1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
|
#!/usr/bin/perl
# $Id: 05-TSIG.t 1980 2024-06-02 10:16:33Z willem $ -*-perl-*-
#
use strict;
use warnings;
use Test::More;
use TestToolkit;
use Net::DNS;
my @prerequisite = qw(
Digest::HMAC
Digest::MD5
Digest::SHA
MIME::Base64
);
foreach my $package (@prerequisite) {
next if eval "require $package"; ## no critic
plan skip_all => "$package not installed";
exit;
}
plan tests => 63;
sub mysign {
my ( $key, $data ) = @_;
my $hmac = Digest::HMAC->new( $key, 'Digest::MD5' );
$hmac->add($data);
return $hmac->digest;
}
my $name = '123456789-test';
my $type = 'TSIG';
my $code = 250;
my @attr = qw( algorithm time_signed fudge sig_function );
my @data = ( qw( fake.alg 100001 600 ), \&mysign );
my @also = qw( mac prior_mac request_mac error sign_func other_data _size );
my $wire = '0466616b6503616c67000000000186a102580010a5d31d3ce3b7122b4a598c225d9c3f2a04d200000000';
my $typecode = unpack 'xn', Net::DNS::RR->new( type => $type )->encode;
is( $typecode, $code, "$type RR type code = $code" );
my $hash = {keybin => pack( 'H*', '66616b65206b6579' )};
@{$hash}{@attr} = @data;
for my $rr ( Net::DNS::RR->new( name => $name, type => $type, %$hash ) ) {
my $string = $rr->string;
like( $rr->string, "/$$hash{algorithm}/", 'got expected rr->string' );
foreach (@attr) {
is( $rr->$_, $hash->{$_}, "expected result from rr->$_()" );
}
foreach (@also) {
ok( defined $rr->$_, "additional attribute rr->$_()" );
}
my $packet = Net::DNS::Packet->new( $name, 'TKEY', 'IN' );
$packet->header->id(1234); # fix packet id
$packet->header->rd(1);
my $buffer;
my $encoded = $buffer = $rr->encode( 0, {}, $packet );
my $decoded = Net::DNS::RR->decode( \$buffer );
my $hex1 = unpack 'H*', $encoded;
my $hex2 = unpack 'H*', $decoded->encode;
my $hex3 = unpack 'H*', $rr->rdata;
is( $hex2, $hex1, 'encode/decode transparent' );
is( $hex3, $wire, 'encoded RDATA matches example' );
my $wireformat = pack 'a* x', $encoded;
exception( "misplaced $type RR", sub { Net::DNS::RR->decode( \$wireformat ) } );
}
for my $rr ( Net::DNS::RR->new( type => 'TSIG', key => '' ) ) {
ok( !$rr->verify(), 'verify() fails on empty TSIG' );
ok( $rr->vrfyerrstr(), 'vrfyerrstr() reports failure' );
ok( !$rr->other(), 'other() undefined' );
ok( $rr->time_signed(), 'time_signed() defined' );
exception( "TSIG key write-only", sub { $rr->key() } );
}
foreach my $method (qw(mac request_mac prior_mac)) {
my $mac = 'kpRyejY4uxwT9I74FYv8nQ==';
my $rr = Net::DNS::RR->new( type => 'TSIG', $method => $mac );
is( $rr->$method(), $mac, "correct $method" );
}
for my $tsig ( Net::DNS::RR->new( type => 'TSIG', fudge => 300 ) ) {
my $function = $tsig->sig_function; # default signing function
my $algorithm = $tsig->algorithm; # default algorithm
my $expected = 'HMAC-MD5.SIG-ALG.REG.INT';
is( $algorithm, $expected, 'Check algorithm correctly identified' );
# Check default signing function using test cases from RFC2202, section 2.
{
my $data = pack 'H*', '4869205468657265';
my $key = "\x0b" x 16;
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = '9294727a3638bb1c13f48ef8158bfc9d';
is( $result, $expect, "Check signing function for $algorithm" );
}
{
my $data = pack 'H*', '7768617420646f2079612077616e7420666f72206e6f7468696e673f';
my $key = pack 'H*', '4a656665';
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = '750c783e6ab0b503eaa86e310a5db738';
is( $result, $expect, "Check $algorithm with key shorter than hash size" );
}
{
my $data = "\xdd" x 50;
my $key = "\xaa" x 16;
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = '56be34521d144c88dbb8c733f0e8b3f6';
is( $result, $expect, "Check $algorithm with data longer than hash size" );
}
{
my $data = "\xcd" x 50;
my $key = pack 'H*', '0102030405060708090a0b0c0d0e0f10111213141516171819';
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = '697eaf0aca3a3aea3a75164746ffaa79';
is( $result, $expect, "Check $algorithm with key and data longer than hash" );
}
{
my $data = pack 'H*', join '', qw(
54657374205573696e67204c61726765
72205468616e20426c6f636b2d53697a
65204b6579202d2048617368204b6579
204669727374 );
my $key = "\xaa" x 80;
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = '6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd';
is( $result, $expect, "Check $algorithm with key longer than block size" );
}
{
my $data = pack 'H*', join '', qw(
54657374205573696e67204c61726765
72205468616e20426c6f636b2d53697a
65204b657920616e64204c6172676572
205468616e204f6e6520426c6f636b2d
53697a652044617461 );
my $key = "\xaa" x 80;
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = '6f630fad67cda0ee1fb1f562db3aa53e';
is( $result, $expect, "Check $algorithm with both long key and long data" );
}
}
for my $tsig ( Net::DNS::RR->new( type => 'TSIG', algorithm => 'HMAC-SHA' ) ) { # alias HMAC-SHA1
my $algorithm = $tsig->algorithm;
my $function = $tsig->sig_function;
is( $algorithm, 'HMAC-SHA1', 'Check algorithm correctly identified' );
# Check HMAC-SHA1 signing function using test cases from RFC2202, section 3.
{
my $data = pack 'H*', '4869205468657265';
my $key = "\x0b" x 20;
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = 'b617318655057264e28bc0b6fb378c8ef146be00';
is( $result, $expect, "Check signing function for $algorithm" );
}
{
my $data = pack 'H*', '7768617420646f2079612077616e7420666f72206e6f7468696e673f';
my $key = pack 'H*', '4a656665';
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = 'effcdf6ae5eb2fa2d27416d5f184df9c259a7c79';
is( $result, $expect, "Check $algorithm with key shorter than hash size" );
}
{
my $data = "\xdd" x 50;
my $key = "\xaa" x 20;
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = '125d7342b9ac11cd91a39af48aa17b4f63f175d3';
is( $result, $expect, "Check $algorithm with data longer than hash size" );
}
{
my $data = "\xcd" x 50;
my $key = pack 'H*', '0102030405060708090a0b0c0d0e0f10111213141516171819';
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = '4c9007f4026250c6bc8414f9bf50c86c2d7235da';
is( $result, $expect, "Check $algorithm with key and data longer than hash" );
}
{
my $data = pack 'H*', join '', qw(
54657374205573696e67204c61726765
72205468616e20426c6f636b2d53697a
65204b6579202d2048617368204b6579
204669727374 );
my $key = "\xaa" x 80;
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = 'aa4ae5e15272d00e95705637ce8a3b55ed402112';
is( $result, $expect, "Check $algorithm with key longer than block size" );
}
{
my $data = pack 'H*', join '', qw(
54657374205573696e67204c61726765
72205468616e20426c6f636b2d53697a
65204b657920616e64204c6172676572
205468616e204f6e6520426c6f636b2d
53697a652044617461 );
my $key = "\xaa" x 80;
my $result = lc unpack( 'H*', &$function( $key, $data ) );
my $expect = 'e8e99d0f45237d786d6bbaa7965c7808bbff1a91';
is( $result, $expect, "Check $algorithm with both long key and long data" );
}
}
for my $tsig ( Net::DNS::RR->new( type => 'TSIG', algorithm => 162 ) ) { # alias HMAC-SHA224
my $algorithm = $tsig->algorithm;
my $function = $tsig->sig_function;
is( $algorithm, 'HMAC-SHA224', 'Check algorithm correctly identified' );
# Check HMAC-SHA224 signing function using test cases from RFC4634, section 8.4.
{
my $data = pack 'H*', '4869205468657265';
my $key = "\x0b" x 20;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = '896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22';
is( $result, $expect, "Check signing function for $algorithm" );
}
{
my $data = pack 'H*', '7768617420646f2079612077616e7420666f72206e6f7468696e673f';
my $key = pack 'H*', '4a656665';
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = 'A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44';
is( $result, $expect, "Check $algorithm with key shorter than hash size" );
}
{
my $data = "\xdd" x 50;
my $key = "\xaa" x 20;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = '7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA';
is( $result, $expect, "Check $algorithm with data longer than hash size" );
}
{
my $data = "\xcd" x 50;
my $key = pack 'H*', '0102030405060708090a0b0c0d0e0f10111213141516171819';
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = '6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A';
is( $result, $expect, "Check $algorithm with key and data longer than hash" );
}
{
my $data = pack 'H*', join '', qw(
54657374205573696e67204c61726765
72205468616e20426c6f636b2d53697a
65204b6579202d2048617368204b6579
204669727374 );
my $key = "\xaa" x 131;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = '95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E';
is( $result, $expect, "Check $algorithm with key longer than block size" );
}
{
my $data = pack 'H*', join '', qw(
54686973206973206120746573742075
73696e672061206c6172676572207468
616e20626c6f636b2d73697a65206b65
7920616e642061206c61726765722074
68616e20626c6f636b2d73697a652064
6174612e20546865206b6579206e6565
647320746f2062652068617368656420
6265666f7265206265696e6720757365
642062792074686520484d414320616c
676f726974686d2e );
my $key = "\xaa" x 131;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = '3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1';
is( $result, $expect, "Check $algorithm with both long key and long data" );
}
}
for my $tsig ( Net::DNS::RR->new( type => 'TSIG', algorithm => 'HMAC-SHA256' ) ) {
my $algorithm = $tsig->algorithm;
my $function = $tsig->sig_function;
# Check HMAC-SHA256 signing function using test cases from RFC4634, section 8.4.
{
my $data = pack 'H*', '4869205468657265';
my $key = "\x0b" x 20;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = 'B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32CFF7';
is( $result, $expect, "Check signing function for $algorithm" );
}
{
my $data = pack 'H*', '7768617420646f2079612077616e7420666f72206e6f7468696e673f';
my $key = pack 'H*', '4a656665';
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = '5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC3843';
is( $result, $expect, "Check $algorithm with key shorter than hash size" );
}
{
my $data = "\xdd" x 50;
my $key = "\xaa" x 20;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = '773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED565FE';
is( $result, $expect, "Check $algorithm with data longer than hash size" );
}
{
my $data = "\xcd" x 50;
my $key = pack 'H*', '0102030405060708090a0b0c0d0e0f10111213141516171819';
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = '82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729665B';
is( $result, $expect, "Check $algorithm with key and data longer than hash" );
}
{
my $data = pack 'H*', join '', qw(
54657374205573696e67204c61726765
72205468616e20426c6f636b2d53697a
65204b6579202d2048617368204b6579
204669727374 );
my $key = "\xaa" x 131;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = '60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE37F54';
is( $result, $expect, "Check $algorithm with key longer than block size" );
}
{
my $data = pack 'H*', join '', qw(
54686973206973206120746573742075
73696e672061206c6172676572207468
616e20626c6f636b2d73697a65206b65
7920616e642061206c61726765722074
68616e20626c6f636b2d73697a652064
6174612e20546865206b6579206e6565
647320746f2062652068617368656420
6265666f7265206265696e6720757365
642062792074686520484d414320616c
676f726974686d2e );
my $key = "\xaa" x 131;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = '9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A35E2';
is( $result, $expect, "Check $algorithm with both long key and long data" );
}
}
for my $tsig ( Net::DNS::RR->new( type => 'TSIG', algorithm => 'HMAC-SHA384' ) ) {
my $algorithm = $tsig->algorithm;
my $function = $tsig->sig_function;
# Check HMAC-SHA384 signing function using test cases from RFC4634, section 8.4.
{
my $data = pack 'H*', '4869205468657265';
my $key = "\x0b" x 20;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
AFD03944D84895626B0825F4AB46907F
15F9DADBE4101EC682AA034C7CEBC59C
FAEA9EA9076EDE7F4AF152E8B2FA9CB6 );
is( $result, $expect, "Check signing function for $algorithm" );
}
{
my $data = pack 'H*', '7768617420646f2079612077616e7420666f72206e6f7468696e673f';
my $key = pack 'H*', '4a656665';
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
AF45D2E376484031617F78D2B58A6B1B
9C7EF464F5A01B47E42EC3736322445E
8E2240CA5E69E2C78B3239ECFAB21649 );
is( $result, $expect, "Check $algorithm with key shorter than hash size" );
}
{
my $data = "\xdd" x 50;
my $key = "\xaa" x 20;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
88062608D3E6AD8A0AA2ACE014C8A86F
0AA635D947AC9FEBE83EF4E55966144B
2A5AB39DC13814B94E3AB6E101A34F27 );
is( $result, $expect, "Check $algorithm with data longer than hash size" );
}
{
my $data = "\xcd" x 50;
my $key = pack 'H*', '0102030405060708090a0b0c0d0e0f10111213141516171819';
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
3E8A69B7783C25851933AB6290AF6CA7
7A9981480850009CC5577C6E1F573B4E
6801DD23C4A7D679CCF8A386C674CFFB );
is( $result, $expect, "Check $algorithm with key and data longer than hash" );
}
{
my $data = pack 'H*', join '', qw(
54657374205573696e67204c61726765
72205468616e20426c6f636b2d53697a
65204b6579202d2048617368204b6579
204669727374 );
my $key = "\xaa" x 131;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
4ECE084485813E9088D2C63A041BC5B4
4F9EF1012A2B588F3CD11F05033AC4C6
0C2EF6AB4030FE8296248DF163F44952 );
is( $result, $expect, "Check $algorithm with key longer than block size" );
}
{
my $data = pack 'H*', join '', qw(
54686973206973206120746573742075
73696e672061206c6172676572207468
616e20626c6f636b2d73697a65206b65
7920616e642061206c61726765722074
68616e20626c6f636b2d73697a652064
6174612e20546865206b6579206e6565
647320746f2062652068617368656420
6265666f7265206265696e6720757365
642062792074686520484d414320616c
676f726974686d2e );
my $key = "\xaa" x 131;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
6617178E941F020D351E2F254E8FD32C
602420FEB0B8FB9ADCCEBB82461E99C5
A678CC31E799176D3860E6110C46523E );
is( $result, $expect, "Check $algorithm with both long key and long data" );
}
}
for my $tsig ( Net::DNS::RR->new( type => 'TSIG', algorithm => 'HMAC-SHA512' ) ) {
my $algorithm = $tsig->algorithm;
my $function = $tsig->sig_function;
# Check HMAC-SHA512 signing function using test cases from RFC4634, section 8.4.
{
my $data = pack 'H*', '4869205468657265';
my $key = "\x0b" x 20;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
87AA7CDEA5EF619D4FF0B4241A1D6CB0
2379F4E2CE4EC2787AD0B30545E17CDE
DAA833B7D6B8A702038B274EAEA3F4E4
BE9D914EEB61F1702E696C203A126854 );
is( $result, $expect, "Check signing function for $algorithm" );
}
{
my $data = pack 'H*', '7768617420646f2079612077616e7420666f72206e6f7468696e673f';
my $key = pack 'H*', '4a656665';
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
164B7A7BFCF819E2E395FBE73B56E0A3
87BD64222E831FD610270CD7EA250554
9758BF75C05A994A6D034F65F8F0E6FD
CAEAB1A34D4A6B4B636E070A38BCE737 );
is( $result, $expect, "Check $algorithm with key shorter than hash size" );
}
{
my $data = "\xdd" x 50;
my $key = "\xaa" x 20;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
FA73B0089D56A284EFB0F0756C890BE9
B1B5DBDD8EE81A3655F83E33B2279D39
BF3E848279A722C806B485A47E67C807
B946A337BEE8942674278859E13292FB );
is( $result, $expect, "Check $algorithm with data longer than hash size" );
}
{
my $data = "\xcd" x 50;
my $key = pack 'H*', '0102030405060708090a0b0c0d0e0f10111213141516171819';
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
B0BA465637458C6990E5A8C5F61D4AF7
E576D97FF94B872DE76F8050361EE3DB
A91CA5C11AA25EB4D679275CC5788063
A5F19741120C4F2DE2ADEBEB10A298DD );
is( $result, $expect, "Check $algorithm with key and data longer than hash" );
}
{
my $data = pack 'H*', join '', qw(
54657374205573696e67204c61726765
72205468616e20426c6f636b2d53697a
65204b6579202d2048617368204b6579
204669727374 );
my $key = "\xaa" x 131;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
80B24263C7C1A3EBB71493C1DD7BE8B4
9B46D1F41B4AEEC1121B013783F8F352
6B56D037E05F2598BD0FD2215D6A1E52
95E64F73F63F0AEC8B915A985D786598 );
is( $result, $expect, "Check $algorithm with key longer than block size" );
}
{
my $data = pack 'H*', join '', qw(
54686973206973206120746573742075
73696e672061206c6172676572207468
616e20626c6f636b2d73697a65206b65
7920616e642061206c61726765722074
68616e20626c6f636b2d73697a652064
6174612e20546865206b6579206e6565
647320746f2062652068617368656420
6265666f7265206265696e6720757365
642062792074686520484d414320616c
676f726974686d2e );
my $key = "\xaa" x 131;
my $result = uc unpack( 'H*', &$function( $key, $data ) );
my $expect = join '', qw(
E37B6A775DC87DBAA4DFA9F96E5E3FFD
DEBD71F8867289865DF5A32D20CDC944
B6022CAC3C4982B10D5EEB55C3E4DE15
134676FB6DE0446065C97440FA8C6A58 );
is( $result, $expect, "Check $algorithm with both long key and long data" );
}
}
exit;
|
