Skip to content

Fix handling of multi-message TSIG responses #303

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ibauersachs merged 6 commits into from
Nov 4, 2023
+647 −97
Merged

Fix handling of multi-message TSIG responses #303

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
36a0c7f
Fix handling of multi-message TSIG responses
ibauersachs Oct 29, 2023
781ebd9
Fix order of signature in TSIG mac
ibauersachs Oct 30, 2023
a9ed360
Verify that the last message is signed as required
ibauersachs Nov 2, 2023
14f083d
Add tests based on data from an actual transfer
ibauersachs Nov 4, 2023
b3eff09
Treat tcp dumps as binary, extend Javadoc
ibauersachs Nov 4, 2023
1f28212
Fix test assertions and reduce method complexity
ibauersachs Nov 4, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Fix order of signature in TSIG mac 
Co-authored-by: Frank Hill <frank@arin.net>
  • Loading branch information
@ibauersachs @frankarinnet
ibauersachs and frankarinnet committed Oct 30, 2023
commit 781ebd956703a7bf2545812de1ab4c426ef8001f
26 changes: 12 additions & 14 deletions src/main/java/org/xbill/DNS/TSIG.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -765,31 +765,29 @@ private static void writeTsigTime(Instant instant, DNSOutput out) {
/** A helper class for generating signed message responses. */
public static class StreamGenerator {
private final TSIG key;

private final Mac sharedHmac;

private final int signEveryNthMessage;

private int numGenerated;
private TSIGRecord lastTsigRecord;

public StreamGenerator(TSIG key, TSIGRecord lastTsigRecord) {
public StreamGenerator(TSIG key, TSIGRecord queryTsig) {
// https://www.rfc-editor.org/rfc/rfc8945.html#section-5.3.1
// The TSIG MUST be included on all DNS messages in the response.
this(key, lastTsigRecord, 1);
this(key, queryTsig, 1);
}

/**
* This constructor is <b>only</b> for unit-testing {@link StreamVerifier} with responses where
* not every message is signed.
*/
StreamGenerator(TSIG key, TSIGRecord lastTsigRecord, int signEveryNthMessage) {
StreamGenerator(TSIG key, TSIGRecord queryTsig, int signEveryNthMessage) {
if (signEveryNthMessage < 1 || signEveryNthMessage > 100) {
throw new IllegalArgumentException("signEveryNthMessage must be between 1 and 100");
}

this.key = key;
this.lastTsigRecord = lastTsigRecord;
this.lastTsigRecord = queryTsig;
this.signEveryNthMessage = signEveryNthMessage;
sharedHmac = this.key.initHmac();
}
Expand All @@ -803,12 +801,13 @@ public void generate(Message message, boolean isLastMessage) {
message,
message.toWire(),
Rcode.NOERROR,
lastTsigRecord,
isFirstMessage ? lastTsigRecord : null,
isFirstMessage,
sharedHmac);
message.addRecord(r, Section.ADDITIONAL);
message.tsigState = Message.TSIG_SIGNED;
lastTsigRecord = r;
hmacAddSignature(sharedHmac, r);
} else {
byte[] responseBytes = message.toWire(Message.MAXLENGTH);
sharedHmac.update(responseBytes);
Expand All @@ -821,19 +820,18 @@ public void generate(Message message, boolean isLastMessage) {
/** A helper class for verifying multiple message responses. */
public static class StreamVerifier {
private final TSIG key;

private final Mac sharedHmac;
private final TSIGRecord queryTsig;

private int nresponses;
private int lastsigned;
private TSIGRecord lastTSIG;

/** Creates an object to verify a multiple message response */
public StreamVerifier(TSIG tsig, TSIGRecord queryTsig) {
key = tsig;
sharedHmac = key.initHmac();
nresponses = 0;
lastTSIG = queryTsig;
this.queryTsig = queryTsig;
}

/**
Expand All @@ -851,16 +849,16 @@ public int verify(Message m, byte[] b) {

nresponses++;
if (nresponses == 1) {
int result = key.verify(m, b, lastTSIG, true, sharedHmac);
lastTSIG = tsig;
int result = key.verify(m, b, queryTsig, true, sharedHmac);
hmacAddSignature(sharedHmac, tsig);
lastsigned = nresponses;
return result;
}

if (tsig != null) {
int result = key.verify(m, b, lastTSIG, false, sharedHmac);
int result = key.verify(m, b, null, false, sharedHmac);
lastsigned = nresponses;
lastTSIG = tsig;
hmacAddSignature(sharedHmac, tsig);
return result;
} else {
boolean required = nresponses - lastsigned >= 100;
Expand Down