More server side TSIG stuff - does not validate (yet)

2012-03-04 22:32:23 +01:00 · 2012-03-04 22:32:23 +01:00 · 4f61f8621b
parent c53cddf38c
commit 4f61f8621b
5 changed files with 26 additions and 14 deletions
--- a/defaults.go
+++ b/defaults.go
@ -84,12 +84,13 @@ func (dns *Msg) SetAxfr(z string) {
 // This is only a skeleton Tsig RR that is added as the last RR in the 
 // additional section. The Tsig is calculated when the message is being
 // send.
-func (dns *Msg) SetTsig(z, algo string, fudge uint16, timesigned int64) {
+func (dns *Msg) SetTsig(z, algo string, fudge, origid uint16, timesigned int64) {
 	t := new(RR_TSIG)
 	t.Hdr = RR_Header{z, TypeTSIG, ClassANY, 0, 0}
 	t.Algorithm = algo
 	t.Fudge = 300
 	t.TimeSigned = uint64(timesigned)
+	t.OrigId = origid
 	dns.Extra = append(dns.Extra, t)
 }

--- a/ex/axfr/axfr.go
+++ b/ex/axfr/axfr.go
@ -18,6 +18,7 @@ func main() {
 	client := dns.NewClient()
 	client.Net = "tcp"
 	m := new(dns.Msg)
+	m.MsgHdr.Id = dns.Id()
 	if *serial > 0 {
 		m.SetIxfr(zone, uint32(*serial))
 	} else {
@ -27,7 +28,7 @@ func main() {
 		a := strings.SplitN(*tsig, ":", 2)
 		name, secret := a[0], a[1]
 		client.TsigSecret = map[string]string{name: secret}
-		m.SetTsig(name, dns.HmacMD5, 300, time.Now().Unix())
+		m.SetTsig(name, dns.HmacMD5, 300, m.MsgHdr.Id, time.Now().Unix())
 	}

 	if err := client.XfrReceive(m, *nameserver); err == nil {
--- a/ex/q/q.go
+++ b/ex/q/q.go
@ -13,7 +13,6 @@ import (
 var dnskey *dns.RR_DNSKEY

 func q(w dns.RequestWriter, m *dns.Msg) {
-	// Access this here, w.TsigStatus (for message m?)
 	if err := w.Send(m); err != nil {
 		fmt.Printf("%s\n", err.Error())
 		w.Write(nil)
@ -25,6 +24,9 @@ func q(w dns.RequestWriter, m *dns.Msg) {
 		w.Write(nil)
 		return
 	}
+	if w.TsigStatus() != nil {
+		fmt.Printf(";; Couldn't verify TSIG signature: %s\n", w.TsigStatus().Error())
+	}
 	w.Write(r)
 }

@ -166,10 +168,10 @@ Flags:
 		// Add tsig
 		if *tsig != "" {
 			if algo, name, secret, ok := tsigKeyParse(*tsig); ok {
-				m.SetTsig(name, algo, 300, time.Now().Unix())
+				m.SetTsig(name, algo, 300, m.MsgHdr.Id, time.Now().Unix())
 				c.TsigSecret = map[string]string{name: secret}
 			} else {
-				fmt.Fprintf(os.Stderr, "TSIG key error\n")
+				fmt.Fprintf(os.Stderr, "tsig key data error\n")
 				return
 			}
 		}
--- a/ex/reflect/reflect.go
+++ b/ex/reflect/reflect.go
@ -90,15 +90,13 @@ func handleReflect(w dns.ResponseWriter, r *dns.Msg) {
 		println("Checking TSIG")
 		if w.TsigStatus() == nil {
 			println("TSIG OK")
-			m.SetTsig(r.Extra[len(r.Extra)-1].(*dns.RR_TSIG).Hdr.Name, dns.HmacMD5, 300, time.Now().Unix())
+			m.SetTsig(r.Extra[len(r.Extra)-1].(*dns.RR_TSIG).Hdr.Name, dns.HmacMD5, 300, r.MsgHdr.Id, time.Now().Unix())
 		}
 	}
-
-
 	if *printf {
 		fmt.Printf("%v\n", m.String())
 	}
-	w.Write(m)	// Discard the error?
+	w.Write(m)
 }

 func serve(net, name, secret string) {
--- a/server.go
+++ b/server.go
@ -337,11 +337,21 @@ func (c *conn) serve() {
 	}
 }

-func (w *response) Write(m *Msg) error {
-	//data []byte) (n int, err error) {
-	data, ok := m.Pack()
-	if !ok {
-		return ErrPack
+func (w *response) Write(m *Msg) (err error) {
+	var (
+		data []byte
+		ok bool
+	)
+	if m.IsTsig() {
+		data, w.tsigRequestMAC, err = TsigGenerate(m, w.conn.tsigSecret[m.Extra[len(m.Extra)-1].(*RR_TSIG).Hdr.Name], w.tsigRequestMAC, w.tsigTimersOnly)
+		if err != nil {
+			return err
+		}
+	} else {
+		data, ok = m.Pack()
+		if !ok {
+			return ErrPack
+		}
 	}
 	switch {
 	case w.conn._UDP != nil: