From 48fa9985395d8d86e8ad71176e7f5297e414b976 Mon Sep 17 00:00:00 2001
From: Miek Gieben
Date: Thu, 26 Jan 2012 20:23:43 +0100
Subject: [PATCH] Implement the other algorithms in tsig
---
 examples/q/q.go | 19 ++++++++++++++++++-
 tsig.go | 39 ++++++++++++++++++++++++++++++++++-----
 2 files changed, 52 insertions(+), 6 deletions(-)
diff --git a/examples/q/q.go b/examples/q/q.go
index b606baf2..0976933c 100644
--- a/examples/q/q.go
+++ b/examples/q/q.go
@@ -25,7 +25,8 @@ func main() {
 query := flag.Bool("question", false, "show question")
 short := flag.Bool("short", false, "abbreviate long DNSSEC records")
 check := flag.Bool("check", false, "check internal DNSSEC consistency")
- anchor := flag.String("anchor", "", "use the DNSKEY in this file for checking consistency")
+ anchor := flag.String("anchor", "", "use the DNSKEY in this file for interla DNSSEC consistency")
+ tsig := flag.String("tsig", "", "tsig key, [hmac:]name:key")
 port := flag.Int("port", 53, "port number to use")
 aa := flag.Bool("aa", false, "set AA flag in query")
 ad := flag.Bool("ad", false, "set AD flag in query")
@@ -72,6 +73,14 @@ Flags:
 // And if it looks like type, it is a type
 if k, ok := dns.Str_rr[strings.ToUpper(flag.Arg(i))]; ok {
 qtype = k
+ switch qtype {
+ case dns.TypeAXFR:
+ fmt.Fprintf(os.Stderr, "AXFR not supported\n")
+ return
+ case dns.TypeIXFR:
+ fmt.Fprintf(os.Stderr, "AXFR not supported\n")
+ return
+ }
 continue Flags
 }
 // If it looks like a class, it is a class
@@ -84,6 +93,14 @@ Flags:
 i, e := strconv.Atoi(string([]byte(flag.Arg(i))[4:]))
 if e == nil {
 qtype = uint16(i)
+ switch qtype {
+ case dns.TypeAXFR:
+ fmt.Fprintf(os.Stderr, "AXFR not supported\n")
+ return
+ case dns.TypeIXFR:
+ fmt.Fprintf(os.Stderr, "AXFR not supported\n")
+ return
+ }
 continue Flags
 }
 }
diff --git a/tsig.go b/tsig.go
index 4cd9e520..165bbcea 100644
--- a/tsig.go
+++ b/tsig.go
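Review bot: The new `tsig` local in the first q.go hunk is declared with `:=` but nothing in this commit reads it (the diffstat's 18 additions to q.go are all visible here), so `main` will fail to compile with "declared and not used" until the flag's value is wired into the query. The rewritten `-anchor` description also picks up a typo; `anchor := flag.String("anchor", "", "use the DNSKEY in this file for internal DNSSEC consistency")` is presumably what was meant. main continues outside the hunk on both sides.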
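Review bot: The `dns.TypeIXFR` case in the switch added at `@@ -72,6 +73,14` prints `AXFR not supported`, so a user who asked for IXFR is told the wrong thing, and the identical eight-line switch is repeated in the next hunk (`@@ -84,6 +93,14`) with the same message. Since `fmt.Fprintf` is called with no verbs, `fmt.Fprintln(os.Stderr, "IXFR not supported")` says the same more directly. Folding both copies into one helper keeps the two call sites (`if rejectXfr(qtype) { return }`) in step the next time a type is excluded. main continues outside both hunks.
```go
// rejectXfr reports whether qtype is a zone-transfer type this tool does
// not implement, printing the reason to stderr when it is.
func rejectXfr(qtype uint16) bool {
	switch qtype {
	case dns.TypeAXFR:
		fmt.Fprintln(os.Stderr, "AXFR not supported")
	case dns.TypeIXFR:
		fmt.Fprintln(os.Stderr, "IXFR not supported")
	default:
		return false
	}
	return true
}

// … in main, at both sites, in place of the added switch …
			qtype = k
			if rejectXfr(qtype) {
				return
			}
			continue Flags
```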
@@ -5,7 +5,7 @@
 //
 // m := new(Msg)
 // m.SetAxfr("miek.nl.")
-// // Add a skeleton TSIG record.
+// // Add a stub TSIG record.
 // m.SetTsig("axfr.", HmacMD5, 300, uint64(time.Seconds()))
 // // Generate the contents of the complete TSIG record.
 // TsigGenerate(m, "so6ZGir4GPAqINNh9U5c3A==", "", false)
@@ -35,6 +35,8 @@ package dns
 import (
 "crypto/hmac"
 "crypto/md5"
+ "crypto/sha1"
+ "crypto/sha256"
 "encoding/hex"
 "io"
 "strings"
@@ -78,8 +80,11 @@ type timerWireFmt struct {
 Fudge uint16
 }
-// TsigGenerate adds an TSIG RR to a message. The TSIG MAC is saved
-// in the Tsig RR that is added. When TsigGenerate is called for the
+// TsigGenerate adds an TSIG RR to a message. The message should contain
+// a "stub" TsigRR with the algorithm, key name (owner name of the RR),
+// time fudge (defaults to 300 seconds) and the current time
+// The TSIG MAC is saved in that Tsig RR.
+// When TsigGenerate is called for the
 // first time requestMAC is set to the empty string.
 // If something goes wrong an error is returned, otherwise it is nil.
 func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) error {
@@ -100,7 +105,21 @@ func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) error {
 t := new(RR_TSIG)
- h := hmac.New(md5.New, []byte(rawsecret))
+ switch algo {
+
+ }
+
+ h := ""
+ switch hmac {
+ case rr.Algorithm:
+ h = hmac.New(md5.New, []byte(rawsecret))
+ case HmacSHA1:
+ h = hmac.New(sha1.New, []byte(rawsecret))
+ case HmacSHA256:
+ h = hmac.New(sha256.New, []byte(rawsecret))
+ default:
+ return ErrKeyAlg
+ }
 t.MAC = hex.EncodeToString(h.Sum(buf))
 t.MACSize = uint16(len(t.MAC) / 2) // Size is half!
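Review bot: The rewritten TsigGenerate comment at `@@ -78,8 +80,11` stops mid-sentence at `and the current time` and keeps the article slip in `adds an TSIG RR`. Since this commit is what makes the algorithm selectable, the comment is also the natural place to state which names are accepted and what happens otherwise; I would change the first and third lines to `// TsigGenerate adds a TSIG RR to a message. The message should contain` and `// time fudge (defaults to 300 seconds) and the current time.` and add `// The algorithm must be HmacMD5, HmacSHA1 or HmacSHA256; any other value yields ErrKeyAlg.` before the sentence about requestMAC.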
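Review bot: The new algorithm selection in TsigGenerate (`@@ -100,7 +105,21`) cannot compile as written: `h := ""` makes h a string while every case assigns a `hash.Hash`, `switch hmac {` switches on the imported package rather than a value, `case rr.Algorithm:` names an `rr` that does not appear in this hunk (the MD5 case presumably wants the `HmacMD5` constant the file's own example uses alongside `HmacSHA1`/`HmacSHA256`), and the empty `switch algo { }` above it is dead code. The TsigVerify hunk in the next chunk repeats the `h := ""` and `rr.Algorithm` mistakes. Both sites could share one helper that maps the algorithm name to a keyed hash and returns `ErrKeyAlg` otherwise; it needs `"hash"` added to the import block, and its parameter type must match whatever `Algorithm` is declared as (the sketch assumes a string, since the example passes `HmacMD5` where the name goes). Separately, the unchanged `t.MAC = hex.EncodeToString(h.Sum(buf))` that follows hands buf to Sum, which appends the digest to its argument rather than hashing it, whereas TsigVerify writes buf into h and calls `h.Sum(nil)`; unless buf is written into h somewhere above this hunk, the generate side should do the same. The rest of TsigGenerate lies outside the hunk.
```go
// tsigHash returns a keyed MAC for the TSIG algorithm named by algo, or
// ErrKeyAlg when the algorithm is not one this package implements.
// NOTE(review): parameter type assumed to match RR_TSIG.Algorithm — confirm.
func tsigHash(algo, rawsecret string) (hash.Hash, error) {
	switch algo {
	case HmacMD5:
		return hmac.New(md5.New, []byte(rawsecret)), nil
	case HmacSHA1:
		return hmac.New(sha1.New, []byte(rawsecret)), nil
	case HmacSHA256:
		return hmac.New(sha256.New, []byte(rawsecret)), nil
	}
	return nil, ErrKeyAlg
}

// … in TsigGenerate, in place of both new switch statements …
	t := new(RR_TSIG)
	// STUB_TSIG is a placeholder for the local that holds the stub TSIG RR.
	h, err := tsigHash(STUB_TSIG.Algorithm, rawsecret)
	if err != nil {
		return err
	}
	// … unchanged: t.MAC / t.MACSize …
```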
@@ -136,7 +155,17 @@ func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error {
 return ErrTime
 }
- h := hmac.New(md5.New, []byte(rawsecret))
+ h := ""
+ switch tsig.Algorithm {
+ case rr.Algorithm:
+ h = hmac.New(md5.New, []byte(rawsecret))
+ case HmacSHA1:
+ h = hmac.New(sha1.New, []byte(rawsecret))
+ case HmacSHA256:
+ h = hmac.New(sha256.New, []byte(rawsecret))
+ default:
+ return ErrKeyAlg
+ }
 io.WriteString(h, string(buf))
 if strings.ToUpper(hex.EncodeToString(h.Sum(nil))) != strings.ToUpper(tsig.MAC) {
 return ErrSig
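Review bot: With the new switch, the hash used to check the MAC is whatever `tsig.Algorithm` the peer put on the wire, keyed with the same `rawsecret` regardless of which case is taken; nothing in the hunk ties the key to the algorithm it was provisioned for, so a key meant for HMAC-SHA256 also verifies under HMAC-MD5 if the sender says so. TSIG does require honouring the RR's algorithm, but the caller should be able to pin the expected one — an algorithm recorded next to the secret (the key lookup is outside this hunk, so this is inferred) and a check such as `if tsig.Algorithm != expected { return ErrKeyAlg }` before the switch. The constants are also compared with `==` against a name parsed from the wire; if that name is not canonicalised on receipt, a differently-cased but otherwise valid algorithm name falls to the `default` branch, while the MAC hex on the next lines is case-folded with `strings.ToUpper`. TsigVerify continues outside the hunk on both sides.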