Fix TSIG bug releated to ID substitution (#504)

* Fix TSIG bug releated to ID substitution TSIG accounts for ID substitution. This means if the ID in the DNS message is changed by for example a forwarder, TSIG calculation should use the original message ID (from the TSIG RR). I have a test for this as well, but it seems tsig_test.go has been removed, so not sure where to put it now. * Add tests for TSIG bugfix
2017-08-12 21:21:44 +02:00 · 2017-08-12 21:21:44 +02:00 · 0598bd43cf
parent bbca4873b3
commit 0598bd43cf
2 changed files with 18 additions and 0 deletions
--- a/tsig.go
+++ b/tsig.go
@ -208,6 +208,9 @@ func tsigBuffer(msgbuf []byte, rr *TSIG, requestMAC string, timersOnly bool) []b
 		rr.Fudge = 300 // Standard (RFC) default.
 	}

+	// Replace message ID in header with original ID from TSIG
+	binary.BigEndian.PutUint16(msgbuf[0:2], rr.OrigId)
+
 	if requestMAC != "" {
 		m := new(macWireFmt)
 		m.MACSize = uint16(len(requestMAC) / 2)
--- a/tsig_test.go
+++ b/tsig_test.go
@ -1,6 +1,7 @@
 package dns

 import (
+	"encoding/binary"
 	"testing"
 	"time"
 )
@ -22,6 +23,20 @@ func TestTsig(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+
+	// TSIG accounts for ID substitution. This means if the message ID is
+	// changed by a forwarder, we should still be able to verify the TSIG.
+	m = newTsig(HmacMD5)
+	buf, _, err = TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	binary.BigEndian.PutUint16(buf[0:2], uint16(42))
+	err = TsigVerify(buf, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
+	if err != nil {
+		t.Fatal(err)
+	}
 }

 func TestTsigCase(t *testing.T) {