From 4f61f8621b8546f520bc7f9cc30d325bb53c5116 Mon Sep 17 00:00:00 2001
From: Miek Gieben
Date: Sun, 4 Mar 2012 22:32:23 +0100
Subject: [PATCH] More server side TSIG stuff - does not validate (yet)

---
 defaults.go           |  3 ++-
 ex/axfr/axfr.go       |  3 ++-
 ex/q/q.go             |  8 +++++---
 ex/reflect/reflect.go |  6 ++----
 server.go             | 20 +++++++++++++++-----
 5 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/defaults.go b/defaults.go
index 74a2e6c4..bed1f8d3 100644
--- a/defaults.go
+++ b/defaults.go
@@ -84,12 +84,13 @@ func (dns *Msg) SetAxfr(z string) {
 // This is only a skeleton Tsig RR that is added as the last RR in the
 // additional section. The Tsig is calculated when the message is being
 // send.
-func (dns *Msg) SetTsig(z, algo string, fudge uint16, timesigned int64) {
+func (dns *Msg) SetTsig(z, algo string, fudge, origid uint16, timesigned int64) {
 	t := new(RR_TSIG)
 	t.Hdr = RR_Header{z, TypeTSIG, ClassANY, 0, 0}
 	t.Algorithm = algo
 	t.Fudge = 300
 	t.TimeSigned = uint64(timesigned)
+	t.OrigId = origid
 	dns.Extra = append(dns.Extra, t)
 }
 
diff --git a/ex/axfr/axfr.go b/ex/axfr/axfr.go
index 1d57db36..603d43ca 100644
--- a/ex/axfr/axfr.go
+++ b/ex/axfr/axfr.go
@@ -18,6 +18,7 @@ func main() {
 	client := dns.NewClient()
 	client.Net = "tcp"
 	m := new(dns.Msg)
+	m.MsgHdr.Id = dns.Id()
 	if *serial > 0 {
 		m.SetIxfr(zone, uint32(*serial))
 	} else {
@@ -27,7 +28,7 @@ func main() {
 		a := strings.SplitN(*tsig, ":", 2)
 		name, secret := a[0], a[1]
 		client.TsigSecret = map[string]string{name: secret}
-		m.SetTsig(name, dns.HmacMD5, 300, time.Now().Unix())
+		m.SetTsig(name, dns.HmacMD5, 300, m.MsgHdr.Id, time.Now().Unix())
 	}
 
 	if err := client.XfrReceive(m, *nameserver); err == nil {
diff --git a/ex/q/q.go b/ex/q/q.go
index 60bdcf12..20f87732 100644
--- a/ex/q/q.go
+++ b/ex/q/q.go
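Review bot: The `fudge` parameter of SetTsig is still never used — `t.Fudge = 300` stays hard-coded in the defaults.go hunk even though the new signature now threads `origid` through to `t.OrigId`. Every caller in this patch passes 300, so nothing breaks today, but the first caller that asks for a tighter or wider window will silently get a 300-second fudge in the signed RR; change the line to `t.Fudge = fudge`. While touching the doc comment, "being send" should read "being sent", and a line such as `// origid is the ID of the message this TSIG covers; it is stored in the RR's OrigId.` would document the added parameter.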
@@ -13,7 +13,6 @@ import (
 var dnskey *dns.RR_DNSKEY
 
 func q(w dns.RequestWriter, m *dns.Msg) {
-	// Access this here, w.TsigStatus (for message m?)
 	if err := w.Send(m); err != nil {
 		fmt.Printf("%s\n", err.Error())
 		w.Write(nil)
@@ -25,6 +24,9 @@ func q(w dns.RequestWriter, m *dns.Msg) {
 		w.Write(nil)
 		return
 	}
+	if w.TsigStatus() != nil {
+		fmt.Printf(";; Couldn't verify TSIG signature: %s\n", w.TsigStatus().Error())
+	}
 	w.Write(r)
 }
 
@@ -166,10 +168,10 @@ Flags:
 	// Add tsig
 	if *tsig != "" {
 		if algo, name, secret, ok := tsigKeyParse(*tsig); ok {
-			m.SetTsig(name, algo, 300, time.Now().Unix())
+			m.SetTsig(name, algo, 300, m.MsgHdr.Id, time.Now().Unix())
 			c.TsigSecret = map[string]string{name: secret}
 		} else {
-			fmt.Fprintf(os.Stderr, "TSIG key error\n")
+			fmt.Fprintf(os.Stderr, "tsig key data error\n")
 			return
 		}
 	}
diff --git a/ex/reflect/reflect.go b/ex/reflect/reflect.go
index e46c8fb2..fcba6290 100644
--- a/ex/reflect/reflect.go
+++ b/ex/reflect/reflect.go
@@ -90,15 +90,13 @@ func handleReflect(w dns.ResponseWriter, r *dns.Msg) {
 		println("Checking TSIG")
 		if w.TsigStatus() == nil {
 			println("TSIG OK")
-			m.SetTsig(r.Extra[len(r.Extra)-1].(*dns.RR_TSIG).Hdr.Name, dns.HmacMD5, 300, time.Now().Unix())
+			m.SetTsig(r.Extra[len(r.Extra)-1].(*dns.RR_TSIG).Hdr.Name, dns.HmacMD5, 300, r.MsgHdr.Id, time.Now().Unix())
 		}
 	}
-
-
 	if *printf {
 		fmt.Printf("%v\n", m.String())
 	}
-	w.Write(m) // Discard the error?
+	w.Write(m)
 }
 
 func serve(net, name, secret string) {
diff --git a/server.go b/server.go
index b065b464..d7f8f894 100644
--- a/server.go
+++ b/server.go
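Review bot: In the second q.go hunk `w.TsigStatus()` is called twice, once for the nil test and once to format the message; capturing it once reads better and avoids re-evaluating whatever state the accessor consults: `if err := w.TsigStatus(); err != nil {` followed by `fmt.Printf(";; Couldn't verify TSIG signature: %s\n", err.Error())`. The reply is still written via `w.Write(r)` after a failed verification, which is fine for a diagnostic tool, but a one-line comment such as `// Print the answer anyway; the TSIG failure is reported above.` would make that deliberate. The enclosing function q starts in the previous hunk and its body continues outside this one.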
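Review bot: The new `w.Write(m)` at the end of handleReflect in the reflect.go hunk drops the error, and the old "Discard the error?" comment was removed rather than resolved; with this same patch teaching response.Write to fail inside TsigGenerate (server.go), a response that could not be signed now vanishes without a trace. Suggest `if err := w.Write(m); err != nil { println("write failed:", err.Error()) }`, matching the println style the handler already uses. The `r.Extra[len(r.Extra)-1].(*dns.RR_TSIG)` assertion on the SetTsig line is only safe if a nil TsigStatus implies a TSIG record was present on the request; I cannot see that guarantee from here, so a short comment stating it (or an `IsTsig()` check) would help. handleReflect begins before this hunk.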
@@ -337,11 +337,21 @@ func (c *conn) serve() {
 	}
 }
 
-func (w *response) Write(m *Msg) error {
-	//data []byte) (n int, err error) {
-	data, ok := m.Pack()
-	if !ok {
-		return ErrPack
+func (w *response) Write(m *Msg) (err error) {
+	var (
+		data []byte
+		ok   bool
+	)
+	if m.IsTsig() {
+		data, w.tsigRequestMAC, err = TsigGenerate(m, w.conn.tsigSecret[m.Extra[len(m.Extra)-1].(*RR_TSIG).Hdr.Name], w.tsigRequestMAC, w.tsigTimersOnly)
+		if err != nil {
+			return err
+		}
+	} else {
+		data, ok = m.Pack()
+		if !ok {
+			return ErrPack
+		}
 	}
 	switch {
 	case w.conn._UDP != nil:
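Review bot: The TSIG branch of response.Write indexes `w.conn.tsigSecret` with the key name taken from the outgoing message and never checks that the key exists, so an unknown name yields the zero value "" and is handed to TsigGenerate as the secret. Handlers that copy the key name from the request (as ex/reflect does in this patch) make that name peer-controlled, so whether this signs with an empty secret or fails depends on TsigGenerate's handling of "", which I cannot see from here; either way the lookup should be explicit and an unknown key should be a returned error. The single long call line also hides the map lookup and the type assertion; splitting it out makes the check natural. The function's body continues outside the hunk (the transport switch), and `err` being a named result means the early returns there keep working.
```go
func (w *response) Write(m *Msg) (err error) {
	var (
		data []byte
		ok   bool
	)
	if m.IsTsig() {
		// IsTsig() is taken to guarantee the last Extra RR is the TSIG.
		name := m.Extra[len(m.Extra)-1].(*RR_TSIG).Hdr.Name
		secret, known := w.conn.tsigSecret[name]
		if !known {
			return errUnknownTsigKey // PLACEHOLDER: use the package's sentinel for an unknown TSIG key
		}
		data, w.tsigRequestMAC, err = TsigGenerate(m, secret, w.tsigRequestMAC, w.tsigTimersOnly)
		if err != nil {
			return err
		}
	} else {
		// … unchanged: plain Pack path returning ErrPack …
	}
	// … unchanged: transport switch …
```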