community
/
dns
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dns/tsig.go

397 lines
9.8 KiB
Go
Raw Normal View History

Added TSIG By defining a new struct I can re-use all the nice stuff in msg.go
2011-01-09 07:51:20 +11:00
package dns
tsig generation; first stab
2011-01-09 08:39:15 +11:00
import (
Fix documentation
2011-01-18 07:10:48 +11:00
"crypto/hmac"
gofmt
2012-01-20 22:24:20 +11:00
"crypto/md5"
gofmt
2012-01-28 10:35:37 +11:00
"crypto/sha1"
"crypto/sha256"
Add support for HmacSHA512 algorithm in TSIG
2015-01-23 20:51:56 +11:00
"crypto/sha512"
Use encoding/binary's conversion functions when possible. (#364) * Remove {un,}packUint{16,32}Msg functions. unpackUint16Msg unpackUint32Msg packUint16Msg packUint32Msg implemented functionality that is part of the encoding/binary package. * Use encoding/binary's encoding in more places.
2016-06-09 01:38:42 +10:00
"encoding/binary"
Fix tsig -- needs testing
2011-01-10 01:54:23 +11:00
"encoding/hex"
gofmt
2012-01-28 10:35:37 +11:00
"hash"
move tsig to tsig.go just as RR_OPT
2012-03-03 09:07:25 +11:00
"strconv"
Update to the latest weekly: weekly/weekly.2011-12-06 The new time API must still be used. But for now it compiles. All DNSSEC/TSIG timing is probably broken
2011-12-09 21:16:49 +11:00
"strings"
"time"
tsig generation; first stab
2011-01-09 08:39:15 +11:00
)
documentation updates
2011-01-27 19:29:11 +11:00
// HMAC hashing codes. These are transmitted as domain names.
tsig generation; first stab
2011-01-09 08:39:15 +11:00
const (
more tsig work - still does not validate but getting close
2011-03-14 22:28:04 +11:00
HmacMD5 = "hmac-md5.sig-alg.reg.int."
HmacSHA1 = "hmac-sha1."
HmacSHA256 = "hmac-sha256."
Add support for HmacSHA512 algorithm in TSIG
2015-01-23 20:51:56 +11:00
HmacSHA512 = "hmac-sha512."
tsig generation; first stab
2011-01-09 08:39:15 +11:00
)
A bunch of golint fixes The proposed vars names are a nono, because they break the API. Things left: document each RR and zscan_rr.go has some funcky if-then-elses.
2015-02-19 20:58:33 +11:00
// TSIG is the RR the holds the transaction signature of a message.
// See RFC 2845 and RFC 4635.
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter.
2012-12-10 05:23:25 +11:00
type TSIG struct {
move tsig to tsig.go just as RR_OPT
2012-03-03 09:07:25 +11:00
Hdr RR_Header
Use go vetted struct tags They had the form: "domain-name", now they are key value pairs (key is always dns: `dns:"domain-name"`
2012-04-30 05:55:29 +10:00
Algorithm string `dns:"domain-name"`
Actually parse the whole uint64
2012-11-19 22:26:13 +11:00
TimeSigned uint64 `dns:"uint48"`
move tsig to tsig.go just as RR_OPT
2012-03-03 09:07:25 +11:00
Fudge uint16
MACSize uint16
Kill all reflection when packing/unpacking RR (#372) Update the size-xxx-member tags to point to another field in the struct that should be used for the length in that field. Fix NSEC3/HIP and TSIG to use to this and generate the correct pack/unpack functions for them. Remove IPSECKEY from the lib and handle it as an unknown record - it is such a horrible RR, needed kludges before - now just handle it as an unknown RR. All types now use generated pack and unpack functions. The blacklist is removed.
2016-06-13 03:31:50 +10:00
MAC string `dns:"size-hex:MACSize"`
move tsig to tsig.go just as RR_OPT
2012-03-03 09:07:25 +11:00
OrigId uint16
Error uint16
OtherLen uint16
Kill all reflection when packing/unpacking RR (#372) Update the size-xxx-member tags to point to another field in the struct that should be used for the length in that field. Fix NSEC3/HIP and TSIG to use to this and generate the correct pack/unpack functions for them. Remove IPSECKEY from the lib and handle it as an unknown record - it is such a horrible RR, needed kludges before - now just handle it as an unknown RR. All types now use generated pack and unpack functions. The blacklist is removed.
2016-06-13 03:31:50 +10:00
OtherData string `dns:"size-hex:OtherLen"`
move tsig to tsig.go just as RR_OPT
2012-03-03 09:07:25 +11:00
}
// TSIG has no official presentation format, but this will suffice.
documentation
2012-05-08 22:17:17 +10:00
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter.
2012-12-10 05:23:25 +11:00
func (rr *TSIG) String() string {
Add ; before printing TSIG (#1051) Automatically submitted.
2019-12-18 02:18:05 +11:00
s := "\n;; TSIG PSEUDOSECTION:\n; " // add another semi-colon to signify TSIG does not have a presentation format
move tsig to tsig.go just as RR_OPT
2012-03-03 09:07:25 +11:00
s += rr.Hdr.String() +
" " + rr.Algorithm +
Better naming
2012-09-12 05:45:21 +10:00
" " + tsigTimeToString(rr.TimeSigned) +
move tsig to tsig.go just as RR_OPT
2012-03-03 09:07:25 +11:00
" " + strconv.Itoa(int(rr.Fudge)) +
" " + strconv.Itoa(int(rr.MACSize)) +
" " + strings.ToUpper(rr.MAC) +
" " + strconv.Itoa(int(rr.OrigId)) +
" " + strconv.Itoa(int(rr.Error)) + // BIND prints NOERROR
" " + strconv.Itoa(int(rr.OtherLen)) +
" " + rr.OtherData
return s
}
Prohibit newlines before record data in the ZoneParser (#979) * Merge setRR into ZoneParser.Next * Remove file argument from RR.parse This was only used to fill in the ParseError file field. Instead we now fill in that field in ZoneParser.Next. * Move dynamic update check out of RR.parse This consolidates all the dynamic update checks into one place. * Check for unexpected newline before parsing RR data * Move rr.parse call into if-statement * Allow dynamic updates for TKEY and RFC3597 records * Document that ParseError file field is unset from parse * Inline allowDynamicUpdate into ZoneParser.Next * Improve and simplify TestUnexpectedNewline
2019-06-10 16:38:54 +10:00
func (rr *TSIG) parse(c *zlexer, origin string) *ParseError {
Use an interface method for parsing zone file records (#886) * Eliminate Variable bool from parserFunc Instead we now check whether the last token read from the zlexer was a zNewline or zEOF. The error check above should be tripped for any record that ends prematurely. * Use an interface method for parsing zone file records * Prevent panic in TestOmittedTTL if no regexp match * Move slurpRemainder into fixed length parse functions This is consistent with the original logic in setRR and avoids potential edge cases. * Parse synthetic records according to RFC 3597 These records lack a presentation format and cannot be parsed otherwise. This behaviour is consistent with how this previously operated.
2019-01-06 15:06:16 +11:00
panic("dns: internal error: parse should never be called on TSIG")
}
Fix documentation
2011-01-18 07:10:48 +11:00
// The following values must be put in wireformat, so that the MAC can be calculated.
// RFC 2845, section 3.4.2. TSIG Variables.
Remove unwanted wire conversion functions
2011-01-14 21:57:28 +11:00
type tsigWireFmt struct {
prepare for tsig
2012-03-01 08:00:39 +11:00
// From RR_Header
Use go vetted struct tags They had the form: "domain-name", now they are key value pairs (key is always dns: `dns:"domain-name"`
2012-04-30 05:55:29 +10:00
Name string `dns:"domain-name"`
Added TSIG By defining a new struct I can re-use all the nice stuff in msg.go
2011-01-09 07:51:20 +11:00
Class uint16
Ttl uint32
// Rdata of the TSIG
Use go vetted struct tags They had the form: "domain-name", now they are key value pairs (key is always dns: `dns:"domain-name"`
2012-04-30 05:55:29 +10:00
Algorithm string `dns:"domain-name"`
Fix TSIG If you even add a tag to a struct member, be sure to add that tag to the other important structs too.
2012-12-13 23:44:27 +11:00
TimeSigned uint64 `dns:"uint48"`
Added TSIG By defining a new struct I can re-use all the nice stuff in msg.go
2011-01-09 07:51:20 +11:00
Fudge uint16
// MACSize, MAC and OrigId excluded
Error uint16
OtherLen uint16
Kill all reflection when packing/unpacking RR (#372) Update the size-xxx-member tags to point to another field in the struct that should be used for the length in that field. Fix NSEC3/HIP and TSIG to use to this and generate the correct pack/unpack functions for them. Remove IPSECKEY from the lib and handle it as an unknown record - it is such a horrible RR, needed kludges before - now just handle it as an unknown RR. All types now use generated pack and unpack functions. The blacklist is removed.
2016-06-13 03:31:50 +10:00
OtherData string `dns:"size-hex:OtherLen"`
Added TSIG By defining a new struct I can re-use all the nice stuff in msg.go
2011-01-09 07:51:20 +11:00
}
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
// If we have the MAC use this type to convert it to wiredata. Section 3.4.3. Request MAC
more tsig work - still does not validate but getting close
2011-03-14 22:28:04 +11:00
type macWireFmt struct {
more tsig stuff
2011-03-15 07:16:45 +11:00
MACSize uint16
Kill all reflection when packing/unpacking RR (#372) Update the size-xxx-member tags to point to another field in the struct that should be used for the length in that field. Fix NSEC3/HIP and TSIG to use to this and generate the correct pack/unpack functions for them. Remove IPSECKEY from the lib and handle it as an unknown record - it is such a horrible RR, needed kludges before - now just handle it as an unknown RR. All types now use generated pack and unpack functions. The blacklist is removed.
2016-06-13 03:31:50 +10:00
MAC string `dns:"size-hex:MACSize"`
more tsig work - still does not validate but getting close
2011-03-14 22:28:04 +11:00
}
TSIG works for AXFR (also with multiple message envelopes)
2011-03-16 05:36:03 +11:00
// 3.3. Time values used in TSIG calculations
type timerWireFmt struct {
Fix TSIG If you even add a tag to a struct member, be sure to add that tag to the other important structs too.
2012-12-13 23:44:27 +11:00
TimeSigned uint64 `dns:"uint48"`
TSIG works for AXFR (also with multiple message envelopes)
2011-03-16 05:36:03 +11:00
Fudge uint16
}
Fix client side TSIG Redesign of TSIG. Validation is on the TOOD - this can be done in the same way as in the server.
2012-03-02 08:40:34 +11:00
// TsigGenerate fills out the TSIG record attached to the message.
// The message should contain
gofmt
2013-05-06 04:30:44 +10:00
// a "stub" TSIG RR with the algorithm, key name (owner name of the RR),
whitespace in comments
2013-03-19 04:37:49 +11:00
// time fudge (defaults to 300 seconds) and the current time
// The TSIG MAC is saved in that Tsig RR.
Fix client side TSIG Redesign of TSIG. Validation is on the TOOD - this can be done in the same way as in the server.
2012-03-02 08:40:34 +11:00
// When TsigGenerate is called for the first time requestMAC is set to the empty string and
whitespace in comments
2013-03-19 04:37:49 +11:00
// timersOnly is false.
gofmt
2013-05-06 04:30:44 +10:00
// If something goes wrong an error is returned, otherwise it is nil.
Fix client side TSIG Redesign of TSIG. Validation is on the TOOD - this can be done in the same way as in the server.
2012-03-02 08:40:34 +11:00
func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, string, error) {
Make the IsTsig and IsEdn0 more usefull by returning the record
2012-08-25 19:24:01 +10:00
if m.IsTsig() == nil {
Fix handling of non fully qualified domain names When PackDomain sees such a name it calls panic. All panic now use the prefix 'dns:'
2012-08-29 02:21:23 +10:00
panic("dns: TSIG not last RR in additional")
TSIG works again 100%
2011-04-23 00:37:26 +10:00
}
Fixes the latest weekly
2011-11-03 09:06:54 +11:00
// If we barf here, the caller is to blame
Rename and simplify packing helper functions
2014-12-06 06:15:17 +11:00
rawsecret, err := fromBase64([]byte(secret))
Fixes the latest weekly
2011-11-03 09:06:54 +11:00
if err != nil {
Fix client side TSIG Redesign of TSIG. Validation is on the TOOD - this can be done in the same way as in the server.
2012-03-02 08:40:34 +11:00
return nil, "", err
Fixes the latest weekly
2011-11-03 09:06:54 +11:00
}
Add tsig stuff
2011-03-21 06:55:27 +11:00
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter.
2012-12-10 05:23:25 +11:00
rr := m.Extra[len(m.Extra)-1].(*TSIG)
TSIG works again 100%
2011-04-23 00:37:26 +10:00
m.Extra = m.Extra[0 : len(m.Extra)-1] // kill the TSIG from the msg
Use proper error in packing and unpacking All the relevant functions now return an error instead of a simple boolean. This greatly approves the feedback to coders. Spotted some fishy error handling along the way and fix that too.
2012-10-10 06:17:54 +11:00
mbuf, err := m.Pack()
if err != nil {
return nil, "", err
Fix client side TSIG Redesign of TSIG. Validation is on the TOOD - this can be done in the same way as in the server.
2012-03-02 08:40:34 +11:00
}
Tsig fixes make tsig easier to use and even transparant when using the API
2011-09-11 09:10:47 +10:00
buf := tsigBuffer(mbuf, rr, requestMAC, timersOnly)
remove config.go
2011-04-19 06:08:12 +10:00
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter.
2012-12-10 05:23:25 +11:00
t := new(TSIG)
gofmt
2012-01-28 10:35:37 +11:00
var h hash.Hash
CanonicalName function to return domain name in canonical form (#1073) * add Canonical function to get name in canonical form * replace strings.ToLower with Canonical * rename Canonical to CanonicalName * replace Fqdn with CanonicalName in ServeMux
2020-03-18 21:21:59 +11:00
switch CanonicalName(rr.Algorithm) {
gofmt
2012-01-28 10:35:37 +11:00
case HmacMD5:
Remove pointless casts (#895) * Remove pointless casts These are all casts where the value was already of the same type. * Use var style for zero-value not cast style
2019-01-04 21:30:55 +11:00
h = hmac.New(md5.New, rawsecret)
gofmt
2012-01-28 10:35:37 +11:00
case HmacSHA1:
Remove pointless casts (#895) * Remove pointless casts These are all casts where the value was already of the same type. * Use var style for zero-value not cast style
2019-01-04 21:30:55 +11:00
h = hmac.New(sha1.New, rawsecret)
gofmt
2012-01-28 10:35:37 +11:00
case HmacSHA256:
Remove pointless casts (#895) * Remove pointless casts These are all casts where the value was already of the same type. * Use var style for zero-value not cast style
2019-01-04 21:30:55 +11:00
h = hmac.New(sha256.New, rawsecret)
Add support for HmacSHA512 algorithm in TSIG
2015-01-23 20:51:56 +11:00
case HmacSHA512:
Remove pointless casts (#895) * Remove pointless casts These are all casts where the value was already of the same type. * Use var style for zero-value not cast style
2019-01-04 21:30:55 +11:00
h = hmac.New(sha512.New, rawsecret)
gofmt
2012-01-28 10:35:37 +11:00
default:
Fix client side TSIG Redesign of TSIG. Validation is on the TOOD - this can be done in the same way as in the server.
2012-03-02 08:40:34 +11:00
return nil, "", ErrKeyAlg
gofmt
2012-01-28 10:35:37 +11:00
}
Improve performance by addressing some low hanging fruit. (#444) * Remove unused bytes.Buffer from dns/idn.encode. This buffer is truncated and written to but never read from. It serves no purpose and all tests pass with it removed. It appears to have been introduced when puncycode.go was first added in miekg/dns@e3c2c07. * Produce less pointless garbage. This change: - removes several needless []byte -> string conversions, - removes two needless append calls in HashName, and - writes the hash to the same nsec3 []byte in HashName rather than creating a new []byte on each of the k iterations. These are all minor performance improvements that will likely go entirely unnoticed. The changes will reduce the ammount of garbage produced when calling CertificateToDANE, HashName, (*SIG).Sign and TsigGenerate.
2017-02-02 18:33:49 +11:00
h.Write(buf)
Fix client side TSIG Redesign of TSIG. Validation is on the TOOD - this can be done in the same way as in the server.
2012-03-02 08:40:34 +11:00
t.MAC = hex.EncodeToString(h.Sum(nil))
Simplify tsig Add a couple of errors, and make the function signature of the tis function more inline with the dnssec ones.
2011-09-11 00:50:27 +10:00
t.MACSize = uint16(len(t.MAC) / 2) // Size is half!
Tsig updates
2011-03-21 07:40:10 +11:00
remove config.go
2011-04-19 06:08:12 +10:00
t.Hdr = RR_Header{Name: rr.Hdr.Name, Rrtype: TypeTSIG, Class: ClassANY, Ttl: 0}
Tsig generation works again *and* is elegant
2011-04-19 06:18:00 +10:00
t.Fudge = rr.Fudge
t.TimeSigned = rr.TimeSigned
t.Algorithm = rr.Algorithm
struct embedding
2012-09-06 00:31:48 +10:00
t.OrigId = m.Id
Newly allocated names
2012-03-03 01:28:22 +11:00
Properly calculate compressed message lengths (#833) * Remove fullSize return from compressionLenSearch This wasn't used anywhere but TestCompressionLenSearch, and was very wrong. * Add generated compressedLen functions and use them This replaces the confusing and complicated compressionLenSlice function. * Use compressedLenWithCompressionMap even for uncompressed This leaves the len() functions unused and they'll soon be removed. This also fixes the off-by-one error of compressedLen when a (Q)NAME is ".". * Use Len helper instead of RR.len private method * Merge len and compressedLen functions * Merge compressedLen helper into Msg.Len * Remove compress bool from compressedLenWithCompressionMap * Merge map insertion into compressionLenSearch This eliminates the need to loop over the domain name twice when we're compressing the name. * Use compressedNameLen for NSEC.NextDomain This was a mistake. * Remove compress from RR.len * Add test case for multiple questions length * Add test case for MINFO and SOA compression These are the only RRs with multiple compressible names within the same RR, and they were previously broken. * Rename compressedNameLen to domainNameLen It also handles the length of uncompressed domain names. * Use off directly instead of len(s[:off]) * Move initial maxCompressionOffset check out of compressionLenMapInsert This should allow us to avoid the call overhead of compressionLenMapInsert in certain limited cases and may result in a slight performance increase. compressionLenMapInsert still has a maxCompressionOffset check inside the for loop. * Rename compressedLenWithCompressionMap to msgLenWithCompressionMap This better reflects that it also calculates the uncompressed length. * Merge TestMsgCompressMINFO with TestMsgCompressSOA They're both testing the same thing. * Remove compressionLenMapInsert compressionLenSearch does everything compressionLenMapInsert did anyway. * Only call compressionLenSearch in one place in domainNameLen * Split if statement in domainNameLen The last two commits worsened the performance of domainNameLen noticably, this change restores it's original performance. name old time/op new time/op delta MsgLength-12 550ns ±13% 510ns ±21% ~ (p=0.050 n=10+10) MsgLengthNoCompression-12 26.9ns ± 2% 27.0ns ± 1% ~ (p=0.198 n=9+10) MsgLengthPack-12 2.30µs ±12% 2.26µs ±16% ~ (p=0.739 n=10+10) MsgLengthMassive-12 32.9µs ± 7% 32.0µs ±10% ~ (p=0.243 n=9+10) MsgLengthOnlyQuestion-12 9.60ns ± 1% 9.20ns ± 1% -4.16% (p=0.000 n=9+9) * Remove stray newline from TestMsgCompressionMultipleQuestions * Remove stray newline in length_test.go This was introduced when resolving merge conflicts.
2018-11-30 10:33:41 +11:00
tbuf := make([]byte, Len(t))
Simplify and unify various returns (#893)
2019-01-04 21:19:42 +11:00
off, err := PackRR(t, tbuf, 0, nil, false)
if err != nil {
Use proper error in packing and unpacking All the relevant functions now return an error instead of a simple boolean. This greatly approves the feedback to coders. Spotted some fishy error handling along the way and fix that too.
2012-10-10 06:17:54 +11:00
return nil, "", err
Fix client side TSIG Redesign of TSIG. Validation is on the TOOD - this can be done in the same way as in the server.
2012-03-02 08:40:34 +11:00
}
Simplify and unify various returns (#893)
2019-01-04 21:19:42 +11:00
mbuf = append(mbuf, tbuf[:off]...)
Cleanup and removals (#377) * Cleanup and removals Gut rawmsg.go as most functions are not used. Reword some documentation. Add more types to be checked for name compression. * Yeah, we do use these * Remove this function as well - only used one
2016-06-14 04:44:38 +10:00
// Update the ArCount directly in the buffer.
binary.BigEndian.PutUint16(mbuf[10:], uint16(len(m.Extra)+1))
Fix client side TSIG Redesign of TSIG. Validation is on the TOOD - this can be done in the same way as in the server.
2012-03-02 08:40:34 +11:00
return mbuf, t.MAC, nil
Add tsig stuff
2011-03-21 06:55:27 +11:00
}
gofmt
2013-05-06 04:30:44 +10:00
// TsigVerify verifies the TSIG on a message.
Update documentation in tsig
2011-03-24 05:07:06 +11:00
// If the signature does not validate err contains the
Simplify tsig Add a couple of errors, and make the function signature of the tis function more inline with the dnssec ones.
2011-09-11 00:50:27 +10:00
// error, otherwise it is nil.
Fixes the latest weekly
2011-11-03 09:06:54 +11:00
func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error {
make TsigVerify check time after signature per rfc2845bis (#1135) Automatically submitted.
2020-07-18 16:06:18 +10:00
return tsigVerify(msg, secret, requestMAC, timersOnly, uint64(time.Now().Unix()))
}
// actual implementation of TsigVerify, taking the current time ('now') as a parameter for the convenience of tests.
func tsigVerify(msg []byte, secret, requestMAC string, timersOnly bool, now uint64) error {
Rename and simplify packing helper functions
2014-12-06 06:15:17 +11:00
rawsecret, err := fromBase64([]byte(secret))
Add tsig stuff
2011-03-21 06:55:27 +11:00
if err != nil {
Simplify tsig Add a couple of errors, and make the function signature of the tis function more inline with the dnssec ones.
2011-09-11 00:50:27 +10:00
return err
Add tsig stuff
2011-03-21 06:55:27 +11:00
}
Make TsigVerify's MAC comparison take constant time
2014-01-24 14:28:08 +11:00
// Strip the TSIG from the incoming msg
fix tsig for the new api
2011-04-19 19:31:47 +10:00
stripped, tsig, err := stripTsig(msg)
Implement all other TSIG checks
2011-03-26 00:46:30 +11:00
if err != nil {
Simplify tsig Add a couple of errors, and make the function signature of the tis function more inline with the dnssec ones.
2011-09-11 00:50:27 +10:00
return err
Add tsig stuff
2011-03-21 06:55:27 +11:00
}
Make TsigVerify's MAC comparison take constant time
2014-01-24 14:28:08 +11:00
msgMAC, err := hex.DecodeString(tsig.MAC)
if err != nil {
return err
}
Tsig fixes make tsig easier to use and even transparant when using the API
2011-09-11 09:10:47 +10:00
buf := tsigBuffer(stripped, tsig, requestMAC, timersOnly)
Fix tsig fudge factor Excellent bug report from freb, about how this fails when a message arrives in the past (because of clock skew). Closes #153
2014-11-12 04:58:12 +11:00
gofmt
2012-01-28 10:35:37 +11:00
var h hash.Hash
CanonicalName function to return domain name in canonical form (#1073) * add Canonical function to get name in canonical form * replace strings.ToLower with Canonical * rename Canonical to CanonicalName * replace Fqdn with CanonicalName in ServeMux
2020-03-18 21:21:59 +11:00
switch CanonicalName(tsig.Algorithm) {
gofmt
2012-01-28 10:35:37 +11:00
case HmacMD5:
Make TsigVerify's MAC comparison take constant time
2014-01-24 14:28:08 +11:00
h = hmac.New(md5.New, rawsecret)
gofmt
2012-01-28 10:35:37 +11:00
case HmacSHA1:
Make TsigVerify's MAC comparison take constant time
2014-01-24 14:28:08 +11:00
h = hmac.New(sha1.New, rawsecret)
gofmt
2012-01-28 10:35:37 +11:00
case HmacSHA256:
Make TsigVerify's MAC comparison take constant time
2014-01-24 14:28:08 +11:00
h = hmac.New(sha256.New, rawsecret)
Add support for HmacSHA512 algorithm in TSIG
2015-01-23 20:51:56 +11:00
case HmacSHA512:
h = hmac.New(sha512.New, rawsecret)
gofmt
2012-01-28 10:35:37 +11:00
default:
return ErrKeyAlg
}
Make TsigVerify's MAC comparison take constant time
2014-01-24 14:28:08 +11:00
h.Write(buf)
if !hmac.Equal(h.Sum(nil), msgMAC) {
Fixes the latest weekly
2011-11-03 09:06:54 +11:00
return ErrSig
}
make TsigVerify check time after signature per rfc2845bis (#1135) Automatically submitted.
2020-07-18 16:06:18 +10:00
// Fudge factor works both ways. A message can arrive before it was signed because
// of clock skew.
// We check this after verifying the signature, following draft-ietf-dnsop-rfc2845bis
// instead of RFC2845, in order to prevent a security vulnerability as reported in CVE-2017-3142/3143.
ti := now - tsig.TimeSigned
if now < tsig.TimeSigned {
ti = tsig.TimeSigned - now
}
if uint64(tsig.Fudge) < ti {
return ErrTime
}
Fixes the latest weekly
2011-11-03 09:06:54 +11:00
return nil
verification and generation of TSIG
2011-01-26 08:29:48 +11:00
}
Update documentation in tsig
2011-03-24 05:07:06 +11:00
// Create a wiredata buffer for the MAC calculation.
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter.
2012-12-10 05:23:25 +11:00
func tsigBuffer(msgbuf []byte, rr *TSIG, requestMAC string, timersOnly bool) []byte {
TSIG with request MAC is working
2012-03-06 08:03:18 +11:00
var buf []byte
TSIG works again 100%
2011-04-23 00:37:26 +10:00
if rr.TimeSigned == 0 {
Update to the latest weekly: weekly/weekly.2011-12-06 The new time API must still be used. But for now it compiles. All DNSSEC/TSIG timing is probably broken
2011-12-09 21:16:49 +11:00
rr.TimeSigned = uint64(time.Now().Unix())
TSIG works again 100%
2011-04-23 00:37:26 +10:00
}
if rr.Fudge == 0 {
Fixes the latest weekly
2011-11-03 09:06:54 +11:00
rr.Fudge = 300 // Standard (RFC) default.
TSIG works again 100%
2011-04-23 00:37:26 +10:00
}
Add tsig stuff
2011-03-21 06:55:27 +11:00
Fix TSIG bug releated to ID substitution (#504) * Fix TSIG bug releated to ID substitution TSIG accounts for ID substitution. This means if the ID in the DNS message is changed by for example a forwarder, TSIG calculation should use the original message ID (from the TSIG RR). I have a test for this as well, but it seems tsig_test.go has been removed, so not sure where to put it now. * Add tests for TSIG bugfix
2017-08-13 05:21:44 +10:00
// Replace message ID in header with original ID from TSIG
binary.BigEndian.PutUint16(msgbuf[0:2], rr.OrigId)
TSIG works again 100%
2011-04-23 00:37:26 +10:00
if requestMAC != "" {
Add tsig stuff
2011-03-21 06:55:27 +11:00
m := new(macWireFmt)
TSIG works again 100%
2011-04-23 00:37:26 +10:00
m.MACSize = uint16(len(requestMAC) / 2)
m.MAC = requestMAC
fmt
2012-05-06 01:37:48 +10:00
buf = make([]byte, len(requestMAC)) // long enough
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
n, _ := packMacWire(m, buf)
TSIG with request MAC is working
2012-03-06 08:03:18 +11:00
buf = buf[:n]
Add tsig stuff
2011-03-21 06:55:27 +11:00
}
tsigvar := make([]byte, DefaultMsgSize)
remove config.go
2011-04-19 06:08:12 +10:00
if timersOnly {
tsig nicely abstracted. Still bugs present though
2011-03-21 21:39:04 +11:00
tsig := new(timerWireFmt)
remove config.go
2011-04-19 06:08:12 +10:00
tsig.TimeSigned = rr.TimeSigned
tsig.Fudge = rr.Fudge
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
n, _ := packTimerWire(tsig, tsigvar)
Add tsig stuff
2011-03-21 06:55:27 +11:00
tsigvar = tsigvar[:n]
} else {
tsig nicely abstracted. Still bugs present though
2011-03-21 21:39:04 +11:00
tsig := new(tsigWireFmt)
CanonicalName function to return domain name in canonical form (#1073) * add Canonical function to get name in canonical form * replace strings.ToLower with Canonical * rename Canonical to CanonicalName * replace Fqdn with CanonicalName in ServeMux
2020-03-18 21:21:59 +11:00
tsig.Name = CanonicalName(rr.Hdr.Name)
tsig nicely abstracted. Still bugs present though
2011-03-21 21:39:04 +11:00
tsig.Class = ClassANY
TSIG works again 100%
2011-04-23 00:37:26 +10:00
tsig.Ttl = rr.Hdr.Ttl
CanonicalName function to return domain name in canonical form (#1073) * add Canonical function to get name in canonical form * replace strings.ToLower with Canonical * rename Canonical to CanonicalName * replace Fqdn with CanonicalName in ServeMux
2020-03-18 21:21:59 +11:00
tsig.Algorithm = CanonicalName(rr.Algorithm)
remove config.go
2011-04-19 06:08:12 +10:00
tsig.TimeSigned = rr.TimeSigned
tsig.Fudge = rr.Fudge
TSIG works again 100%
2011-04-23 00:37:26 +10:00
tsig.Error = rr.Error
tsig.OtherLen = rr.OtherLen
tsig.OtherData = rr.OtherData
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
n, _ := packTsigWire(tsig, tsigvar)
Add tsig stuff
2011-03-21 06:55:27 +11:00
tsigvar = tsigvar[:n]
}
TSIG with request MAC is working
2012-03-06 08:03:18 +11:00
if requestMAC != "" {
x := append(buf, msgbuf...)
Add tsig stuff
2011-03-21 06:55:27 +11:00
buf = append(x, tsigvar...)
} else {
remove config.go
2011-04-19 06:08:12 +10:00
buf = append(msgbuf, tsigvar...)
Add tsig stuff
2011-03-21 06:55:27 +11:00
}
Tsig fixes make tsig easier to use and even transparant when using the API
2011-09-11 09:10:47 +10:00
return buf
Add tsig stuff
2011-03-21 06:55:27 +11:00
}
fix tsig for the new api
2011-04-19 19:31:47 +10:00
documentation tweaks
2014-07-30 16:35:06 +10:00
// Strip the TSIG from the raw message.
Rename the RR types drop the RR_ prefix This is also done in the official Go library. It also make the code shorter.
2012-12-10 05:23:25 +11:00
func stripTsig(msg []byte) ([]byte, *TSIG, error) {
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
// Copied from msg.go's Unpack() Header, but modified.
var (
dh Header
err error
)
off, tsigoff := 0, 0
if dh, off, err = unpackMsgHdr(msg, off); err != nil {
Use proper error in packing and unpacking All the relevant functions now return an error instead of a simple boolean. This greatly approves the feedback to coders. Spotted some fishy error handling along the way and fix that too.
2012-10-10 06:17:54 +11:00
return nil, nil, err
compiles again
2011-03-16 04:43:05 +11:00
}
if dh.Arcount == 0 {
fix tsig for the new api
2011-04-19 19:31:47 +10:00
return nil, nil, ErrNoSig
compiles again
2011-03-16 04:43:05 +11:00
}
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
TSIG works again 100%
2011-04-23 00:37:26 +10:00
// Rcode, see msg.go Unpack()
if int(dh.Bits&0xF) == RcodeNotAuth {
return nil, nil, ErrAuth
}
compiles again
2011-03-16 04:43:05 +11:00
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
for i := 0; i < int(dh.Qdcount); i++ {
_, off, err = unpackQuestion(msg, off)
Use proper error in packing and unpacking All the relevant functions now return an error instead of a simple boolean. This greatly approves the feedback to coders. Spotted some fishy error handling along the way and fix that too.
2012-10-10 06:17:54 +11:00
if err != nil {
return nil, nil, err
}
compiles again
2011-03-16 04:43:05 +11:00
}
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
_, off, err = unpackRRslice(int(dh.Ancount), msg, off)
if err != nil {
return nil, nil, err
compiles again
2011-03-16 04:43:05 +11:00
}
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
_, off, err = unpackRRslice(int(dh.Nscount), msg, off)
if err != nil {
return nil, nil, err
compiles again
2011-03-16 04:43:05 +11:00
}
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
rr := new(TSIG)
var extra RR
for i := 0; i < int(dh.Arcount); i++ {
compiles again
2011-03-16 04:43:05 +11:00
tsigoff = off
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
extra, off, err = UnpackRR(msg, off)
Use proper error in packing and unpacking All the relevant functions now return an error instead of a simple boolean. This greatly approves the feedback to coders. Spotted some fishy error handling along the way and fix that too.
2012-10-10 06:17:54 +11:00
if err != nil {
return nil, nil, err
}
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
if extra.Header().Rrtype == TypeTSIG {
rr = extra.(*TSIG)
compiles again
2011-03-16 04:43:05 +11:00
// Adjust Arcount.
Use encoding/binary's conversion functions when possible. (#364) * Remove {un,}packUint{16,32}Msg functions. unpackUint16Msg unpackUint32Msg packUint16Msg packUint32Msg implemented functionality that is part of the encoding/binary package. * Use encoding/binary's encoding in more places.
2016-06-09 01:38:42 +10:00
arcount := binary.BigEndian.Uint16(msg[10:])
binary.BigEndian.PutUint16(msg[10:], arcount-1)
compiles again
2011-03-16 04:43:05 +11:00
break
}
}
TSIG works again 100%
2011-04-23 00:37:26 +10:00
if rr == nil {
fix tsig for the new api
2011-04-19 19:31:47 +10:00
return nil, nil, ErrNoSig
TSIG works again 100%
2011-04-23 00:37:26 +10:00
}
fix tsig for the new api
2011-04-19 19:31:47 +10:00
return msg[:tsigoff], rr, nil
More TSIG changes. Curious if they amount to something
2011-03-16 02:18:13 +11:00
}
Fix tsig 48 bits timer
2012-03-03 09:12:23 +11:00
// Translate the TSIG time signed into a date. There is no
// need for RFC1982 calculations as this date is 48 bits.
Better naming
2012-09-12 05:45:21 +10:00
func tsigTimeToString(t uint64) string {
TSIG with request MAC is working
2012-03-06 08:03:18 +11:00
ti := time.Unix(int64(t), 0).UTC()
return ti.Format("20060102150405")
Fix tsig 48 bits timer
2012-03-03 09:12:23 +11:00
}
Remove reflection (#376) Everything is generated. Remove all uses of packStruct/unpackStruct and make the library reflectionless.
2016-06-13 06:06:46 +10:00
func packTsigWire(tw *tsigWireFmt, msg []byte) (int, error) {
// copied from zmsg.go TSIG packing
// RR_Header
off, err := PackDomainName(tw.Name, msg, 0, nil, false)
if err != nil {
return off, err
}
off, err = packUint16(tw.Class, msg, off)
if err != nil {
return off, err
}
off, err = packUint32(tw.Ttl, msg, off)
if err != nil {
return off, err
}
off, err = PackDomainName(tw.Algorithm, msg, off, nil, false)
if err != nil {
return off, err
}
off, err = packUint48(tw.TimeSigned, msg, off)
if err != nil {
return off, err
}
off, err = packUint16(tw.Fudge, msg, off)
if err != nil {
return off, err
}
off, err = packUint16(tw.Error, msg, off)
if err != nil {
return off, err
}
off, err = packUint16(tw.OtherLen, msg, off)
if err != nil {
return off, err
}
off, err = packStringHex(tw.OtherData, msg, off)
if err != nil {
return off, err
}
return off, nil
}
func packMacWire(mw *macWireFmt, msg []byte) (int, error) {
off, err := packUint16(mw.MACSize, msg, 0)
if err != nil {
return off, err
}
off, err = packStringHex(mw.MAC, msg, off)
if err != nil {
return off, err
}
return off, nil
}
func packTimerWire(tw *timerWireFmt, msg []byte) (int, error) {
off, err := packUint48(tw.TimeSigned, msg, 0)
if err != nil {
return off, err
}
off, err = packUint16(tw.Fudge, msg, off)
if err != nil {
return off, err
}
return off, nil
}