Fix TSIG bug releated to ID substitution (#504)
* Fix TSIG bug related to ID substitution TSIG accounts for ID substitution. This means if the ID in the DNS message is changed by, for example, a forwarder, TSIG calculation should use the original message ID (from the TSIG RR). I have a test for this as well, but it seems tsig_test.go has been removed, so not sure where to put it now. * Add tests for TSIG bugfix
parent
bbca4873b3
commit
0598bd43cf
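--- a/tsig.go
+++ b/tsig.go
@@ -208,6 +208,9 @@ func tsigBuffer(msgbuf []byte, rr *TSIG, requestMAC string, timersOnly bool) []b
 rr.Fudge = 300 // Standard (RFC) default.
 }
 
+// Replace message ID in header with original ID from TSIG
+binary.BigEndian.PutUint16(msgbuf[0:2], rr.OrigId)
+
 if requestMAC != "" {
 m := new(macWireFmt)
 m.MACSize = uint16(len(requestMAC) / 2)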
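Review bot: The added `binary.BigEndian.PutUint16(msgbuf[0:2], rr.OrigId)` writes into the slice the caller handed in, so after a MAC computation the caller's buffer carries the TSIG original ID instead of the ID that arrived on the wire, and the comment does not mention that side effect. If a caller passes a view of the received packet (the callers are not visible here), later code that matches the response ID against the query would see the substituted value. Taking a private copy first, `msgbuf = append([]byte(nil), msgbuf...)`, keeps the substitution local to the MAC input; failing that, the comment should say the header is overwritten in place. The reslice also assumes msgbuf has room for the 2-byte ID, and whether an earlier length check guarantees that cannot be told from the hunk, since tsigBuffer's body starts and ends outside it.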
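--- a/tsig_test.go
+++ b/tsig_test.go
@@ -1,6 +1,7 @@
 package dns
 
 import (
+"encoding/binary"
 "testing"
 "time"
 )
@@ -22,6 +23,20 @@ func TestTsig(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
+
+// TSIG accounts for ID substitution. This means if the message ID is
+// changed by a forwarder, we should still be able to verify the TSIG.
+m = newTsig(HmacMD5)
+buf, _, err = TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
+if err != nil {
+t.Fatal(err)
+}
+
+binary.BigEndian.PutUint16(buf[0:2], uint16(42))
+err = TsigVerify(buf, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
+if err != nil {
+t.Fatal(err)
+}
 }
 
 func TestTsigCase(t *testing.T) {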
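Review bot: The new case in TestTsig only shows that a message with a rewritten ID still verifies; there is no negative counterpart showing that a change to any other signed byte is still rejected. Following the last `TsigVerify` call with something like `buf[2] ^= 0x01` and `if err = TsigVerify(buf, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false); err == nil { t.Fatal("tampered message verified") }` would pin that ID substitution does not loosen the MAC check. It would also help to assert what `buf[0:2]` holds after verification, since the ID handling is the behaviour under test and the fix appears to rewrite the header in place. TestTsig begins above the hunk, so the earlier declarations of `m`, `buf` and `err` are not visible here.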