The key data is improperly encoded
*/
public
TSIG(String algorithm, String name, String key) {
this(HMAC_MD5, name, key);
if (algorithm.equalsIgnoreCase("hmac-md5"))
this.alg = HMAC_MD5;
else if (algorithm.equalsIgnoreCase("hmac-sha1"))
this.alg = HMAC_SHA1;
else if (algorithm.equalsIgnoreCase("hmac-sha224"))
this.alg = HMAC_SHA224;
else if (algorithm.equalsIgnoreCase("hmac-sha256"))
this.alg = HMAC_SHA256;
else if (algorithm.equalsIgnoreCase("hmac-sha384"))
this.alg = HMAC_SHA384;
else if (algorithm.equalsIgnoreCase("hmac-sha512"))
this.alg = HMAC_SHA512;
else
throw new IllegalArgumentException("Invalid TSIG algorithm");
getDigest();
}
/**
* Creates a new TSIG object with the hmac-md5 algorithm, which can be used to
* sign or verify a message.
* @param name The name of the shared key
* @param key The shared key's data, represented as a base64 encoded string.
* @throws IllegalArgumentException The key name is an invalid name
* @throws IllegalArgumentException The key data is improperly encoded
*/
public
TSIG(String name, String key) {
this(HMAC_MD5, name, key);
}
/**
* Creates a new TSIG object, which can be used to sign or verify a message.
* @param str The TSIG key, in the form name:secret, name/secret,
* alg:name:secret, or alg/name/secret. If an algorithm is specified, it must
* be "hmac-md5", "hmac-sha1", or "hmac-sha256".
* @throws IllegalArgumentException The string does not contain both a name
* and secret.
* @throws IllegalArgumentException The key name is an invalid name
* @throws IllegalArgumentException The key data is improperly encoded
*/
static public TSIG
fromString(String str) {
String [] parts = str.split("[:/]", 3);
if (parts.length < 2)
throw new IllegalArgumentException("Invalid TSIG key " +
"specification");
if (parts.length == 3) {
try {
return new TSIG(parts[0], parts[1], parts[2]);
} catch (IllegalArgumentException e) {
parts = str.split("[:/]", 2);
}
}
return new TSIG(HMAC_MD5, parts[0], parts[1]);
}
/**
* Generates a TSIG record with a specific error for a message that has
* been rendered.
* @param m The message
* @param b The rendered message
* @param error The error
* @param old If this message is a response, the TSIG from the request
* @return The TSIG record to be added to the message
*/
public TSIGRecord
generate(Message m, byte [] b, int error, TSIGRecord old) {
Date timeSigned;
if (error != Rcode.BADTIME)
timeSigned = new Date();
else
timeSigned = old.getTimeSigned();
int fudge;
HMAC hmac = null;
if (error == Rcode.NOERROR || error == Rcode.BADTIME)
hmac = new HMAC(digest, digestBlockLength, key);
fudge = Options.intValue("tsigfudge");
if (fudge < 0 || fudge > 0x7FFF)
fudge = FUDGE;
if (old != null) {
DNSOutput out = new DNSOutput();
out.writeU16(old.getSignature().length);
if (hmac != null) {
hmac.update(out.toByteArray());
hmac.update(old.getSignature());
}
}
/* Digest the message */
if (hmac != null)
hmac.update(b);
DNSOutput out = new DNSOutput();
name.toWireCanonical(out);
out.writeU16(DClass.ANY); /* class */
out.writeU32(0); /* ttl */
alg.toWireCanonical(out);
long time = timeSigned.getTime() / 1000;
int timeHigh = (int) (time >> 32);
long timeLow = (time & 0xFFFFFFFFL);
out.writeU16(timeHigh);
out.writeU32(timeLow);
out.writeU16(fudge);
out.writeU16(error);
out.writeU16(0); /* No other data */
if (hmac != null)
hmac.update(out.toByteArray());
byte [] signature;
if (hmac != null)
signature = hmac.sign();
else
signature = new byte[0];
byte [] other = null;
if (error == Rcode.BADTIME) {
out = new DNSOutput();
time = new Date().getTime() / 1000;
timeHigh = (int) (time >> 32);
timeLow = (time & 0xFFFFFFFFL);
out.writeU16(timeHigh);
out.writeU32(timeLow);
other = out.toByteArray();
}
return (new TSIGRecord(name, DClass.ANY, 0, alg, timeSigned, fudge,
signature, m.getHeader().getID(), error, other));
}
/**
* Generates a TSIG record with a specific error for a message and adds it
* to the message.
* @param m The message
* @param error The error
* @param old If this message is a response, the TSIG from the request
*/
public void
apply(Message m, int error, TSIGRecord old) {
Record r = generate(m, m.toWire(), error, old);
m.addRecord(r, Section.ADDITIONAL);
m.tsigState = Message.TSIG_SIGNED;
}
/**
* Generates a TSIG record for a message and adds it to the message
* @param m The message
* @param old If this message is a response, the TSIG from the request
*/
public void
apply(Message m, TSIGRecord old) {
apply(m, Rcode.NOERROR, old);
}
/**
* Generates a TSIG record for a message and adds it to the message
* @param m The message
* @param old If this message is a response, the TSIG from the request
*/
public void
applyStream(Message m, TSIGRecord old, boolean first) {
if (first) {
apply(m, old);
return;
}
Date timeSigned = new Date();
int fudge;
HMAC hmac = new HMAC(digest, digestBlockLength, key);
fudge = Options.intValue("tsigfudge");
if (fudge < 0 || fudge > 0x7FFF)
fudge = FUDGE;
DNSOutput out = new DNSOutput();
out.writeU16(old.getSignature().length);
hmac.update(out.toByteArray());
hmac.update(old.getSignature());
/* Digest the message */
hmac.update(m.toWire());
out = new DNSOutput();
long time = timeSigned.getTime() / 1000;
int timeHigh = (int) (time >> 32);
long timeLow = (time & 0xFFFFFFFFL);
out.writeU16(timeHigh);
out.writeU32(timeLow);
out.writeU16(fudge);
hmac.update(out.toByteArray());
byte [] signature = hmac.sign();
byte [] other = null;
Record r = new TSIGRecord(name, DClass.ANY, 0, alg, timeSigned, fudge,
signature, m.getHeader().getID(),
Rcode.NOERROR, other);
m.addRecord(r, Section.ADDITIONAL);
m.tsigState = Message.TSIG_SIGNED;
}
/**
* Verifies a TSIG record on an incoming message. Since this is only called
* in the context where a TSIG is expected to be present, it is an error
* if one is not present. After calling this routine, Message.isVerified() may
* be called on this message.
* @param m The message
* @param b An array containing the message in unparsed form. This is
* necessary since TSIG signs the message in wire format, and we can't
* recreate the exact wire format (with the same name compression).
* @param length The length of the message in the array.
* @param old If this message is a response, the TSIG from the request
* @return The result of the verification (as an Rcode)
* @see Rcode
*/
public byte
verify(Message m, byte [] b, int length, TSIGRecord old) {
m.tsigState = Message.TSIG_FAILED;
TSIGRecord tsig = m.getTSIG();
HMAC hmac = new HMAC(digest, digestBlockLength, key);
if (tsig == null)
return Rcode.FORMERR;
if (!tsig.getName().equals(name) || !tsig.getAlgorithm().equals(alg)) {
if (Options.check("verbose"))
System.err.println("BADKEY failure");
return Rcode.BADKEY;
}
long now = System.currentTimeMillis();
long then = tsig.getTimeSigned().getTime();
long fudge = tsig.getFudge();
if (Math.abs(now - then) > fudge * 1000) {
if (Options.check("verbose"))
System.err.println("BADTIME failure");
return Rcode.BADTIME;
}
if (old != null && tsig.getError() != Rcode.BADKEY &&
tsig.getError() != Rcode.BADSIG)
{
DNSOutput out = new DNSOutput();
out.writeU16(old.getSignature().length);
hmac.update(out.toByteArray());
hmac.update(old.getSignature());
}
m.getHeader().decCount(Section.ADDITIONAL);
byte [] header = m.getHeader().toWire();
m.getHeader().incCount(Section.ADDITIONAL);
hmac.update(header);
int len = m.tsigstart - header.length;
hmac.update(b, header.length, len);
DNSOutput out = new DNSOutput();
tsig.getName().toWireCanonical(out);
out.writeU16(tsig.dclass);
out.writeU32(tsig.ttl);
tsig.getAlgorithm().toWireCanonical(out);
long time = tsig.getTimeSigned().getTime() / 1000;
int timeHigh = (int) (time >> 32);
long timeLow = (time & 0xFFFFFFFFL);
out.writeU16(timeHigh);
out.writeU32(timeLow);
out.writeU16(tsig.getFudge());
out.writeU16(tsig.getError());
if (tsig.getOther() != null) {
out.writeU16(tsig.getOther().length);
out.writeByteArray(tsig.getOther());
} else {
out.writeU16(0);
}
hmac.update(out.toByteArray());
byte [] signature = tsig.getSignature();
int digestLength = hmac.digestLength();
int minDigestLength = digest.equals("md5") ? 10 : digestLength / 2;
if (signature.length > digestLength) {
if (Options.check("verbose"))
System.err.println("BADSIG: signature too long");
return Rcode.BADSIG;
} else if (signature.length < minDigestLength) {
if (Options.check("verbose"))
System.err.println("BADSIG: signature too short");
return Rcode.BADSIG;
} else if (!hmac.verify(signature, true)) {
if (Options.check("verbose"))
System.err.println("BADSIG: signature verification");
return Rcode.BADSIG;
}
m.tsigState = Message.TSIG_VERIFIED;
return Rcode.NOERROR;
}
/**
* Verifies a TSIG record on an incoming message. Since this is only called
* in the context where a TSIG is expected to be present, it is an error
* if one is not present. After calling this routine, Message.isVerified() may
* be called on this message.
* @param m The message
* @param b The message in unparsed form. This is necessary since TSIG
* signs the message in wire format, and we can't recreate the exact wire
* format (with the same name compression).
* @param old If this message is a response, the TSIG from the request
* @return The result of the verification (as an Rcode)
* @see Rcode
*/
public int
verify(Message m, byte [] b, TSIGRecord old) {
return verify(m, b, b.length, old);
}
/**
* Returns the maximum length of a TSIG record generated by this key.
* @see TSIGRecord
*/
public int
recordLength() {
return (name.length() + 10 +
alg.length() +
8 + // time signed, fudge
18 + // 2 byte MAC length, 16 byte MAC
4 + // original id, error
8); // 2 byte error length, 6 byte max error field.
}
public static class StreamVerifier {
/**
* A helper class for verifying multiple message responses.
*/
private TSIG key;
private HMAC verifier;
private int nresponses;
private int lastsigned;
private TSIGRecord lastTSIG;
/** Creates an object to verify a multiple message response */
public
StreamVerifier(TSIG tsig, TSIGRecord old) {
key = tsig;
verifier = new HMAC(key.digest, key.digestBlockLength, key.key);
nresponses = 0;
lastTSIG = old;
}
/**
* Verifies a TSIG record on an incoming message that is part of a
* multiple message response.
* TSIG records must be present on the first and last messages, and
* at least every 100 records in between.
* After calling this routine, Message.isVerified() may be called on
* this message.
* @param m The message
* @param b The message in unparsed form
* @return The result of the verification (as an Rcode)
* @see Rcode
*/
public int
verify(Message m, byte [] b) {
TSIGRecord tsig = m.getTSIG();
nresponses++;
if (nresponses == 1) {
int result = key.verify(m, b, lastTSIG);
if (result == Rcode.NOERROR) {
byte [] signature = tsig.getSignature();
DNSOutput out = new DNSOutput();
out.writeU16(signature.length);
verifier.update(out.toByteArray());
verifier.update(signature);
}
lastTSIG = tsig;
return result;
}
if (tsig != null)
m.getHeader().decCount(Section.ADDITIONAL);
byte [] header = m.getHeader().toWire();
if (tsig != null)
m.getHeader().incCount(Section.ADDITIONAL);
verifier.update(header);
int len;
if (tsig == null)
len = b.length - header.length;
else
len = m.tsigstart - header.length;
verifier.update(b, header.length, len);
if (tsig != null) {
lastsigned = nresponses;
lastTSIG = tsig;
}
else {
boolean required = (nresponses - lastsigned >= 100);
if (required) {
m.tsigState = Message.TSIG_FAILED;
return Rcode.FORMERR;
} else {
m.tsigState = Message.TSIG_INTERMEDIATE;
return Rcode.NOERROR;
}
}
if (!tsig.getName().equals(key.name) ||
!tsig.getAlgorithm().equals(key.alg))
{
if (Options.check("verbose"))
System.err.println("BADKEY failure");
m.tsigState = Message.TSIG_FAILED;
return Rcode.BADKEY;
}
DNSOutput out = new DNSOutput();
long time = tsig.getTimeSigned().getTime() / 1000;
int timeHigh = (int) (time >> 32);
long timeLow = (time & 0xFFFFFFFFL);
out.writeU16(timeHigh);
out.writeU32(timeLow);
out.writeU16(tsig.getFudge());
verifier.update(out.toByteArray());
if (verifier.verify(tsig.getSignature()) == false) {
if (Options.check("verbose"))
System.err.println("BADSIG failure");
m.tsigState = Message.TSIG_FAILED;
return Rcode.BADSIG;
}
verifier.clear();
out = new DNSOutput();
out.writeU16(tsig.getSignature().length);
verifier.update(out.toByteArray());
verifier.update(tsig.getSignature());
m.tsigState = Message.TSIG_VERIFIED;
return Rcode.NOERROR;
}
}
}
|
