1 // Copyright (c) 1999-2004 Brian Wellington (bwelling (at) xbill.org) 2 3 package org.xbill.DNS; 4 5 import java.util.*; 6 import org.xbill.DNS.utils.*; 7 8 /** 9 * Transaction signature handling. This class generates and verifies 10 * TSIG records on messages, which provide transaction security. 11 * @see TSIGRecord 12 * 13 * @author Brian Wellington 14 */ 15 16 public class TSIG { 17 18 private static final String HMAC_MD5_STR = "HMAC-MD5.SIG-ALG.REG.INT."; 19 private static final String HMAC_SHA1_STR = "hmac-sha1."; 20 private static final String HMAC_SHA224_STR = "hmac-sha224."; 21 private static final String HMAC_SHA256_STR = "hmac-sha256."; 22 private static final String HMAC_SHA384_STR = "hmac-sha384."; 23 private static final String HMAC_SHA512_STR = "hmac-sha512."; 24 25 /** The domain name representing the HMAC-MD5 algorithm. */ 26 public static final Name HMAC_MD5 = Name.fromConstantString(HMAC_MD5_STR); 27 28 /** The domain name representing the HMAC-MD5 algorithm (deprecated). */ 29 public static final Name HMAC = HMAC_MD5; 30 31 /** The domain name representing the HMAC-SHA1 algorithm. */ 32 public static final Name HMAC_SHA1 = Name.fromConstantString(HMAC_SHA1_STR); 33 34 /** 35 * The domain name representing the HMAC-SHA224 algorithm. 36 * Note that SHA224 is not supported by Java out-of-the-box, this requires use 37 * of a third party provider like BouncyCastle.org. 38 */ 39 public static final Name HMAC_SHA224 = Name.fromConstantString(HMAC_SHA224_STR); 40 41 /** The domain name representing the HMAC-SHA256 algorithm. */ 42 public static final Name HMAC_SHA256 = Name.fromConstantString(HMAC_SHA256_STR); 43 44 /** The domain name representing the HMAC-SHA384 algorithm. */ 45 public static final Name HMAC_SHA384 = Name.fromConstantString(HMAC_SHA384_STR); 46 47 /** The domain name representing the HMAC-SHA512 algorithm. */ 48 public static final Name HMAC_SHA512 = Name.fromConstantString(HMAC_SHA512_STR); 49 50 /** 51 * The default fudge value for outgoing packets. Can be overriden by the 52 * tsigfudge option. 53 */ 54 public static final short FUDGE = 300; 55 56 private Name name, alg; 57 private String digest; 58 private int digestBlockLength; 59 private byte [] key; 60 61 private void 62 getDigest() { 63 if (alg.equals(HMAC_MD5)) { 64 digest = "md5"; 65 digestBlockLength = 64; 66 } else if (alg.equals(HMAC_SHA1)) { 67 digest = "sha-1"; 68 digestBlockLength = 64; 69 } else if (alg.equals(HMAC_SHA224)) { 70 digest = "sha-224"; 71 digestBlockLength = 64; 72 } else if (alg.equals(HMAC_SHA256)) { 73 digest = "sha-256"; 74 digestBlockLength = 64; 75 } else if (alg.equals(HMAC_SHA512)) { 76 digest = "sha-512"; 77 digestBlockLength = 128; 78 } else if (alg.equals(HMAC_SHA384)) { 79 digest = "sha-384"; 80 digestBlockLength = 128; 81 } else 82 throw new IllegalArgumentException("Invalid algorithm"); 83 } 84 85 /** 86 * Creates a new TSIG key, which can be used to sign or verify a message. 87 * @param algorithm The algorithm of the shared key. 88 * @param name The name of the shared key. 89 * @param key The shared key's data. 90 */ 91 public 92 TSIG(Name algorithm, Name name, byte [] key) { 93 this.name = name; 94 this.alg = algorithm; 95 this.key = key; 96 getDigest(); 97 } 98 99 /** 100 * Creates a new TSIG key with the hmac-md5 algorithm, which can be used to 101 * sign or verify a message. 102 * @param name The name of the shared key. 103 * @param key The shared key's data. 104 */ 105 public 106 TSIG(Name name, byte [] key) { 107 this(HMAC_MD5, name, key); 108 } 109 110 /** 111 * Creates a new TSIG object, which can be used to sign or verify a message. 112 * @param name The name of the shared key. 113 * @param key The shared key's data represented as a base64 encoded string. 114 * @throws IllegalArgumentException The key name is an invalid name 115 * @throws IllegalArgumentException The key data is improperly encoded 116 */ 117 public 118 TSIG(Name algorithm, String name, String key) { 119 this.key = base64.fromString(key); 120 if (this.key == null) 121 throw new IllegalArgumentException("Invalid TSIG key string"); 122 try { 123 this.name = Name.fromString(name, Name.root); 124 } 125 catch (TextParseException e) { 126 throw new IllegalArgumentException("Invalid TSIG key name"); 127 } 128 this.alg = algorithm; 129 getDigest(); 130 } 131 132 /** 133 * Creates a new TSIG object, which can be used to sign or verify a message. 134 * @param name The name of the shared key. 135 * @param algorithm The algorithm of the shared key. The legal values are 136 * "hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", and 137 * "hmac-sha512". 138 * @param key The shared key's data represented as a base64 encoded string. 139 * @throws IllegalArgumentException The key name is an invalid name 140 * @throws IllegalArgumentException The key data is improperly encoded 141 */ 142 public 143 TSIG(String algorithm, String name, String key) { 144 this(HMAC_MD5, name, key); 145 if (algorithm.equalsIgnoreCase("hmac-md5")) 146 this.alg = HMAC_MD5; 147 else if (algorithm.equalsIgnoreCase("hmac-sha1")) 148 this.alg = HMAC_SHA1; 149 else if (algorithm.equalsIgnoreCase("hmac-sha224")) 150 this.alg = HMAC_SHA224; 151 else if (algorithm.equalsIgnoreCase("hmac-sha256")) 152 this.alg = HMAC_SHA256; 153 else if (algorithm.equalsIgnoreCase("hmac-sha384")) 154 this.alg = HMAC_SHA384; 155 else if (algorithm.equalsIgnoreCase("hmac-sha512")) 156 this.alg = HMAC_SHA512; 157 else 158 throw new IllegalArgumentException("Invalid TSIG algorithm"); 159 getDigest(); 160 } 161 162 /** 163 * Creates a new TSIG object with the hmac-md5 algorithm, which can be used to 164 * sign or verify a message. 165 * @param name The name of the shared key 166 * @param key The shared key's data, represented as a base64 encoded string. 167 * @throws IllegalArgumentException The key name is an invalid name 168 * @throws IllegalArgumentException The key data is improperly encoded 169 */ 170 public 171 TSIG(String name, String key) { 172 this(HMAC_MD5, name, key); 173 } 174 175 /** 176 * Creates a new TSIG object, which can be used to sign or verify a message. 177 * @param str The TSIG key, in the form name:secret, name/secret, 178 * alg:name:secret, or alg/name/secret. If an algorithm is specified, it must 179 * be "hmac-md5", "hmac-sha1", or "hmac-sha256". 180 * @throws IllegalArgumentException The string does not contain both a name 181 * and secret. 182 * @throws IllegalArgumentException The key name is an invalid name 183 * @throws IllegalArgumentException The key data is improperly encoded 184 */ 185 static public TSIG 186 fromString(String str) { 187 String [] parts = str.split("[:/]", 3); 188 if (parts.length < 2) 189 throw new IllegalArgumentException("Invalid TSIG key " + 190 "specification"); 191 if (parts.length == 3) { 192 try { 193 return new TSIG(parts[0], parts[1], parts[2]); 194 } catch (IllegalArgumentException e) { 195 parts = str.split("[:/]", 2); 196 } 197 } 198 return new TSIG(HMAC_MD5, parts[0], parts[1]); 199 } 200 201 /** 202 * Generates a TSIG record with a specific error for a message that has 203 * been rendered. 204 * @param m The message 205 * @param b The rendered message 206 * @param error The error 207 * @param old If this message is a response, the TSIG from the request 208 * @return The TSIG record to be added to the message 209 */ 210 public TSIGRecord 211 generate(Message m, byte [] b, int error, TSIGRecord old) { 212 Date timeSigned; 213 if (error != Rcode.BADTIME) 214 timeSigned = new Date(); 215 else 216 timeSigned = old.getTimeSigned(); 217 int fudge; 218 HMAC hmac = null; 219 if (error == Rcode.NOERROR || error == Rcode.BADTIME) 220 hmac = new HMAC(digest, digestBlockLength, key); 221 222 fudge = Options.intValue("tsigfudge"); 223 if (fudge < 0 || fudge > 0x7FFF) 224 fudge = FUDGE; 225 226 if (old != null) { 227 DNSOutput out = new DNSOutput(); 228 out.writeU16(old.getSignature().length); 229 if (hmac != null) { 230 hmac.update(out.toByteArray()); 231 hmac.update(old.getSignature()); 232 } 233 } 234 235 /* Digest the message */ 236 if (hmac != null) 237 hmac.update(b); 238 239 DNSOutput out = new DNSOutput(); 240 name.toWireCanonical(out); 241 out.writeU16(DClass.ANY); /* class */ 242 out.writeU32(0); /* ttl */ 243 alg.toWireCanonical(out); 244 long time = timeSigned.getTime() / 1000; 245 int timeHigh = (int) (time >> 32); 246 long timeLow = (time & 0xFFFFFFFFL); 247 out.writeU16(timeHigh); 248 out.writeU32(timeLow); 249 out.writeU16(fudge); 250 251 out.writeU16(error); 252 out.writeU16(0); /* No other data */ 253 254 if (hmac != null) 255 hmac.update(out.toByteArray()); 256 257 byte [] signature; 258 if (hmac != null) 259 signature = hmac.sign(); 260 else 261 signature = new byte[0]; 262 263 byte [] other = null; 264 if (error == Rcode.BADTIME) { 265 out = new DNSOutput(); 266 time = new Date().getTime() / 1000; 267 timeHigh = (int) (time >> 32); 268 timeLow = (time & 0xFFFFFFFFL); 269 out.writeU16(timeHigh); 270 out.writeU32(timeLow); 271 other = out.toByteArray(); 272 } 273 274 return (new TSIGRecord(name, DClass.ANY, 0, alg, timeSigned, fudge, 275 signature, m.getHeader().getID(), error, other)); 276 } 277 278 /** 279 * Generates a TSIG record with a specific error for a message and adds it 280 * to the message. 281 * @param m The message 282 * @param error The error 283 * @param old If this message is a response, the TSIG from the request 284 */ 285 public void 286 apply(Message m, int error, TSIGRecord old) { 287 Record r = generate(m, m.toWire(), error, old); 288 m.addRecord(r, Section.ADDITIONAL); 289 m.tsigState = Message.TSIG_SIGNED; 290 } 291 292 /** 293 * Generates a TSIG record for a message and adds it to the message 294 * @param m The message 295 * @param old If this message is a response, the TSIG from the request 296 */ 297 public void 298 apply(Message m, TSIGRecord old) { 299 apply(m, Rcode.NOERROR, old); 300 } 301 302 /** 303 * Generates a TSIG record for a message and adds it to the message 304 * @param m The message 305 * @param old If this message is a response, the TSIG from the request 306 */ 307 public void 308 applyStream(Message m, TSIGRecord old, boolean first) { 309 if (first) { 310 apply(m, old); 311 return; 312 } 313 Date timeSigned = new Date(); 314 int fudge; 315 HMAC hmac = new HMAC(digest, digestBlockLength, key); 316 317 fudge = Options.intValue("tsigfudge"); 318 if (fudge < 0 || fudge > 0x7FFF) 319 fudge = FUDGE; 320 321 DNSOutput out = new DNSOutput(); 322 out.writeU16(old.getSignature().length); 323 hmac.update(out.toByteArray()); 324 hmac.update(old.getSignature()); 325 326 /* Digest the message */ 327 hmac.update(m.toWire()); 328 329 out = new DNSOutput(); 330 long time = timeSigned.getTime() / 1000; 331 int timeHigh = (int) (time >> 32); 332 long timeLow = (time & 0xFFFFFFFFL); 333 out.writeU16(timeHigh); 334 out.writeU32(timeLow); 335 out.writeU16(fudge); 336 337 hmac.update(out.toByteArray()); 338 339 byte [] signature = hmac.sign(); 340 byte [] other = null; 341 342 Record r = new TSIGRecord(name, DClass.ANY, 0, alg, timeSigned, fudge, 343 signature, m.getHeader().getID(), 344 Rcode.NOERROR, other); 345 m.addRecord(r, Section.ADDITIONAL); 346 m.tsigState = Message.TSIG_SIGNED; 347 } 348 349 /** 350 * Verifies a TSIG record on an incoming message. Since this is only called 351 * in the context where a TSIG is expected to be present, it is an error 352 * if one is not present. After calling this routine, Message.isVerified() may 353 * be called on this message. 354 * @param m The message 355 * @param b An array containing the message in unparsed form. This is 356 * necessary since TSIG signs the message in wire format, and we can't 357 * recreate the exact wire format (with the same name compression). 358 * @param length The length of the message in the array. 359 * @param old If this message is a response, the TSIG from the request 360 * @return The result of the verification (as an Rcode) 361 * @see Rcode 362 */ 363 public byte 364 verify(Message m, byte [] b, int length, TSIGRecord old) { 365 m.tsigState = Message.TSIG_FAILED; 366 TSIGRecord tsig = m.getTSIG(); 367 HMAC hmac = new HMAC(digest, digestBlockLength, key); 368 if (tsig == null) 369 return Rcode.FORMERR; 370 371 if (!tsig.getName().equals(name) || !tsig.getAlgorithm().equals(alg)) { 372 if (Options.check("verbose")) 373 System.err.println("BADKEY failure"); 374 return Rcode.BADKEY; 375 } 376 long now = System.currentTimeMillis(); 377 long then = tsig.getTimeSigned().getTime(); 378 long fudge = tsig.getFudge(); 379 if (Math.abs(now - then) > fudge * 1000) { 380 if (Options.check("verbose")) 381 System.err.println("BADTIME failure"); 382 return Rcode.BADTIME; 383 } 384 385 if (old != null && tsig.getError() != Rcode.BADKEY && 386 tsig.getError() != Rcode.BADSIG) 387 { 388 DNSOutput out = new DNSOutput(); 389 out.writeU16(old.getSignature().length); 390 hmac.update(out.toByteArray()); 391 hmac.update(old.getSignature()); 392 } 393 m.getHeader().decCount(Section.ADDITIONAL); 394 byte [] header = m.getHeader().toWire(); 395 m.getHeader().incCount(Section.ADDITIONAL); 396 hmac.update(header); 397 398 int len = m.tsigstart - header.length; 399 hmac.update(b, header.length, len); 400 401 DNSOutput out = new DNSOutput(); 402 tsig.getName().toWireCanonical(out); 403 out.writeU16(tsig.dclass); 404 out.writeU32(tsig.ttl); 405 tsig.getAlgorithm().toWireCanonical(out); 406 long time = tsig.getTimeSigned().getTime() / 1000; 407 int timeHigh = (int) (time >> 32); 408 long timeLow = (time & 0xFFFFFFFFL); 409 out.writeU16(timeHigh); 410 out.writeU32(timeLow); 411 out.writeU16(tsig.getFudge()); 412 out.writeU16(tsig.getError()); 413 if (tsig.getOther() != null) { 414 out.writeU16(tsig.getOther().length); 415 out.writeByteArray(tsig.getOther()); 416 } else { 417 out.writeU16(0); 418 } 419 420 hmac.update(out.toByteArray()); 421 422 byte [] signature = tsig.getSignature(); 423 int digestLength = hmac.digestLength(); 424 int minDigestLength = digest.equals("md5") ? 10 : digestLength / 2; 425 426 if (signature.length > digestLength) { 427 if (Options.check("verbose")) 428 System.err.println("BADSIG: signature too long"); 429 return Rcode.BADSIG; 430 } else if (signature.length < minDigestLength) { 431 if (Options.check("verbose")) 432 System.err.println("BADSIG: signature too short"); 433 return Rcode.BADSIG; 434 } else if (!hmac.verify(signature, true)) { 435 if (Options.check("verbose")) 436 System.err.println("BADSIG: signature verification"); 437 return Rcode.BADSIG; 438 } 439 440 m.tsigState = Message.TSIG_VERIFIED; 441 return Rcode.NOERROR; 442 } 443 444 /** 445 * Verifies a TSIG record on an incoming message. Since this is only called 446 * in the context where a TSIG is expected to be present, it is an error 447 * if one is not present. After calling this routine, Message.isVerified() may 448 * be called on this message. 449 * @param m The message 450 * @param b The message in unparsed form. This is necessary since TSIG 451 * signs the message in wire format, and we can't recreate the exact wire 452 * format (with the same name compression). 453 * @param old If this message is a response, the TSIG from the request 454 * @return The result of the verification (as an Rcode) 455 * @see Rcode 456 */ 457 public int 458 verify(Message m, byte [] b, TSIGRecord old) { 459 return verify(m, b, b.length, old); 460 } 461 462 /** 463 * Returns the maximum length of a TSIG record generated by this key. 464 * @see TSIGRecord 465 */ 466 public int 467 recordLength() { 468 return (name.length() + 10 + 469 alg.length() + 470 8 + // time signed, fudge 471 18 + // 2 byte MAC length, 16 byte MAC 472 4 + // original id, error 473 8); // 2 byte error length, 6 byte max error field. 474 } 475 476 public static class StreamVerifier { 477 /** 478 * A helper class for verifying multiple message responses. 479 */ 480 481 private TSIG key; 482 private HMAC verifier; 483 private int nresponses; 484 private int lastsigned; 485 private TSIGRecord lastTSIG; 486 487 /** Creates an object to verify a multiple message response */ 488 public 489 StreamVerifier(TSIG tsig, TSIGRecord old) { 490 key = tsig; 491 verifier = new HMAC(key.digest, key.digestBlockLength, key.key); 492 nresponses = 0; 493 lastTSIG = old; 494 } 495 496 /** 497 * Verifies a TSIG record on an incoming message that is part of a 498 * multiple message response. 499 * TSIG records must be present on the first and last messages, and 500 * at least every 100 records in between. 501 * After calling this routine, Message.isVerified() may be called on 502 * this message. 503 * @param m The message 504 * @param b The message in unparsed form 505 * @return The result of the verification (as an Rcode) 506 * @see Rcode 507 */ 508 public int 509 verify(Message m, byte [] b) { 510 TSIGRecord tsig = m.getTSIG(); 511 512 nresponses++; 513 514 if (nresponses == 1) { 515 int result = key.verify(m, b, lastTSIG); 516 if (result == Rcode.NOERROR) { 517 byte [] signature = tsig.getSignature(); 518 DNSOutput out = new DNSOutput(); 519 out.writeU16(signature.length); 520 verifier.update(out.toByteArray()); 521 verifier.update(signature); 522 } 523 lastTSIG = tsig; 524 return result; 525 } 526 527 if (tsig != null) 528 m.getHeader().decCount(Section.ADDITIONAL); 529 byte [] header = m.getHeader().toWire(); 530 if (tsig != null) 531 m.getHeader().incCount(Section.ADDITIONAL); 532 verifier.update(header); 533 534 int len; 535 if (tsig == null) 536 len = b.length - header.length; 537 else 538 len = m.tsigstart - header.length; 539 verifier.update(b, header.length, len); 540 541 if (tsig != null) { 542 lastsigned = nresponses; 543 lastTSIG = tsig; 544 } 545 else { 546 boolean required = (nresponses - lastsigned >= 100); 547 if (required) { 548 m.tsigState = Message.TSIG_FAILED; 549 return Rcode.FORMERR; 550 } else { 551 m.tsigState = Message.TSIG_INTERMEDIATE; 552 return Rcode.NOERROR; 553 } 554 } 555 556 if (!tsig.getName().equals(key.name) || 557 !tsig.getAlgorithm().equals(key.alg)) 558 { 559 if (Options.check("verbose")) 560 System.err.println("BADKEY failure"); 561 m.tsigState = Message.TSIG_FAILED; 562 return Rcode.BADKEY; 563 } 564 565 DNSOutput out = new DNSOutput(); 566 long time = tsig.getTimeSigned().getTime() / 1000; 567 int timeHigh = (int) (time >> 32); 568 long timeLow = (time & 0xFFFFFFFFL); 569 out.writeU16(timeHigh); 570 out.writeU32(timeLow); 571 out.writeU16(tsig.getFudge()); 572 verifier.update(out.toByteArray()); 573 574 if (verifier.verify(tsig.getSignature()) == false) { 575 if (Options.check("verbose")) 576 System.err.println("BADSIG failure"); 577 m.tsigState = Message.TSIG_FAILED; 578 return Rcode.BADSIG; 579 } 580 581 verifier.clear(); 582 out = new DNSOutput(); 583 out.writeU16(tsig.getSignature().length); 584 verifier.update(out.toByteArray()); 585 verifier.update(tsig.getSignature()); 586 587 m.tsigState = Message.TSIG_VERIFIED; 588 return Rcode.NOERROR; 589 } 590 } 591 592 } 593
