dns/nsecx.go

// Copyright 2011 Miek Gieben. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package dns

import (
	"crypto/sha1"
	"hash"
	"io"
	"strings"
)

const (
	_ = iota
	_NSEC3_NXDOMAIN
	_NSEC3_NODATA
)

type saltWireFmt struct {
	Salt string `dns:"size-hex"`
}

// HashName hashes a string (label) according to RFC 5155. It returns the hashed string.
func HashName(label string, ha uint8, iter uint16, salt string) string {
	saltwire := new(saltWireFmt)
	saltwire.Salt = salt
	wire := make([]byte, DefaultMsgSize)
	n, err := PackStruct(saltwire, wire, 0)
	if err != nil {
		return ""
	}
	wire = wire[:n]
	name := make([]byte, 255)
	off, err := PackDomainName(strings.ToLower(label), name, 0, nil, false)
	if err != nil {
		return ""
	}
	name = name[:off]
	var s hash.Hash
	switch ha {
	case SHA1:
		s = sha1.New()
	default:
		return ""
	}

	// k = 0
	name = append(name, wire...)
	io.WriteString(s, string(name))
	nsec3 := s.Sum(nil)
	// k > 0
	for k := uint16(0); k < iter; k++ {
		s.Reset()
		nsec3 = append(nsec3, wire...)
		io.WriteString(s, string(nsec3))
		nsec3 = s.Sum(nil)
	}
	return unpackBase32(nsec3)
}

// Implement the HashNames method of Denialer
func (rr *NSEC3) HashNames(domain string) {
	rr.Header().Name = strings.ToLower(HashName(rr.Header().Name, rr.Hash, rr.Iterations, rr.Salt)) + "." + domain
	rr.NextDomain = HashName(rr.NextDomain, rr.Hash, rr.Iterations, rr.Salt)
}

// Implement the Match method of Denialer
func (rr *NSEC3) Match(domain string) bool {
	return strings.ToUpper(SplitLabels(rr.Header().Name)[0]) == strings.ToUpper(HashName(domain, rr.Hash, rr.Iterations, rr.Salt))
}

// Implement the Match method of Denialer
func (rr *NSEC) Match(domain string) bool {
	return strings.ToUpper(rr.Header().Name) == strings.ToUpper(domain)
}

func (rr *NSEC3) MatchType(rrtype uint16) bool {
	for _, t := range rr.TypeBitMap {
		if t == rrtype {
			return true
		}
		if t > rrtype {
			return false
		}
	}
	return false
}

func (rr *NSEC) MatchType(rrtype uint16) bool {
	for _, t := range rr.TypeBitMap {
		if t == rrtype {
			return true
		}
		if t > rrtype {
			return false
		}
	}
	return false
}

// Cover checks if domain is covered by the NSEC3 record. Domain must be given in plain text (i.e. not hashed)
// TODO(mg): this doesn't loop around
// TODO(mg): make a CoverHashed variant?
func (rr *NSEC3) Cover(domain string) bool {
	hashdom := strings.ToUpper(HashName(domain, rr.Hash, rr.Iterations, rr.Salt))
	nextdom := strings.ToUpper(rr.NextDomain)
	owner := strings.ToUpper(SplitLabels(rr.Header().Name)[0])                                                                     // The hashed part
	apex := strings.ToUpper(HashName(strings.Join(SplitLabels(rr.Header().Name)[1:], "."), rr.Hash, rr.Iterations, rr.Salt)) + "." // The name of the zone
	// if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain
	if hashdom > owner && nextdom == apex {
		return true
	}

	if hashdom > owner && hashdom <= nextdom {
		return true
	}

	return false
}

// Cover checks if domain is covered by the NSEC record. Domain must be given in plain text.
func (rr *NSEC) Cover(domain string) bool {
	return false
}
Update all copyright notices 2013-05-13 00:15:52 +10:00			`// Copyright 2011 Miek Gieben. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

add start for nsec3 2011-01-28 01:52:58 +11:00			`package dns`

More NSEC3 stuff 2011-03-08 07:56:36 +11:00			`import (`
gofmt 2011-12-10 07:45:57 +11:00			`"crypto/sha1"`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`"hash"`
Fix the hashing I mis applied the Gofix that created the correct fix. 2011-12-17 01:08:44 +11:00			`"io"`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`"strings"`
More NSEC3 stuff 2011-03-08 07:56:36 +11:00			`)`

Implement NSEC3 NODATA proof 2012-01-22 21:33:51 +11:00			`const (`
			`_ = iota`
Further minimize the lib 2012-08-20 17:39:10 +10:00			`_NSEC3_NXDOMAIN`
			`_NSEC3_NODATA`
Implement NSEC3 NODATA proof 2012-01-22 21:33:51 +11:00			`)`

Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`type saltWireFmt struct {`
Use go vetted struct tags They had the form: "domain-name", now they are key value pairs (key is always dns: `dns:"domain-name"` 2012-04-30 05:55:29 +10:00			Salt string `dns:"size-hex"`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`}`
add start for nsec3 2011-01-28 01:52:58 +11:00
more documentation 2012-12-02 20:14:53 +11:00			`// HashName hashes a string (label) according to RFC 5155. It returns the hashed string.`
Add a nsec3 Match() function 2012-01-22 20:52:06 +11:00			`func HashName(label string, ha uint8, iter uint16, salt string) string {`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`saltwire := new(saltWireFmt)`
			`saltwire.Salt = salt`
			`wire := make([]byte, DefaultMsgSize)`
Use proper error in packing and unpacking All the relevant functions now return an error instead of a simple boolean. This greatly approves the feedback to coders. Spotted some fishy error handling along the way and fix that too. 2012-10-10 06:17:54 +11:00			`n, err := PackStruct(saltwire, wire, 0)`
			`if err != nil {`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`return ""`
			`}`
			`wire = wire[:n]`
implement nsec3 label hashing 2011-03-10 00:27:41 +11:00			`name := make([]byte, 255)`
Use proper error in packing and unpacking All the relevant functions now return an error instead of a simple boolean. This greatly approves the feedback to coders. Spotted some fishy error handling along the way and fix that too. 2012-10-10 06:17:54 +11:00			`off, err := PackDomainName(strings.ToLower(label), name, 0, nil, false)`
			`if err != nil {`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`return ""`
			`}`
implement nsec3 label hashing 2011-03-10 00:27:41 +11:00			`name = name[:off]`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`var s hash.Hash`
			`switch ha {`
Drop the Alg and Hash prefixes 2011-07-09 01:27:44 +10:00			`case SHA1:`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`s = sha1.New()`
Formatting 2011-03-24 19:24:49 +11:00			`default:`
			`return ""`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`}`

			`// k = 0`
implement nsec3 label hashing 2011-03-10 00:27:41 +11:00			`name = append(name, wire...)`
Gofmt 2011-12-17 05:42:30 +11:00			`io.WriteString(s, string(name))`
Fix the hashing I mis applied the Gofix that created the correct fix. 2011-12-17 01:08:44 +11:00			`nsec3 := s.Sum(nil)`
Formatting 2011-03-24 19:24:49 +11:00			`// k > 0`
Add a nsec3 Match() function 2012-01-22 20:52:06 +11:00			`for k := uint16(0); k < iter; k++ {`
Formatting 2011-03-24 19:24:49 +11:00			`s.Reset()`
			`nsec3 = append(nsec3, wire...)`
Gofmt 2011-12-17 05:42:30 +11:00			`io.WriteString(s, string(nsec3))`
Nsec3: fix hashing here also 2011-12-17 01:12:01 +11:00			`nsec3 = s.Sum(nil)`
Formatting 2011-03-24 19:24:49 +11:00			`}`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`return unpackBase32(nsec3)`
More NSEC3 stuff 2011-03-08 07:56:36 +11:00			`}`
add nsec3 hashnames method 2011-03-10 04:54:55 +11:00
Add denialer interface 2012-06-06 23:27:35 +10:00			`// Implement the HashNames method of Denialer`
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter. 2012-12-10 05:23:25 +11:00			`func (rr *NSEC3) HashNames(domain string) {`
use rr instead of nsec 2012-09-02 19:45:29 +10:00			`rr.Header().Name = strings.ToLower(HashName(rr.Header().Name, rr.Hash, rr.Iterations, rr.Salt)) + "." + domain`
			`rr.NextDomain = HashName(rr.NextDomain, rr.Hash, rr.Iterations, rr.Salt)`
Add a nsec3 Match() function 2012-01-22 20:52:06 +11:00			`}`

Add denialer interface 2012-06-06 23:27:35 +10:00			`// Implement the Match method of Denialer`
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter. 2012-12-10 05:23:25 +11:00			`func (rr *NSEC3) Match(domain string) bool {`
use rr instead of nsec 2012-09-02 19:45:29 +10:00			`return strings.ToUpper(SplitLabels(rr.Header().Name)[0]) == strings.ToUpper(HashName(domain, rr.Hash, rr.Iterations, rr.Salt))`
Implement NSEC3 NODATA proof 2012-01-22 21:33:51 +11:00			`}`

Add denialer interface 2012-06-06 23:27:35 +10:00			`// Implement the Match method of Denialer`
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter. 2012-12-10 05:23:25 +11:00			`func (rr *NSEC) Match(domain string) bool {`
use rr instead of nsec 2012-09-02 19:45:29 +10:00			`return strings.ToUpper(rr.Header().Name) == strings.ToUpper(domain)`
Add denialer interface 2012-06-06 23:27:35 +10:00			`}`

Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter. 2012-12-10 05:23:25 +11:00			`func (rr *NSEC3) MatchType(rrtype uint16) bool {`
use rr instead of nsec 2012-09-02 19:45:29 +10:00			`for _, t := range rr.TypeBitMap {`
Add denialer interface 2012-06-06 23:27:35 +10:00			`if t == rrtype {`
			`return true`
			`}`
			`if t > rrtype {`
			`return false`
			`}`
			`}`
			`return false`
			`}`

Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter. 2012-12-10 05:23:25 +11:00			`func (rr *NSEC) MatchType(rrtype uint16) bool {`
use rr instead of nsec 2012-09-02 19:45:29 +10:00			`for _, t := range rr.TypeBitMap {`
Add denialer interface 2012-06-06 23:27:35 +10:00			`if t == rrtype {`
			`return true`
			`}`
			`if t > rrtype {`
			`return false`
			`}`
			`}`
			`return false`
			`}`
small tweaks in the NSEC3 code 2012-06-06 15:36:45 +10:00
			`// Cover checks if domain is covered by the NSEC3 record. Domain must be given in plain text (i.e. not hashed)`
			`// TODO(mg): this doesn't loop around`
			`// TODO(mg): make a CoverHashed variant?`
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter. 2012-12-10 05:23:25 +11:00			`func (rr *NSEC3) Cover(domain string) bool {`
use rr instead of nsec 2012-09-02 19:45:29 +10:00			`hashdom := strings.ToUpper(HashName(domain, rr.Hash, rr.Iterations, rr.Salt))`
			`nextdom := strings.ToUpper(rr.NextDomain)`
fmt 2012-09-11 04:51:19 +10:00			`owner := strings.ToUpper(SplitLabels(rr.Header().Name)[0]) // The hashed part`
use rr instead of nsec 2012-09-02 19:45:29 +10:00			`apex := strings.ToUpper(HashName(strings.Join(SplitLabels(rr.Header().Name)[1:], "."), rr.Hash, rr.Iterations, rr.Salt)) + "." // The name of the zone`
Some more tweaks into verifying nsec3 messages 2012-01-23 02:12:10 +11:00			`// if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain`
			`if hashdom > owner && nextdom == apex {`
			`return true`
			`}`
Handle NSEC3 records that point to the apex 2012-01-23 01:40:59 +11:00
			`if hashdom > owner && hashdom <= nextdom {`
Some more tweaks into verifying nsec3 messages 2012-01-23 02:12:10 +11:00			`return true`
			`}`
Handle NSEC3 records that point to the apex 2012-01-23 01:40:59 +11:00
Some more tweaks into verifying nsec3 messages 2012-01-23 02:12:10 +11:00			`return false`
add nsec3 hashnames method 2011-03-10 04:54:55 +11:00			`}`
start with nsec3 proving 2011-09-16 04:13:21 +10:00
prototype nsec cover method 2012-03-09 07:16:51 +11:00			`// Cover checks if domain is covered by the NSEC record. Domain must be given in plain text.`
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter. 2012-12-10 05:23:25 +11:00			`func (rr *NSEC) Cover(domain string) bool {`
prototype nsec cover method 2012-03-09 07:16:51 +11:00			`return false`
			`}`