1 # Copyright (C) 2001-2007, 2009-2011 Nominum, Inc.
3 # Permission to use, copy, modify, and distribute this software and its
4 # documentation for any purpose with or without fee is hereby granted,
5 # provided that the above copyright notice and this permission notice
6 # appear in all copies.
8 # THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
9 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
11 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
14 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 """DNS TSIG support."""
27 class BadTime(dns.exception.DNSException):
28 """Raised if the current time is not within the TSIG's validity time."""
31 class BadSignature(dns.exception.DNSException):
32 """Raised if the TSIG signature fails to verify."""
35 class PeerError(dns.exception.DNSException):
36 """Base class for all TSIG errors generated by the remote peer"""
39 class PeerBadKey(PeerError):
40 """Raised if the peer didn't know the key we used"""
43 class PeerBadSignature(PeerError):
44 """Raised if the peer didn't like the signature we sent"""
47 class PeerBadTime(PeerError):
48 """Raised if the peer didn't like the time we sent"""
51 class PeerBadTruncation(PeerError):
52 """Raised if the peer didn't like amount of truncation in the TSIG we sent"""
57 HMAC_MD5 = dns.name.from_text("HMAC-MD5.SIG-ALG.REG.INT")
58 HMAC_SHA1 = dns.name.from_text("hmac-sha1")
59 HMAC_SHA224 = dns.name.from_text("hmac-sha224")
60 HMAC_SHA256 = dns.name.from_text("hmac-sha256")
61 HMAC_SHA384 = dns.name.from_text("hmac-sha384")
62 HMAC_SHA512 = dns.name.from_text("hmac-sha512")
64 default_algorithm = HMAC_MD5
71 def sign(wire, keyname, secret, time, fudge, original_id, error,
72 other_data, request_mac, ctx=None, multi=False, first=True,
73 algorithm=default_algorithm):
74 """Return a (tsig_rdata, mac, ctx) tuple containing the HMAC TSIG rdata
75 for the input parameters, the HMAC MAC calculated by applying the
76 TSIG signature algorithm, and the TSIG digest context.
77 @rtype: (string, string, hmac.HMAC object)
78 @raises ValueError: I{other_data} is too long
79 @raises NotImplementedError: I{algorithm} is not supported
82 (algorithm_name, digestmod) = get_algorithm(algorithm)
84 ctx = hmac.new(secret, digestmod=digestmod)
87 ctx.update(struct.pack('!H', ml))
88 ctx.update(request_mac)
89 id = struct.pack('!H', original_id)
93 ctx.update(keyname.to_digestable())
94 ctx.update(struct.pack('!H', dns.rdataclass.ANY))
95 ctx.update(struct.pack('!I', 0))
97 upper_time = (long_time >> 32) & 0xffffL
98 lower_time = long_time & 0xffffffffL
99 time_mac = struct.pack('!HIH', upper_time, lower_time, fudge)
100 pre_mac = algorithm_name + time_mac
103 raise ValueError('TSIG Other Data is > 65535 bytes')
104 post_mac = struct.pack('!HH', error, ol) + other_data
111 mpack = struct.pack('!H', len(mac))
112 tsig_rdata = pre_mac + mpack + mac + id + post_mac
114 ctx = hmac.new(secret)
116 ctx.update(struct.pack('!H', ml))
120 return (tsig_rdata, mac, ctx)
122 def hmac_md5(wire, keyname, secret, time, fudge, original_id, error,
123 other_data, request_mac, ctx=None, multi=False, first=True,
124 algorithm=default_algorithm):
125 return sign(wire, keyname, secret, time, fudge, original_id, error,
126 other_data, request_mac, ctx, multi, first, algorithm)
128 def validate(wire, keyname, secret, now, request_mac, tsig_start, tsig_rdata,
129 tsig_rdlen, ctx=None, multi=False, first=True):
130 """Validate the specified TSIG rdata against the other input parameters.
132 @raises FormError: The TSIG is badly formed.
133 @raises BadTime: There is too much time skew between the client and the
135 @raises BadSignature: The TSIG signature did not validate
136 @rtype: hmac.HMAC object"""
138 (adcount,) = struct.unpack("!H", wire[10:12])
140 raise dns.exception.FormError
142 new_wire = wire[0:10] + struct.pack("!H", adcount) + wire[12:tsig_start]
144 (aname, used) = dns.name.from_wire(wire, current)
145 current = current + used
146 (upper_time, lower_time, fudge, mac_size) = \
147 struct.unpack("!HIHH", wire[current:current + 10])
148 time = ((upper_time + 0L) << 32) + (lower_time + 0L)
150 mac = wire[current:current + mac_size]
152 (original_id, error, other_size) = \
153 struct.unpack("!HHH", wire[current:current + 6])
155 other_data = wire[current:current + other_size]
156 current += other_size
157 if current != tsig_rdata + tsig_rdlen:
158 raise dns.exception.FormError
161 raise PeerBadSignature
162 elif error == BADKEY:
164 elif error == BADTIME:
166 elif error == BADTRUNC:
167 raise PeerBadTruncation
169 raise PeerError('unknown TSIG error code %d' % error)
170 time_low = time - fudge
171 time_high = time + fudge
172 if now < time_low or now > time_high:
174 (junk, our_mac, ctx) = sign(new_wire, keyname, secret, time, fudge,
175 original_id, error, other_data,
176 request_mac, ctx, multi, first, aname)
183 def _maybe_add_hash(tsig_alg, hash_alg):
185 _hashes[tsig_alg] = dns.hash.get(hash_alg)
192 _maybe_add_hash(HMAC_SHA224, 'SHA224')
193 _maybe_add_hash(HMAC_SHA256, 'SHA256')
194 _maybe_add_hash(HMAC_SHA384, 'SHA384')
195 _maybe_add_hash(HMAC_SHA512, 'SHA512')
196 _maybe_add_hash(HMAC_SHA1, 'SHA1')
197 _maybe_add_hash(HMAC_MD5, 'MD5')
199 def get_algorithm(algorithm):
200 """Returns the wire format string and the hash module to use for the
201 specified TSIG algorithm
203 @rtype: (string, hash constructor)
204 @raises NotImplementedError: I{algorithm} is not supported
211 if isinstance(algorithm, (str, unicode)):
212 algorithm = dns.name.from_text(algorithm)
214 if sys.hexversion < 0x02050200 and \
215 (algorithm == HMAC_SHA384 or algorithm == HMAC_SHA512):
216 raise NotImplementedError("TSIG algorithm " + str(algorithm) +
217 " requires Python 2.5.2 or later")
220 return (algorithm.to_digestable(), _hashes[algorithm])
222 raise NotImplementedError("TSIG algorithm " + str(algorithm) +