2011-01-09 07:51:20 +11:00
|
|
|
package dns
|
|
|
|
|
|
2011-01-18 07:10:48 +11:00
|
|
|
// Implementation of TSIG: generation and validation
|
2011-01-27 01:13:06 +11:00
|
|
|
// RFC 2845 and RFC 4635
|
2011-01-09 08:39:15 +11:00
|
|
|
import (
|
2011-01-18 07:10:48 +11:00
|
|
|
"io"
|
2011-01-09 20:31:23 +11:00
|
|
|
"strconv"
|
2011-01-10 01:54:23 +11:00
|
|
|
"strings"
|
2011-01-18 07:10:48 +11:00
|
|
|
"crypto/hmac"
|
2011-01-10 01:54:23 +11:00
|
|
|
"encoding/hex"
|
2011-01-09 08:39:15 +11:00
|
|
|
)
|
|
|
|
|
|
2011-03-21 06:55:27 +11:00
|
|
|
// Structure used in Read/Write lowlevel functions
|
|
|
|
|
// for TSIG generation and verification.
|
2011-03-21 05:58:55 +11:00
|
|
|
type Tsig struct {
|
|
|
|
|
// The name of the key.
|
|
|
|
|
Name string
|
|
|
|
|
Fudge uint16
|
|
|
|
|
TimeSigned uint64
|
|
|
|
|
Algorithm string
|
|
|
|
|
// Tsig secret encoded in base64.
|
|
|
|
|
Secret string
|
|
|
|
|
// MAC (if known)
|
|
|
|
|
MAC string
|
2011-03-21 06:55:27 +11:00
|
|
|
// Request MAC
|
|
|
|
|
RequestMAC string
|
|
|
|
|
// Include the timers if true
|
|
|
|
|
Timers bool
|
2011-03-21 05:58:55 +11:00
|
|
|
}
|
|
|
|
|
|
2011-01-27 19:29:11 +11:00
|
|
|
// HMAC hashing codes. These are transmitted as domain names.
|
2011-01-09 08:39:15 +11:00
|
|
|
const (
|
2011-03-14 22:28:04 +11:00
|
|
|
HmacMD5 = "hmac-md5.sig-alg.reg.int."
|
|
|
|
|
HmacSHA1 = "hmac-sha1."
|
|
|
|
|
HmacSHA256 = "hmac-sha256."
|
2011-01-09 08:39:15 +11:00
|
|
|
)
|
|
|
|
|
|
2011-01-09 20:31:23 +11:00
|
|
|
type RR_TSIG struct {
|
|
|
|
|
Hdr RR_Header
|
2011-01-10 01:54:23 +11:00
|
|
|
Algorithm string "domain-name"
|
2011-01-10 01:30:45 +11:00
|
|
|
TimeSigned uint64
|
2011-01-09 20:31:23 +11:00
|
|
|
Fudge uint16
|
|
|
|
|
MACSize uint16
|
2011-02-04 06:39:43 +11:00
|
|
|
MAC string "size-hex"
|
2011-01-18 07:10:48 +11:00
|
|
|
OrigId uint16
|
2011-01-09 20:31:23 +11:00
|
|
|
Error uint16
|
|
|
|
|
OtherLen uint16
|
2011-02-04 06:39:43 +11:00
|
|
|
OtherData string "size-hex"
|
2011-01-09 20:31:23 +11:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (rr *RR_TSIG) Header() *RR_Header {
|
|
|
|
|
return &rr.Hdr
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-14 04:18:00 +11:00
|
|
|
func (rr *RR_TSIG) SetDefaults() {
|
2011-03-15 07:16:45 +11:00
|
|
|
rr.Header().Ttl = 0
|
|
|
|
|
rr.Header().Class = ClassANY
|
|
|
|
|
rr.Header().Rrtype = TypeTSIG
|
|
|
|
|
rr.Fudge = 300
|
|
|
|
|
rr.Algorithm = HmacMD5
|
2011-03-14 04:16:35 +11:00
|
|
|
}
|
|
|
|
|
|
2011-01-27 19:29:11 +11:00
|
|
|
// TSIG has no official presentation format, but this will suffice.
|
2011-01-09 20:31:23 +11:00
|
|
|
func (rr *RR_TSIG) String() string {
|
|
|
|
|
return rr.Hdr.String() +
|
2011-01-10 01:30:45 +11:00
|
|
|
" " + rr.Algorithm +
|
2011-01-10 01:54:23 +11:00
|
|
|
" " + tsigTimeToDate(rr.TimeSigned) +
|
2011-01-09 20:31:23 +11:00
|
|
|
" " + strconv.Itoa(int(rr.Fudge)) +
|
2011-03-12 00:24:33 +11:00
|
|
|
" " + strconv.Itoa(int(rr.MACSize)) +
|
2011-03-15 07:16:45 +11:00
|
|
|
" " + strings.ToUpper(rr.MAC) +
|
2011-01-09 20:31:23 +11:00
|
|
|
" " + strconv.Itoa(int(rr.OrigId)) +
|
|
|
|
|
" " + strconv.Itoa(int(rr.Error)) +
|
2011-03-12 00:24:33 +11:00
|
|
|
" " + strconv.Itoa(int(rr.OtherLen)) +
|
2011-01-09 20:31:23 +11:00
|
|
|
" " + rr.OtherData
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-18 07:10:48 +11:00
|
|
|
// The following values must be put in wireformat, so that the MAC can be calculated.
|
|
|
|
|
// RFC 2845, section 3.4.2. TSIG Variables.
|
2011-01-14 21:57:28 +11:00
|
|
|
type tsigWireFmt struct {
|
2011-01-09 07:51:20 +11:00
|
|
|
// From RR_HEADER
|
|
|
|
|
Name string "domain-name"
|
|
|
|
|
Class uint16
|
|
|
|
|
Ttl uint32
|
|
|
|
|
// Rdata of the TSIG
|
2011-01-10 01:54:23 +11:00
|
|
|
Algorithm string "domain-name"
|
2011-01-10 01:30:45 +11:00
|
|
|
TimeSigned uint64
|
2011-01-09 07:51:20 +11:00
|
|
|
Fudge uint16
|
|
|
|
|
// MACSize, MAC and OrigId excluded
|
|
|
|
|
Error uint16
|
|
|
|
|
OtherLen uint16
|
2011-02-04 06:39:43 +11:00
|
|
|
OtherData string "size-hex"
|
2011-01-09 07:51:20 +11:00
|
|
|
}
|
|
|
|
|
|
2011-03-16 05:36:03 +11:00
|
|
|
// If we have the MAC use this type to convert it to wiredata.
|
|
|
|
|
// Section 3.4.3. Request MAC
|
2011-03-14 22:28:04 +11:00
|
|
|
type macWireFmt struct {
|
2011-03-15 07:16:45 +11:00
|
|
|
MACSize uint16
|
|
|
|
|
MAC string "size-hex"
|
2011-03-14 22:28:04 +11:00
|
|
|
}
|
|
|
|
|
|
2011-03-16 05:36:03 +11:00
|
|
|
// 3.3. Time values used in TSIG calculations
|
|
|
|
|
type timerWireFmt struct {
|
|
|
|
|
TimeSigned uint64
|
|
|
|
|
Fudge uint16
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-21 06:55:27 +11:00
|
|
|
// In a message and out a new message with the tsig
|
|
|
|
|
// added
|
|
|
|
|
func (t *Tsig) Generate(msg []byte) ([]byte, bool) {
|
|
|
|
|
rawsecret, err := packBase64([]byte(t.Secret))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
buf, ok := t.Buffer(msg)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
h := hmac.NewMD5([]byte(rawsecret))
|
|
|
|
|
io.WriteString(h, string(buf))
|
|
|
|
|
|
|
|
|
|
t.MAC = hex.EncodeToString(h.Sum()) // Size is half!
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
// okay, create TSIG, add to message
|
|
|
|
|
return nil, true
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-27 19:29:11 +11:00
|
|
|
// Generate the HMAC for message. The TSIG RR is modified
|
2011-01-09 10:11:22 +11:00
|
|
|
// to include the MAC and MACSize. Note the the msg Id must
|
2011-01-27 19:29:11 +11:00
|
|
|
// already be set, otherwise the MAC will not be correct when
|
|
|
|
|
// the message is send.
|
|
|
|
|
// The string 'secret' must be encoded in base64.
|
2011-01-27 02:04:51 +11:00
|
|
|
func (t *RR_TSIG) Generate(m *Msg, secret string) bool {
|
2011-01-27 01:54:31 +11:00
|
|
|
rawsecret, err := packBase64([]byte(secret))
|
2011-03-15 07:16:45 +11:00
|
|
|
if err != nil {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2011-01-27 01:54:31 +11:00
|
|
|
t.OrigId = m.MsgHdr.Id
|
|
|
|
|
|
2011-03-16 04:56:27 +11:00
|
|
|
msg, ok := m.Pack()
|
2011-03-16 05:36:03 +11:00
|
|
|
if !ok {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
buf, ok1 := tsigToBuf(t, msg, "", true)
|
|
|
|
|
if !ok1 {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2011-01-27 01:54:31 +11:00
|
|
|
h := hmac.NewMD5([]byte(rawsecret))
|
|
|
|
|
io.WriteString(h, string(buf))
|
|
|
|
|
|
2011-03-15 07:16:45 +11:00
|
|
|
t.MAC = hex.EncodeToString(h.Sum())
|
|
|
|
|
t.MACSize = uint16(len(h.Sum())) // Needs to be "on-the-wire" size.
|
2011-01-09 20:31:23 +11:00
|
|
|
if !ok {
|
2011-01-27 02:04:51 +11:00
|
|
|
return false
|
2011-01-09 20:31:23 +11:00
|
|
|
}
|
2011-01-27 02:04:51 +11:00
|
|
|
return true
|
2011-01-09 07:51:20 +11:00
|
|
|
}
|
2011-01-09 20:31:23 +11:00
|
|
|
|
2011-03-21 06:55:27 +11:00
|
|
|
// Verify a TSIG on a message. All relevant data should
|
|
|
|
|
// be set in the Tsig structure.
|
|
|
|
|
func (t *Tsig) Verify(msg []byte) bool {
|
|
|
|
|
rawsecret, err := packBase64([]byte(t.Secret))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
// Stipped the TSIG from the incoming msg
|
|
|
|
|
stripped, ok := stripTsig(msg)
|
|
|
|
|
if !ok {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
buf, ok := t.Buffer(stripped)
|
|
|
|
|
if !ok {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
h := hmac.NewMD5([]byte(rawsecret))
|
|
|
|
|
io.WriteString(h, string(buf))
|
|
|
|
|
return strings.ToUpper(hex.EncodeToString(h.Sum())) == strings.ToUpper(t.MAC)
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-27 19:29:11 +11:00
|
|
|
// Verify a TSIG. The message should be the complete with
|
2011-01-09 20:31:23 +11:00
|
|
|
// the TSIG record still attached (as the last rr in the Additional
|
2011-01-27 19:29:11 +11:00
|
|
|
// section). Return true on success.
|
|
|
|
|
// The secret is a base64 encoded string with the secret.
|
2011-03-16 05:36:03 +11:00
|
|
|
func (t *RR_TSIG) Verify(msg []byte, secret, reqmac string, timers bool) bool {
|
2011-01-27 01:13:06 +11:00
|
|
|
rawsecret, err := packBase64([]byte(secret))
|
2011-03-15 07:16:45 +11:00
|
|
|
if err != nil {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2011-01-26 09:40:45 +11:00
|
|
|
|
2011-03-15 07:16:45 +11:00
|
|
|
if t.Header().Rrtype != TypeTSIG {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2011-03-16 02:18:13 +11:00
|
|
|
|
2011-03-16 04:43:05 +11:00
|
|
|
// t.OrigId -- need to check
|
2011-03-21 06:55:27 +11:00
|
|
|
stripped, ok := stripTsig(msg)
|
2011-03-16 04:43:05 +11:00
|
|
|
if !ok {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2011-03-16 05:36:03 +11:00
|
|
|
buf, ok := tsigToBuf(t, stripped, reqmac, timers)
|
2011-03-15 07:16:45 +11:00
|
|
|
if !ok {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2011-03-14 22:28:04 +11:00
|
|
|
|
2011-03-15 07:16:45 +11:00
|
|
|
h := hmac.NewMD5([]byte(rawsecret))
|
|
|
|
|
io.WriteString(h, string(buf))
|
2011-03-16 04:56:27 +11:00
|
|
|
return strings.ToUpper(hex.EncodeToString(h.Sum())) == strings.ToUpper(t.MAC)
|
2011-01-26 08:29:48 +11:00
|
|
|
}
|
|
|
|
|
|
2011-03-21 06:55:27 +11:00
|
|
|
// Create a wiredata buffer for the MAC calculation
|
|
|
|
|
func (t *Tsig) Buffer(msg []byte) ([]byte, bool) {
|
|
|
|
|
var (
|
|
|
|
|
macbuf []byte
|
|
|
|
|
buf []byte
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
if t.RequestMAC != "" {
|
|
|
|
|
m := new(macWireFmt)
|
|
|
|
|
m.MACSize = uint16(len(t.RequestMAC) / 2)
|
|
|
|
|
m.MAC = t.RequestMAC
|
|
|
|
|
macbuf = make([]byte, len(t.RequestMAC)) // reqmac should be twice as long
|
|
|
|
|
n, ok := packStruct(m, macbuf, 0)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
macbuf = macbuf[:n]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tsigvar := make([]byte, DefaultMsgSize)
|
|
|
|
|
if t.Timers {
|
|
|
|
|
tsig := new(tsigWireFmt)
|
|
|
|
|
tsig.Name = strings.ToLower(t.Name)
|
|
|
|
|
tsig.Class = ClassANY
|
|
|
|
|
tsig.Ttl = 0
|
|
|
|
|
tsig.Algorithm = strings.ToLower(t.Algorithm)
|
|
|
|
|
tsig.TimeSigned = t.TimeSigned
|
|
|
|
|
tsig.Fudge = t.Fudge
|
|
|
|
|
tsig.Error = 0
|
|
|
|
|
tsig.OtherLen = 0
|
|
|
|
|
tsig.OtherData = ""
|
|
|
|
|
n, ok1 := packStruct(tsig, tsigvar, 0)
|
|
|
|
|
if !ok1 {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
tsigvar = tsigvar[:n]
|
|
|
|
|
} else {
|
|
|
|
|
tsig := new(timerWireFmt)
|
|
|
|
|
tsig.TimeSigned = t.TimeSigned
|
|
|
|
|
tsig.Fudge = t.Fudge
|
|
|
|
|
n, ok1 := packStruct(tsig, tsigvar, 0)
|
|
|
|
|
if !ok1 {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
tsigvar = tsigvar[:n]
|
|
|
|
|
}
|
|
|
|
|
if t.RequestMAC != "" {
|
|
|
|
|
x := append(macbuf, msg...)
|
|
|
|
|
buf = append(x, tsigvar...)
|
|
|
|
|
} else {
|
|
|
|
|
buf = append(msg, tsigvar...)
|
|
|
|
|
}
|
|
|
|
|
return buf, true
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-16 04:56:27 +11:00
|
|
|
// Create the buffer which we use for the MAC calculation.
|
2011-03-16 05:36:03 +11:00
|
|
|
func tsigToBuf(rr *RR_TSIG, msg []byte, reqmac string, timers bool) ([]byte, bool) {
|
2011-03-16 04:43:05 +11:00
|
|
|
var (
|
2011-03-16 05:36:03 +11:00
|
|
|
macbuf []byte
|
|
|
|
|
buf []byte
|
2011-03-16 04:43:05 +11:00
|
|
|
)
|
2011-03-15 08:05:57 +11:00
|
|
|
|
|
|
|
|
if reqmac != "" {
|
|
|
|
|
m := new(macWireFmt)
|
|
|
|
|
m.MACSize = uint16(len(reqmac) / 2)
|
|
|
|
|
m.MAC = reqmac
|
2011-03-16 04:56:27 +11:00
|
|
|
macbuf = make([]byte, len(reqmac)) // reqmac should be twice as long
|
|
|
|
|
n, ok := packStruct(m, macbuf, 0)
|
2011-03-15 08:05:57 +11:00
|
|
|
if !ok {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
2011-03-16 04:56:27 +11:00
|
|
|
macbuf = macbuf[:n]
|
2011-03-15 08:05:57 +11:00
|
|
|
}
|
|
|
|
|
|
2011-03-15 07:16:45 +11:00
|
|
|
tsigvar := make([]byte, DefaultMsgSize)
|
2011-03-16 05:36:03 +11:00
|
|
|
if timers {
|
|
|
|
|
tsig := new(tsigWireFmt)
|
|
|
|
|
tsig.Name = strings.ToLower(rr.Header().Name)
|
|
|
|
|
tsig.Class = rr.Header().Class
|
|
|
|
|
tsig.Ttl = rr.Header().Ttl
|
|
|
|
|
tsig.Algorithm = strings.ToLower(rr.Algorithm)
|
|
|
|
|
tsig.TimeSigned = rr.TimeSigned
|
|
|
|
|
tsig.Fudge = rr.Fudge
|
|
|
|
|
tsig.Error = rr.Error
|
|
|
|
|
tsig.OtherLen = rr.OtherLen
|
|
|
|
|
tsig.OtherData = rr.OtherData
|
|
|
|
|
n, ok1 := packStruct(tsig, tsigvar, 0)
|
|
|
|
|
if !ok1 {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
tsigvar = tsigvar[:n]
|
|
|
|
|
} else {
|
|
|
|
|
tsig := new(timerWireFmt)
|
|
|
|
|
tsig.TimeSigned = rr.TimeSigned
|
|
|
|
|
tsig.Fudge = rr.Fudge
|
|
|
|
|
n, ok1 := packStruct(tsig, tsigvar, 0)
|
|
|
|
|
if !ok1 {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
tsigvar = tsigvar[:n]
|
2011-01-26 08:29:48 +11:00
|
|
|
}
|
2011-03-15 07:16:45 +11:00
|
|
|
if reqmac != "" {
|
2011-03-16 04:56:27 +11:00
|
|
|
x := append(macbuf, msg...)
|
2011-03-15 07:16:45 +11:00
|
|
|
buf = append(x, tsigvar...)
|
2011-03-15 08:05:57 +11:00
|
|
|
} else {
|
2011-03-16 04:43:05 +11:00
|
|
|
buf = append(msg, tsigvar...)
|
|
|
|
|
}
|
2011-01-26 08:29:48 +11:00
|
|
|
return buf, true
|
2011-01-09 20:31:23 +11:00
|
|
|
}
|
2011-03-16 02:18:13 +11:00
|
|
|
|
|
|
|
|
// Strip the TSIG from the pkt.
|
2011-03-21 06:55:27 +11:00
|
|
|
func stripTsig(orig []byte) ([]byte, bool) {
|
2011-03-16 04:43:05 +11:00
|
|
|
// Copied from msg.go's Unpack()
|
|
|
|
|
// Header.
|
|
|
|
|
var dh Header
|
|
|
|
|
dns := new(Msg)
|
|
|
|
|
msg := make([]byte, len(orig))
|
|
|
|
|
copy(msg, orig) // fhhh.. another copy
|
|
|
|
|
off := 0
|
|
|
|
|
tsigoff := 0
|
|
|
|
|
var ok bool
|
|
|
|
|
if off, ok = unpackStruct(&dh, msg, off); !ok {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
if dh.Arcount == 0 {
|
|
|
|
|
// No records at all in the additional.
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Arrays.
|
|
|
|
|
dns.Question = make([]Question, dh.Qdcount)
|
|
|
|
|
dns.Answer = make([]RR, dh.Ancount)
|
|
|
|
|
dns.Ns = make([]RR, dh.Nscount)
|
|
|
|
|
dns.Extra = make([]RR, dh.Arcount)
|
|
|
|
|
|
|
|
|
|
for i := 0; i < len(dns.Question); i++ {
|
|
|
|
|
off, ok = unpackStruct(&dns.Question[i], msg, off)
|
|
|
|
|
}
|
|
|
|
|
for i := 0; i < len(dns.Answer); i++ {
|
|
|
|
|
dns.Answer[i], off, ok = unpackRR(msg, off)
|
|
|
|
|
}
|
|
|
|
|
for i := 0; i < len(dns.Ns); i++ {
|
|
|
|
|
dns.Ns[i], off, ok = unpackRR(msg, off)
|
|
|
|
|
}
|
|
|
|
|
for i := 0; i < len(dns.Extra); i++ {
|
|
|
|
|
tsigoff = off
|
|
|
|
|
dns.Extra[i], off, ok = unpackRR(msg, off)
|
|
|
|
|
if dns.Extra[i].Header().Rrtype == TypeTSIG {
|
|
|
|
|
// Adjust Arcount.
|
|
|
|
|
arcount, _ := unpackUint16(msg, 10)
|
|
|
|
|
msg[10], msg[11] = packUint16(arcount - 1)
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
return msg[:tsigoff], true
|
2011-03-16 02:18:13 +11:00
|
|
|
}
|
