Fix TSIG bug releated to ID substitution (#504)
* Fix TSIG bug related to ID substitution TSIG accounts for ID substitution. This means if the ID in the DNS message is changed by, for example, a forwarder, TSIG calculation should use the original message ID (from the TSIG RR). I have a test for this as well, but it seems tsig_test.go has been removed, so not sure where to put it now. * Add tests for TSIG bugfix
This commit is contained in:
parent
bbca4873b3
commit
0598bd43cf
3
tsig.go
3
tsig.go
|
@ -208,6 +208,9 @@ func tsigBuffer(msgbuf []byte, rr *TSIG, requestMAC string, timersOnly bool) []b
|
|||
rr.Fudge = 300 // Standard (RFC) default.
|
||||
}
|
||||
|
||||
// Replace message ID in header with original ID from TSIG
|
||||
binary.BigEndian.PutUint16(msgbuf[0:2], rr.OrigId)
|
||||
|
||||
if requestMAC != "" {
|
||||
m := new(macWireFmt)
|
||||
m.MACSize = uint16(len(requestMAC) / 2)
|
||||
|
|
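Review bot: The added `binary.BigEndian.PutUint16(msgbuf[0:2], rr.OrigId)` writes into the caller's slice, so whatever buffer TsigGenerate or TsigVerify hands to tsigBuffer leaves the call with its header ID replaced by the ID carried in the TSIG RR; for a verifier that relays the packet afterwards this changes the transaction ID it forwards, and since the write happens before any MAC comparison it also occurs when verification later fails. If the side effect is intended, state it on the function: `// tsigBuffer overwrites the header ID in msgbuf with rr.OrigId (RFC 2845 ID substitution); callers must not expect msgbuf to be left unmodified.` Otherwise make the write local by copying first, `msgbuf = append([]byte(nil), msgbuf...)` immediately before the PutUint16, so the MAC is computed over the substituted copy and the caller's wire message is untouched. Whether any caller depends on the buffer being unmodified cannot be seen from here; tsigBuffer starts before this hunk and continues past it.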
15
tsig_test.go
15
tsig_test.go
|
@ -1,6 +1,7 @@
|
|||
package dns
|
||||
|
||||
import (
|
||||
"encoding/binary"
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
@ -22,6 +23,20 @@ func TestTsig(t *testing.T) {
|
|||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// TSIG accounts for ID substitution. This means if the message ID is
|
||||
// changed by a forwarder, we should still be able to verify the TSIG.
|
||||
m = newTsig(HmacMD5)
|
||||
buf, _, err = TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
binary.BigEndian.PutUint16(buf[0:2], uint16(42))
|
||||
err = TsigVerify(buf, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestTsigCase(t *testing.T) {
|
||||
|
|
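Review bot: The new case in TestTsig writes the constant 42 into the header, so whether the message ID actually changes depends on what newTsig (defined outside this hunk) assigns as the ID; if it ever yields 42 the test passes without exercising the substitution path at all. Derive the substitute from the packed value so it is guaranteed to differ: `orig := binary.BigEndian.Uint16(buf[0:2])` followed by `binary.BigEndian.PutUint16(buf[0:2], orig+1)`. A short comment above the verify call, such as `// Header ID no longer matches the signed message; TsigVerify must fall back to the OrigId in the TSIG RR.`, would make the intent of the case clear to the next reader. TestTsig begins before this hunk.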