From 82bb573f561c83502fc23e1a1b5ae73fe1ea0cc6 Mon Sep 17 00:00:00 2001
From: Miek Gieben
Date: Mon, 14 Mar 2011 12:28:04 +0100
Subject: [PATCH] more tsig work - still does not validate but getting close
---
 README.markdown | 1 +
 msg.go | 2 +-
 resolver.go | 11 ++++++++---
 tsig.go | 38 +++++++++++++++++++++++++++++++-------
 4 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/README.markdown b/README.markdown
index 842b3ed5..c59c9f09 100644
--- a/README.markdown
+++ b/README.markdown
@@ -38,6 +38,7 @@ Miek Gieben - 2010, 2011 - miek@miek.nl
 * 403{3,4,5} - DNSSEC + validation functions
 * 4255 - SSHFP
 * 4408 - SPF
+* 4635 - HMAC SHA TSIG
 * 5001 - NSID
 * 5155 - NSEC
 * 5936 - AXFR
diff --git a/msg.go b/msg.go
index 936fe56b..73092d0f 100644
--- a/msg.go
+++ b/msg.go
@@ -677,7 +677,7 @@ func unpackStructValue(val *reflect.StructValue, msg []byte, off int) (off1 int,
 s = unpackBase32(msg[off : off+size])
 off += size
 case "size-hex":
- // a "size" string, but a it must be encoded in hex in the string
+ // a "size" string, but it must be encoded in hex in the string
 var size int
 switch val.Type().Name() {
 case "RR_NSEC3":
diff --git a/resolver.go b/resolver.go
index ffc92fdc..52ee71e2 100644
--- a/resolver.go
+++ b/resolver.go
@@ -275,11 +275,16 @@ Server:
 if tsig && len(in.Extra) > 0 { // What if not included?
 t := in.Extra[len(in.Extra)-1]
- println(t.String())
+ switch t.(type) {
+ case *RR_TSIG:
+ if t.(*RR_TSIG).Verify(in, secret) {
+ println("Validates")
+ } else {
+ println("DOES NOT validates")
+ }
+ }
 }
- println(in.String())
-
 if first {
 if !checkAxfrSOA(in, true) {
 c.Close()
diff --git a/tsig.go b/tsig.go
index 331b50e7..624ea552 100644
--- a/tsig.go
+++ b/tsig.go
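Review bot: A TSIG that fails Verify only prints `DOES NOT validates` and the transfer carries on, and a message that arrives without any TSIG skips the check entirely because of the `len(in.Extra) > 0` guard (the `// What if not included?` comment already asks this); when `tsig` is set, both cases should end the transfer the way the `checkAxfrSOA` failure below does (close `c` and leave the loop) instead of being logged. The type switch also repeats the assertion; `switch t := t.(type) { case *RR_TSIG: ok := t.Verify(in, secret) ... }` binds the narrowed value once. The enclosing loop and function start and end outside the hunk, so how the failure would be reported to the caller is not visible here.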
@@ -12,9 +12,9 @@ import (
 // HMAC hashing codes. These are transmitted as domain names.
 const (
- HmacMD5 = "hmac-md5.sig-alg.reg.int"
- HmacSHA1 = "hmac-sha1"
- HmacSHA256 = "hmac-sha256"
+ HmacMD5 = "hmac-md5.sig-alg.reg.int."
+ HmacSHA1 = "hmac-sha1."
+ HmacSHA256 = "hmac-sha256."
 )
 type RR_TSIG struct {
@@ -72,6 +72,11 @@ type tsigWireFmt struct {
 OtherData string "size-hex"
 }
+// If we have the MAC use this type to convert it to wiredata
+type macWireFmt struct {
+ MAC string "size-hex"
+}
+
 // Generate the HMAC for message. The TSIG RR is modified
 // to include the MAC and MACSize. Note the the msg Id must
 // already be set, otherwise the MAC will not be correct when
@@ -109,7 +114,7 @@ func (t *RR_TSIG) Verify(m *Msg, secret string) bool {
 return false
 }
- msg2 := m // TODO deep copy TODO(mg)
+ msg2 := m // Deep copy TODO(mg)
 if len(msg2.Extra) < 1 {
 // nothing in additional
 return false
@@ -123,14 +128,19 @@ func (t *RR_TSIG) Verify(m *Msg, secret string) bool {
 if !ok {
 return false
 }
+
 h := hmac.NewMD5([]byte(rawsecret))
 io.WriteString(h, string(buf))
- return strings.ToUpper(hex.EncodeToString(h.Sum())) == t.MAC
+ println(strings.ToUpper(t.MAC))
+ println(strings.ToUpper(hex.EncodeToString(h.Sum())))
+ return strings.ToUpper(hex.EncodeToString(h.Sum())) == strings.ToUpper(t.MAC)
 }
+// INclude the MAC when verifying
 func tsigToBuf(rr *RR_TSIG, msg *Msg) ([]byte, bool) {
 // Fill the struct and generate the wiredata
- buf := make([]byte, DefaultMsgSize) // TODO(mg) bufsize!
+ var mb []byte
+ buf := make([]byte, DefaultMsgSize)
 tsig := new(tsigWireFmt)
 tsig.Name = rr.Header().Name
 tsig.Class = rr.Header().Class
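Review bot: `msg2 := m` copies a pointer, not the message (`m *Msg` in the signature), so the `// Deep copy TODO(mg)` is still open and any trimming of `msg2.Extra` further down in Verify (outside this hunk) would also alter the caller's message — the `in` that resolver.go keeps using after the check. If the rest of Verify only touches `Extra`, a shallow copy `msg2 := *m` plus a freshly allocated slice holding the elements of `m.Extra` is enough; whether other fields are modified cannot be confirmed from here. Verify starts and ends outside the hunk.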
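Review bot: Verify always builds `hmac.NewMD5` although `HmacSHA1`/`HmacSHA256` were just added and the README now claims RFC 4635, so a SHA-signed message can never verify; the hash should be selected from the algorithm name carried in the TSIG RR (that field is declared outside this hunk — `Algorithm` below is an assumption). The two `println` lines write the expected and received MAC to stderr on every verification and should not outlive the debugging session, and `h.Sum()` is computed twice. Comparing the MAC as upper-cased hex with `==` is not constant-time; decode `t.MAC` with `hex.DecodeString`, reject a length mismatch (which also fails closed on truncated MACs, which this code does not support), and compare with `subtle.ConstantTimeCompare` — `crypto/subtle` and `hash` would need importing at the top of tsig.go, outside this hunk, and `hmac.NewSHA1`/`hmac.NewSHA256` are assumed present in this crypto/hmac. The `// INclude` comment on tsigToBuf has a stray capital. Sketch of the tail of Verify:
```go
	// … unchanged: rawsecret decoding and the `!ok` guard …
	var h hash.Hash
	switch strings.ToLower(t.Algorithm) { // Algorithm: field name assumed from RR_TSIG, declared above this hunk
	case HmacMD5:
		h = hmac.NewMD5([]byte(rawsecret))
	case HmacSHA1:
		h = hmac.NewSHA1([]byte(rawsecret))
	case HmacSHA256:
		h = hmac.NewSHA256([]byte(rawsecret))
	default:
		return false // unknown algorithm: fail closed
	}
	io.WriteString(h, string(buf))
	sum := h.Sum()
	mac, err := hex.DecodeString(t.MAC)
	if err != nil || len(mac) != len(sum) {
		return false // malformed or truncated MAC
	}
	return subtle.ConstantTimeCompare(sum, mac) == 1
}
```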
@@ -150,7 +160,21 @@ func tsigToBuf(rr *RR_TSIG, msg *Msg) ([]byte, bool) {
 if !ok {
 return nil, false
 }
- // First the pkg, then the tsig wire fmt
+ if rr.MAC != "" {
+ m := new(macWireFmt)
+ m.MAC = rr.MAC
+ mb = make([]byte, len(rr.MAC)) // t.MAC should be twice as long
+ n, ok := packStruct(m, mb, 0)
+ if !ok {
+ return nil, false
+ }
+ mb = mb[:n]
+ }
+ // If there is a MAC included in the TSIG it should be added first
+ // otherwise just the pkg and then the TSIG wire fmt
 buf = append(msgbuf, buf...)
+ if mb != nil {
+ buf = append(mb, buf...)
+ }
 return buf, true
 }
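Review bot: The bytes prepended to the digest input come from `m.MAC = rr.MAC`, i.e. the MAC of the very TSIG record being signed or verified, so on the verify path the signature is hashed into its own input and can never match — most likely why the commit message still says it does not validate. RFC 2845 prepends the MAC of the *request* (the message this one answers), which is a value the caller has to hand in — an extra `requestMAC string` parameter on tsigToBuf, empty for a first request — rather than something read off `rr`; the RFC also prefixes that MAC with its 16-bit length, and whether `packStruct` emits a length for a lone `"size-hex"` field is not visible here, so `macWireFmt` may need a `MACSize uint16` ahead of `MAC`. `mb = make([]byte, len(rr.MAC))` sizes the scratch buffer by the hex string, which is twice the decoded length, so the comment would be clearer as `// rr.MAC is hex, so the packed MAC needs at most half of this`. The inner `n, ok := packStruct(m, mb, 0)` also shadows the outer `ok`, harmless today but easy to trip over when the block grows.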