dns/tsig.go

package dns

// Implementation of TSIG: generation and validation
// RFC 2845 and RFC 4635
import (
	"io"
	"strconv"
	"strings"
	"crypto/hmac"
	"encoding/hex"
)

// HMAC hashing codes. These are transmitted as domain names.
const (
	HmacMD5    = "hmac-md5.sig-alg.reg.int."
	HmacSHA1   = "hmac-sha1."
	HmacSHA256 = "hmac-sha256."
)

type RR_TSIG struct {
	Hdr        RR_Header
	Algorithm  string "domain-name"
	TimeSigned uint64
	Fudge      uint16
	MACSize    uint16
	MAC        string "size-hex"
	OrigId     uint16
	Error      uint16
	OtherLen   uint16
	OtherData  string "size-hex"
}

func (rr *RR_TSIG) Header() *RR_Header {
	return &rr.Hdr
}

func (rr *RR_TSIG) SetDefaults() {
        rr.Header().Ttl = 0
        rr.Header().Class = ClassANY
        rr.Header().Rrtype = TypeTSIG
        rr.Fudge = 300
        rr.Algorithm = HmacMD5
}

// TSIG has no official presentation format, but this will suffice.
func (rr *RR_TSIG) String() string {
	return rr.Hdr.String() +
		" " + rr.Algorithm +
		" " + tsigTimeToDate(rr.TimeSigned) +
		" " + strconv.Itoa(int(rr.Fudge)) +
		" " + strconv.Itoa(int(rr.MACSize)) +
		" " + rr.MAC +
		" " + strconv.Itoa(int(rr.OrigId)) +
		" " + strconv.Itoa(int(rr.Error)) +
		" " + strconv.Itoa(int(rr.OtherLen)) +
		" " + rr.OtherData
}

// The following values must be put in wireformat, so that the MAC can be calculated.
// RFC 2845, section 3.4.2. TSIG Variables.
type tsigWireFmt struct {
	// From RR_HEADER
	Name  string "domain-name"
	Class uint16
	Ttl   uint32
	// Rdata of the TSIG
	Algorithm  string "domain-name"
	TimeSigned uint64
	Fudge      uint16
	// MACSize, MAC and OrigId excluded
	Error     uint16
	OtherLen  uint16
	OtherData string "size-hex"
}

// If we have the MAC use this type to convert it to wiredata
type macWireFmt struct {
        MAC string "size-hex"
}

// Generate the HMAC for message. The TSIG RR is modified
// to include the MAC and MACSize. Note the the msg Id must
// already be set, otherwise the MAC will not be correct when
// the message is send.
// The string 'secret' must be encoded in base64.
func (t *RR_TSIG) Generate(m *Msg, secret string) bool {
	rawsecret, err := packBase64([]byte(secret))
        if err != nil {
                return false
        }
	t.OrigId = m.MsgHdr.Id

	buf, ok := tsigToBuf(t, m, "")
	h := hmac.NewMD5([]byte(rawsecret))
	io.WriteString(h, string(buf))

	t.MAC = strings.ToUpper(hex.EncodeToString(h.Sum()))
	t.MACSize = uint16(len(h.Sum()))        // Needs to be "on-the-wire" size.
	if !ok {
		return false
	}
	return true
}

// Verify a TSIG. The message should be the complete with
// the TSIG record still attached (as the last rr in the Additional
// section). Return true on success.
// The secret is a base64 encoded string with the secret.
func (t *RR_TSIG) Verify(m *Msg, secret, reqmac string) bool {
	// copy the mesg, strip (and check) the tsig rr
	// perform the opposite of Generate() and then 
	// verify the mac
	rawsecret, err := packBase64([]byte(secret))
        if err != nil {
                return false
        }

	msg2 := m // Deep copy TODO(mg)
	if len(msg2.Extra) < 1 {
		// nothing in additional
		return false
	}
        if t.Header().Rrtype != TypeTSIG {
                return false
        }
        msg2.MsgHdr.Id = t.OrigId
        msg2.Extra = msg2.Extra[:len(msg2.Extra)-1]     // Strip off the TSIG
        buf, ok := tsigToBuf(t, msg2, reqmac)
        if !ok {
                return false
        }

        h := hmac.NewMD5([]byte(rawsecret))
        io.WriteString(h, string(buf))
        println(strings.ToUpper(t.MAC))
        println(strings.ToUpper(hex.EncodeToString(h.Sum())))
        return strings.ToUpper(hex.EncodeToString(h.Sum())) == strings.ToUpper(t.MAC)
}

// INclude the MAC when verifying
func tsigToBuf(rr *RR_TSIG, msg *Msg, reqmac string) ([]byte, bool) {
	// Fill the struct and generate the wiredata
        var mb []byte
	buf := make([]byte, DefaultMsgSize)
	tsig := new(tsigWireFmt)
	tsig.Name = rr.Header().Name
	tsig.Class = rr.Header().Class
	tsig.Ttl = rr.Header().Ttl
	tsig.Algorithm = rr.Algorithm
	tsig.TimeSigned = rr.TimeSigned
	tsig.Fudge = rr.Fudge
	tsig.Error = rr.Error
	tsig.OtherLen = rr.OtherLen
	tsig.OtherData = rr.OtherData
	n, ok1 := packStruct(tsig, buf, 0)
	if !ok1 {
		return nil, false
	}
	buf = buf[:n]
	msgbuf, ok := msg.Pack()
	if !ok {
		return nil, false
	}
        if reqmac != "" {
        println("REQ", reqmac)
                m := new(macWireFmt)
                m.MAC = reqmac
                mb = make([]byte, len(reqmac))  // reqmac should be twice as long
                n, ok := packStruct(m, mb, 0)
                if !ok {
                        return nil, false
                }
                mb = mb[:n]
        }
	buf = append(msgbuf, buf...)
        if mb != nil {
                buf = append(mb, buf...)
        }
	return buf, true
}
Added TSIG By defining a new struct I can re-use all the nice stuff in msg.go 2011-01-09 07:51:20 +11:00			`package dns`

Fix documentation 2011-01-18 07:10:48 +11:00			`// Implementation of TSIG: generation and validation`
TSIG works 2011-01-27 01:13:06 +11:00			`// RFC 2845 and RFC 4635`
tsig generation; first stab 2011-01-09 08:39:15 +11:00			`import (`
Fix documentation 2011-01-18 07:10:48 +11:00			`"io"`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`"strconv"`
Fix tsig -- needs testing 2011-01-10 01:54:23 +11:00			`"strings"`
Fix documentation 2011-01-18 07:10:48 +11:00			`"crypto/hmac"`
Fix tsig -- needs testing 2011-01-10 01:54:23 +11:00			`"encoding/hex"`
tsig generation; first stab 2011-01-09 08:39:15 +11:00			`)`

documentation updates 2011-01-27 19:29:11 +11:00			`// HMAC hashing codes. These are transmitted as domain names.`
tsig generation; first stab 2011-01-09 08:39:15 +11:00			`const (`
more tsig work - still does not validate but getting close 2011-03-14 22:28:04 +11:00			`HmacMD5 = "hmac-md5.sig-alg.reg.int."`
			`HmacSHA1 = "hmac-sha1."`
			`HmacSHA256 = "hmac-sha256."`
tsig generation; first stab 2011-01-09 08:39:15 +11:00			`)`

Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`type RR_TSIG struct {`
			`Hdr RR_Header`
Fix tsig -- needs testing 2011-01-10 01:54:23 +11:00			`Algorithm string "domain-name"`
Fix tsig by making timeSigned a 64 bit int only use the lower 48 bits to make it all work 2011-01-10 01:30:45 +11:00			`TimeSigned uint64`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`Fudge uint16`
			`MACSize uint16`
support nsec3 and nsec3param 2011-02-04 06:39:43 +11:00			`MAC string "size-hex"`
Fix documentation 2011-01-18 07:10:48 +11:00			`OrigId uint16`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`Error uint16`
			`OtherLen uint16`
support nsec3 and nsec3param 2011-02-04 06:39:43 +11:00			`OtherData string "size-hex"`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`}`

			`func (rr RR_TSIG) Header() RR_Header {`
			`return &rr.Hdr`
			`}`

rename it 2011-03-14 04:18:00 +11:00			`func (rr *RR_TSIG) SetDefaults() {`
Use Defaults() function for TSIG 2011-03-14 04:16:35 +11:00			`rr.Header().Ttl = 0`
			`rr.Header().Class = ClassANY`
			`rr.Header().Rrtype = TypeTSIG`
			`rr.Fudge = 300`
More TSIG stuff 2011-03-14 23:08:54 +11:00			`rr.Algorithm = HmacMD5`
Use Defaults() function for TSIG 2011-03-14 04:16:35 +11:00			`}`

documentation updates 2011-01-27 19:29:11 +11:00			`// TSIG has no official presentation format, but this will suffice.`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`func (rr *RR_TSIG) String() string {`
			`return rr.Hdr.String() +`
Fix tsig by making timeSigned a 64 bit int only use the lower 48 bits to make it all work 2011-01-10 01:30:45 +11:00			`" " + rr.Algorithm +`
Fix tsig -- needs testing 2011-01-10 01:54:23 +11:00			`" " + tsigTimeToDate(rr.TimeSigned) +`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`" " + strconv.Itoa(int(rr.Fudge)) +`
Fix TSIG and make check if is works with axfr (yes) 2011-03-12 00:24:33 +11:00			`" " + strconv.Itoa(int(rr.MACSize)) +`
			`" " + rr.MAC +`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`" " + strconv.Itoa(int(rr.OrigId)) +`
			`" " + strconv.Itoa(int(rr.Error)) +`
Fix TSIG and make check if is works with axfr (yes) 2011-03-12 00:24:33 +11:00			`" " + strconv.Itoa(int(rr.OtherLen)) +`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`" " + rr.OtherData`
			`}`

Fix documentation 2011-01-18 07:10:48 +11:00			`// The following values must be put in wireformat, so that the MAC can be calculated.`
			`// RFC 2845, section 3.4.2. TSIG Variables.`
Remove unwanted wire conversion functions 2011-01-14 21:57:28 +11:00			`type tsigWireFmt struct {`
Added TSIG By defining a new struct I can re-use all the nice stuff in msg.go 2011-01-09 07:51:20 +11:00			`// From RR_HEADER`
			`Name string "domain-name"`
			`Class uint16`
			`Ttl uint32`
			`// Rdata of the TSIG`
Fix tsig -- needs testing 2011-01-10 01:54:23 +11:00			`Algorithm string "domain-name"`
Fix tsig by making timeSigned a 64 bit int only use the lower 48 bits to make it all work 2011-01-10 01:30:45 +11:00			`TimeSigned uint64`
Added TSIG By defining a new struct I can re-use all the nice stuff in msg.go 2011-01-09 07:51:20 +11:00			`Fudge uint16`
			`// MACSize, MAC and OrigId excluded`
			`Error uint16`
			`OtherLen uint16`
support nsec3 and nsec3param 2011-02-04 06:39:43 +11:00			`OtherData string "size-hex"`
Added TSIG By defining a new struct I can re-use all the nice stuff in msg.go 2011-01-09 07:51:20 +11:00			`}`

more tsig work - still does not validate but getting close 2011-03-14 22:28:04 +11:00			`// If we have the MAC use this type to convert it to wiredata`
			`type macWireFmt struct {`
			`MAC string "size-hex"`
			`}`

documentation updates 2011-01-27 19:29:11 +11:00			`// Generate the HMAC for message. The TSIG RR is modified`
Tsig * add some testcases for tsig * add unpack/pack stuff -- doesn't work correctly yet 2011-01-09 10:11:22 +11:00			`// to include the MAC and MACSize. Note the the msg Id must`
documentation updates 2011-01-27 19:29:11 +11:00			`// already be set, otherwise the MAC will not be correct when`
			`// the message is send.`
			`// The string 'secret' must be encoded in base64.`
Fixes for the testcases 2011-01-27 02:04:51 +11:00			`func (t RR_TSIG) Generate(m Msg, secret string) bool {`
make tsig method of message (more natural) Fix all tsig use. Only generate must be tested 2011-01-27 01:54:31 +11:00			`rawsecret, err := packBase64([]byte(secret))`
			`if err != nil {`
Fixes for the testcases 2011-01-27 02:04:51 +11:00			`return false`
make tsig method of message (more natural) Fix all tsig use. Only generate must be tested 2011-01-27 01:54:31 +11:00			`}`
			`t.OrigId = m.MsgHdr.Id`

More TSIG stuff 2011-03-14 23:08:54 +11:00			`buf, ok := tsigToBuf(t, m, "")`
make tsig method of message (more natural) Fix all tsig use. Only generate must be tested 2011-01-27 01:54:31 +11:00			`h := hmac.NewMD5([]byte(rawsecret))`
			`io.WriteString(h, string(buf))`

Fix TSIG and make check if is works with axfr (yes) 2011-03-12 00:24:33 +11:00			`t.MAC = strings.ToUpper(hex.EncodeToString(h.Sum()))`
			`t.MACSize = uint16(len(h.Sum())) // Needs to be "on-the-wire" size.`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`if !ok {`
Fixes for the testcases 2011-01-27 02:04:51 +11:00			`return false`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`}`
Fixes for the testcases 2011-01-27 02:04:51 +11:00			`return true`
Added TSIG By defining a new struct I can re-use all the nice stuff in msg.go 2011-01-09 07:51:20 +11:00			`}`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00
documentation updates 2011-01-27 19:29:11 +11:00			`// Verify a TSIG. The message should be the complete with`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`// the TSIG record still attached (as the last rr in the Additional`
documentation updates 2011-01-27 19:29:11 +11:00			`// section). Return true on success.`
			`// The secret is a base64 encoded string with the secret.`
More TSIG stuff 2011-03-14 23:08:54 +11:00			`func (t RR_TSIG) Verify(m Msg, secret, reqmac string) bool {`
Fix tsig by making timeSigned a 64 bit int only use the lower 48 bits to make it all work 2011-01-10 01:30:45 +11:00			`// copy the mesg, strip (and check) the tsig rr`
			`// perform the opposite of Generate() and then`
			`// verify the mac`
TSIG works 2011-01-27 01:13:06 +11:00			`rawsecret, err := packBase64([]byte(secret))`
			`if err != nil {`
TSIG back to method on *RR_TSIG More inline with the rest and generation of tsig is more natural 2011-01-27 02:02:54 +11:00			`return false`
TSIG works 2011-01-27 01:13:06 +11:00			`}`
numerous tsig fixes - validation and generation almost working 2011-01-26 09:40:45 +11:00
more tsig work - still does not validate but getting close 2011-03-14 22:28:04 +11:00			`msg2 := m // Deep copy TODO(mg)`
numerous tsig fixes - validation and generation almost working 2011-01-26 09:40:45 +11:00			`if len(msg2.Extra) < 1 {`
			`// nothing in additional`
TSIG back to method on *RR_TSIG More inline with the rest and generation of tsig is more natural 2011-01-27 02:02:54 +11:00			`return false`
verification and generation of TSIG 2011-01-26 08:29:48 +11:00			`}`
TSIG back to method on *RR_TSIG More inline with the rest and generation of tsig is more natural 2011-01-27 02:02:54 +11:00			`if t.Header().Rrtype != TypeTSIG {`
			`return false`
			`}`
			`msg2.MsgHdr.Id = t.OrigId`
			`msg2.Extra = msg2.Extra[:len(msg2.Extra)-1] // Strip off the TSIG`
More TSIG stuff 2011-03-14 23:08:54 +11:00			`buf, ok := tsigToBuf(t, msg2, reqmac)`
TSIG back to method on *RR_TSIG More inline with the rest and generation of tsig is more natural 2011-01-27 02:02:54 +11:00			`if !ok {`
			`return false`
make tsig method of message (more natural) Fix all tsig use. Only generate must be tested 2011-01-27 01:54:31 +11:00			`}`
more tsig work - still does not validate but getting close 2011-03-14 22:28:04 +11:00
TSIG back to method on *RR_TSIG More inline with the rest and generation of tsig is more natural 2011-01-27 02:02:54 +11:00			`h := hmac.NewMD5([]byte(rawsecret))`
			`io.WriteString(h, string(buf))`
more tsig work - still does not validate but getting close 2011-03-14 22:28:04 +11:00			`println(strings.ToUpper(t.MAC))`
			`println(strings.ToUpper(hex.EncodeToString(h.Sum())))`
			`return strings.ToUpper(hex.EncodeToString(h.Sum())) == strings.ToUpper(t.MAC)`
verification and generation of TSIG 2011-01-26 08:29:48 +11:00			`}`

more tsig work - still does not validate but getting close 2011-03-14 22:28:04 +11:00			`// INclude the MAC when verifying`
More TSIG stuff 2011-03-14 23:08:54 +11:00			`func tsigToBuf(rr RR_TSIG, msg Msg, reqmac string) ([]byte, bool) {`
verification and generation of TSIG 2011-01-26 08:29:48 +11:00			`// Fill the struct and generate the wiredata`
more tsig work - still does not validate but getting close 2011-03-14 22:28:04 +11:00			`var mb []byte`
			`buf := make([]byte, DefaultMsgSize)`
verification and generation of TSIG 2011-01-26 08:29:48 +11:00			`tsig := new(tsigWireFmt)`
			`tsig.Name = rr.Header().Name`
			`tsig.Class = rr.Header().Class`
			`tsig.Ttl = rr.Header().Ttl`
			`tsig.Algorithm = rr.Algorithm`
			`tsig.TimeSigned = rr.TimeSigned`
			`tsig.Fudge = rr.Fudge`
			`tsig.Error = rr.Error`
			`tsig.OtherLen = rr.OtherLen`
			`tsig.OtherData = rr.OtherData`
			`n, ok1 := packStruct(tsig, buf, 0)`
			`if !ok1 {`
			`return nil, false`
			`}`
			`buf = buf[:n]`
			`msgbuf, ok := msg.Pack()`
			`if !ok {`
			`return nil, false`
			`}`
More TSIG stuff 2011-03-14 23:08:54 +11:00			`if reqmac != "" {`
			`println("REQ", reqmac)`
more tsig work - still does not validate but getting close 2011-03-14 22:28:04 +11:00			`m := new(macWireFmt)`
More TSIG stuff 2011-03-14 23:08:54 +11:00			`m.MAC = reqmac`
			`mb = make([]byte, len(reqmac)) // reqmac should be twice as long`
more tsig work - still does not validate but getting close 2011-03-14 22:28:04 +11:00			`n, ok := packStruct(m, mb, 0)`
			`if !ok {`
			`return nil, false`
			`}`
			`mb = mb[:n]`
			`}`
TSIG works 2011-01-27 01:13:06 +11:00			`buf = append(msgbuf, buf...)`
more tsig work - still does not validate but getting close 2011-03-14 22:28:04 +11:00			`if mb != nil {`
			`buf = append(mb, buf...)`
			`}`
verification and generation of TSIG 2011-01-26 08:29:48 +11:00			`return buf, true`
Fold dnssec back into dns It is more natural. Otherwise tsig and tkey needed to be put in their own packages 2011-01-09 20:31:23 +11:00			`}`