From 0598bd43cf51d0375c5bcd3a42e807cc19b3b7d9 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Sat, 12 Aug 2017 21:21:44 +0200
Subject: [PATCH] Fix TSIG bug releated to ID substitution (#504)

* Fix TSIG bug releated to ID substitution

TSIG accounts for ID substitution. This means if the ID in the DNS message is changed by for example a forwarder, TSIG calculation should use the original message ID (from the TSIG RR). I have a test for this as well, but it seems tsig_test.go has been removed, so not sure where to put it now.

* Add tests for TSIG bugfix
---
 tsig.go | 3 +++
 tsig_test.go | 15 +++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/tsig.go b/tsig.go
index 24013096..4837b4ab 100644
--- a/tsig.go
+++ b/tsig.go
@@ -208,6 +208,9 @@ func tsigBuffer(msgbuf []byte, rr *TSIG, requestMAC string, timersOnly bool) []b
 rr.Fudge = 300 // Standard (RFC) default.
 }
 
+ // Replace message ID in header with original ID from TSIG
+ binary.BigEndian.PutUint16(msgbuf[0:2], rr.OrigId)
+
 if requestMAC != "" {
 m := new(macWireFmt)
 m.MACSize = uint16(len(requestMAC) / 2)
diff --git a/tsig_test.go b/tsig_test.go
index 48b9988b..4bc52733 100644
--- a/tsig_test.go
+++ b/tsig_test.go
@@ -1,6 +1,7 @@
 package dns
 
 import (
+ "encoding/binary"
 "testing"
 "time"
 )
@@ -22,6 +23,20 @@ func TestTsig(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
+
+ // TSIG accounts for ID substitution. This means if the message ID is
+ // changed by a forwarder, we should still be able to verify the TSIG.
+ m = newTsig(HmacMD5)
+ buf, _, err = TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ binary.BigEndian.PutUint16(buf[0:2], uint16(42))
+ err = TsigVerify(buf, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
+ if err != nil {
+ t.Fatal(err)
+ }
 }
 
 func TestTsigCase(t *testing.T) {
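Review bot: The added PutUint16 writes rr.OrigId into msgbuf in place, so whatever buffer the caller handed to tsigBuffer comes back with its header ID rewritten; on the verify path that buffer is presumably a slice of the caller's original message, which then no longer carries the ID it actually arrived with. If that side effect is intentional it should be stated on tsigBuffer's doc comment (the signature is above the hunk), and the comment here should say why the write happens, e.g. `// Replace message ID in header with original ID from TSIG: a forwarder may rewrite the ID, but the MAC covers the original one. Note this modifies msgbuf in place.` Otherwise save the two bytes before the write and restore them once the MAC input has been built, so verification never alters the message it was asked to check. The slice expression also assumes len(msgbuf) >= 2, which holds for a packed DNS message but is not checked anywhere visible in this hunk.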
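Review bot: The new assertions only check that TsigVerify accepts the buffer after its ID is rewritten to 42; they do not pin what TsigVerify leaves in buf[0:2], so the in-place ID replacement done inside tsigBuffer is neither confirmed nor guarded against by this test. A follow-up assertion such as `if got := binary.BigEndian.Uint16(buf[0:2]); got != 42 { t.Fatalf("buffer ID changed to %d", got) }` would make the intended contract explicit (adjust the expected value if rewriting the caller's buffer is deliberate). The base64 secret is repeated in both calls and the `uint16(42)` conversion is redundant for an untyped constant; a local `const secret = "pRZgBrBvI4NAHZYhxmhs/Q=="` near the top of TestTsig and a plain `42` would read cleaner. TestTsig itself starts before this hunk, and m, buf and err are reassigned from its earlier part.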