2011-01-27 14:52:58 +00:00
package dns
2011-03-07 20:56:36 +00:00
import (
2011-12-09 20:45:57 +00:00
"crypto/sha1"
2011-03-07 21:47:20 +00:00
"hash"
2011-12-16 14:08:44 +00:00
"io"
2011-03-07 21:47:20 +00:00
"strings"
2011-03-07 20:56:36 +00:00
)
2012-01-22 10:33:51 +00:00
const (
_ = iota
NSEC3_NXDOMAIN
NSEC3_NODATA
)
2011-03-07 21:47:20 +00:00
type saltWireFmt struct {
Salt string "size-hex"
}
2011-01-27 14:52:58 +00:00
2012-01-16 21:08:02 +00:00
// HashName hashes a string (label) according to RFC5155. It returns the hashed string.
2012-01-22 09:52:06 +00:00
func HashName ( label string , ha uint8 , iter uint16 , salt string ) string {
2011-03-07 21:47:20 +00:00
saltwire := new ( saltWireFmt )
saltwire . Salt = salt
wire := make ( [ ] byte , DefaultMsgSize )
2012-01-11 19:33:38 +00:00
n , ok := packStruct ( saltwire , wire , 0 )
2011-03-07 21:47:20 +00:00
if ! ok {
return ""
}
wire = wire [ : n ]
2011-03-09 13:27:41 +00:00
name := make ( [ ] byte , 255 )
2012-01-11 15:16:09 +00:00
off , ok1 := PackDomainName ( strings . ToLower ( label ) , name , 0 , nil , false )
2011-03-07 21:47:20 +00:00
if ! ok1 {
return ""
}
2011-03-09 13:27:41 +00:00
name = name [ : off ]
2011-03-07 21:47:20 +00:00
var s hash . Hash
switch ha {
2011-07-08 15:27:44 +00:00
case SHA1 :
2011-03-07 21:47:20 +00:00
s = sha1 . New ( )
2011-03-24 08:24:49 +00:00
default :
return ""
2011-03-07 21:47:20 +00:00
}
// k = 0
2011-03-09 13:27:41 +00:00
name = append ( name , wire ... )
2011-12-16 18:42:30 +00:00
io . WriteString ( s , string ( name ) )
2011-12-16 14:08:44 +00:00
nsec3 := s . Sum ( nil )
2011-03-24 08:24:49 +00:00
// k > 0
2012-01-22 09:52:06 +00:00
for k := uint16 ( 0 ) ; k < iter ; k ++ {
2011-03-24 08:24:49 +00:00
s . Reset ( )
nsec3 = append ( nsec3 , wire ... )
2011-12-16 18:42:30 +00:00
io . WriteString ( s , string ( nsec3 ) )
2011-12-16 14:12:01 +00:00
nsec3 = s . Sum ( nil )
2011-03-24 08:24:49 +00:00
}
2011-03-07 21:47:20 +00:00
return unpackBase32 ( nsec3 )
2011-03-07 20:56:36 +00:00
}
2011-03-09 17:54:55 +00:00
2012-01-14 09:52:37 +00:00
// HashNames hashes the ownername and the next owner name in an NSEC3 record according to RFC 5155.
// It uses the paramaters as set in the NSEC3 record. The string zone is appended to the hashed
// ownername.
func ( nsec3 * RR_NSEC3 ) HashNames ( zone string ) {
2012-01-22 09:52:06 +00:00
nsec3 . Header ( ) . Name = strings . ToLower ( HashName ( nsec3 . Header ( ) . Name , nsec3 . Hash , nsec3 . Iterations , nsec3 . Salt ) ) + "." + zone
nsec3 . NextDomain = HashName ( nsec3 . NextDomain , nsec3 . Hash , nsec3 . Iterations , nsec3 . Salt )
}
2012-01-22 10:33:51 +00:00
// Match checks if domain matches the first (hashed) owner name of the NSEC3 record, domain must be given
// in plain text.
2012-01-22 09:52:06 +00:00
func ( nsec3 * RR_NSEC3 ) Match ( domain string ) bool {
2012-01-22 10:33:51 +00:00
return strings . ToUpper ( SplitLabels ( nsec3 . Header ( ) . Name ) [ 0 ] ) == strings . ToUpper ( HashName ( domain , nsec3 . Hash , nsec3 . Iterations , nsec3 . Salt ) )
}
// Cover checks if domain is covered by the NSEC3 record, domain must be given in plain text.
func ( nsec3 * RR_NSEC3 ) Cover ( domain string ) bool {
hashdom := strings . ToUpper ( HashName ( domain , nsec3 . Hash , nsec3 . Iterations , nsec3 . Salt ) )
nextdom := strings . ToUpper ( nsec3 . NextDomain )
2012-01-22 15:12:10 +00:00
owner := strings . ToUpper ( SplitLabels ( nsec3 . Header ( ) . Name ) [ 0 ] ) // The hashed part
apex := strings . ToUpper ( HashName ( strings . Join ( SplitLabels ( nsec3 . Header ( ) . Name ) [ 1 : ] , "." ) , nsec3 . Hash , nsec3 . Iterations , nsec3 . Salt ) ) + "." // The name of the zone
// if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain
if hashdom > owner && nextdom == apex {
return true
}
2012-01-22 14:40:59 +00:00
if hashdom > owner && hashdom <= nextdom {
2012-01-22 15:12:10 +00:00
return true
}
2012-01-22 14:40:59 +00:00
2012-01-22 15:12:10 +00:00
return false
2011-03-09 17:54:55 +00:00
}
2011-09-15 18:13:21 +00:00
2012-01-17 18:16:58 +00:00
// NsecVerify verifies an denial of existence response with NSECs
2011-09-15 18:13:21 +00:00
// NsecVerify returns nil when the NSECs in the message contain
2012-01-17 17:48:40 +00:00
// the correct proof. This function does not validates the NSECs.
2011-11-02 22:06:54 +00:00
func ( m * Msg ) NsecVerify ( q Question ) error {
2011-09-15 18:13:21 +00:00
2011-11-02 22:06:54 +00:00
return nil
2011-09-15 18:13:21 +00:00
}
2012-01-17 18:16:58 +00:00
// Nsec3Verify verifies an denial of existence response with NSEC3s.
// This function does not validate the NSEC3s.
2012-01-22 10:33:51 +00:00
func ( m * Msg ) Nsec3Verify ( q Question ) ( int , error ) {
2012-01-19 18:48:09 +00:00
var (
nsec3 [ ] * RR_NSEC3
ncdenied = false // next closer denied
sodenied = false // source of synthesis denied
2012-01-22 10:33:51 +00:00
ce = "" // closest encloser
nc = "" // next closer
so = "" // source of synthesis
2012-01-19 18:48:09 +00:00
)
2012-01-17 18:16:58 +00:00
if len ( m . Answer ) > 0 && len ( m . Ns ) > 0 {
// Wildcard expansion
// Closest encloser inferred from SIG in authority and qname
2012-01-19 18:48:09 +00:00
// println("EXPANDED WILDCARD PROOF or DNAME CNAME")
// println("NODATA")
2012-01-17 18:16:58 +00:00
// I need to check the type bitmap
// wildcard bit not set?
// MM: No need to check the wildcard bit here:
// This response has only 1 NSEC4 and it does not match
// the closest encloser (it covers next closer).
}
if len ( m . Answer ) == 0 && len ( m . Ns ) > 0 {
2012-01-22 10:33:51 +00:00
// Maybe an NXDOMAIN or NODATA, we only know when we check
2012-01-19 18:48:09 +00:00
for _ , n := range m . Ns {
if n . Header ( ) . Rrtype == TypeNSEC3 {
nsec3 = append ( nsec3 , n . ( * RR_NSEC3 ) )
2012-01-17 18:16:58 +00:00
}
}
2012-01-19 18:48:09 +00:00
if len ( nsec3 ) == 0 {
2012-01-22 10:33:51 +00:00
return 0 , ErrDenialNsec3
2012-01-19 18:48:09 +00:00
}
2012-01-17 18:16:58 +00:00
2012-01-19 18:48:09 +00:00
lastchopped := ""
labels := SplitLabels ( q . Name )
2012-01-17 18:16:58 +00:00
2012-01-19 18:48:09 +00:00
// Find the closest encloser and create the next closer
for _ , nsec := range nsec3 {
candidate := ""
for i := len ( labels ) - 1 ; i >= 0 ; i -- {
candidate = labels [ i ] + "." + candidate
2012-01-22 09:52:06 +00:00
if nsec . Match ( candidate ) {
2012-01-19 18:48:09 +00:00
ce = candidate
2012-01-17 18:16:58 +00:00
}
2012-01-19 18:48:09 +00:00
lastchopped = labels [ i ]
2012-01-17 18:16:58 +00:00
}
}
2012-01-19 18:48:09 +00:00
if ce == "" { // what about root label?
2012-01-22 10:33:51 +00:00
return 0 , ErrDenialCe
2012-01-19 18:48:09 +00:00
}
nc = lastchopped + "." + ce
so = "*." + ce
// Check if the next closer is covered and thus denied
for _ , nsec := range nsec3 {
2012-01-22 10:33:51 +00:00
if nsec . Cover ( nc ) {
2012-01-19 18:48:09 +00:00
ncdenied = true
2012-01-20 11:24:20 +00:00
break
2012-01-17 18:16:58 +00:00
}
2012-01-19 18:48:09 +00:00
}
if ! ncdenied {
2012-01-22 15:12:10 +00:00
if m . MsgHdr . Rcode == RcodeNameError {
// For NXDOMAIN this is a problem
return 0 , ErrDenialNc // add next closer name here
}
2012-01-22 10:33:51 +00:00
goto NoData
2012-01-17 18:16:58 +00:00
}
2011-09-15 18:13:21 +00:00
2012-02-24 20:26:01 +00:00
// Check if the source of synthesis is covered and thus also denied
2012-01-19 18:48:09 +00:00
for _ , nsec := range nsec3 {
2012-01-22 10:33:51 +00:00
if nsec . Cover ( so ) {
2012-01-19 18:48:09 +00:00
sodenied = true
2012-01-20 11:24:20 +00:00
break
2012-01-17 18:16:58 +00:00
}
}
2012-01-19 18:48:09 +00:00
if ! sodenied {
2012-01-22 10:33:51 +00:00
return 0 , ErrDenialSo
2012-01-19 18:48:09 +00:00
}
2012-02-25 18:12:02 +00:00
// The message headers claims something different!
if m . MsgHdr . Rcode != RcodeNameError {
return 0 , ErrDenialHdr
}
2012-01-22 10:33:51 +00:00
return NSEC3_NXDOMAIN , nil
2012-01-17 18:16:58 +00:00
}
2012-01-22 10:33:51 +00:00
return 0 , nil
NoData :
2012-02-24 22:43:34 +00:00
// For NODATA we need to to check if the matching nsec3 has to correct type bit map
// And we need to check that the wildcard does NOT exist
for _ , nsec := range nsec3 {
if nsec . Cover ( so ) {
sodenied = true
break
}
}
if sodenied {
// Whoa, the closest encloser is denied, but there does exist
// a wildcard a that level. That's not good
return 0 , ErrDenialWc
}
2012-01-22 10:33:51 +00:00
// The closest encloser MUST be the query name
for _ , nsec := range nsec3 {
if nsec . Match ( nc ) {
// This nsec3 must NOT have the type bitmap set of the qtype. If it does have it, return an error
for _ , t := range nsec . TypeBitMap {
if t == q . Qtype {
return 0 , ErrDenialBit
}
}
}
}
2012-02-25 18:12:02 +00:00
if m . MsgHdr . Rcode == RcodeNameError {
return 0 , ErrDenialHdr
}
2012-01-22 10:33:51 +00:00
return NSEC3_NODATA , nil
2011-09-15 18:13:21 +00:00
}