more tsig work - still does not validate but getting close
parent
36b77b3b8b
commit
82bb573f56
@ -38,6 +38,7 @@ Miek Gieben - 2010, 2011 - miek@miek.nl
|
||||||
* 403{3,4,5} - DNSSEC + validation functions
|
* 403{3,4,5} - DNSSEC + validation functions
|
||||||
* 4255 - SSHFP
|
* 4255 - SSHFP
|
||||||
* 4408 - SPF
|
* 4408 - SPF
|
||||||
|
* 4635 - HMAC SHA TSIG
|
||||||
* 5001 - NSID
|
* 5001 - NSID
|
||||||
* 5155 - NSEC
|
* 5155 - NSEC
|
||||||
* 5936 - AXFR
|
* 5936 - AXFR
|
||||||
|
|
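--- a/msg.go
+++ b/msg.go
@@ -677,7 +677,7 @@ func unpackStructValue(val *reflect.StructValue, msg []byte, off int) (off1 int,
 s = unpackBase32(msg[off : off+size])
 off += size
 case "size-hex":
-// a "size" string, but a it must be encoded in hex in the string
+// a "size" string, but it must be encoded in hex in the string
 var size int
 switch val.Type().Name() {
 case "RR_NSEC3":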
11
resolver.go
11
resolver.go
|
@ -275,11 +275,16 @@ Server:
|
||||||
|
|
||||||
if tsig && len(in.Extra) > 0 { // What if not included?
|
if tsig && len(in.Extra) > 0 { // What if not included?
|
||||||
t := in.Extra[len(in.Extra)-1]
|
t := in.Extra[len(in.Extra)-1]
|
||||||
println(t.String())
|
switch t.(type) {
|
||||||
|
case *RR_TSIG:
|
||||||
|
if t.(*RR_TSIG).Verify(in, secret) {
|
||||||
|
println("Validates")
|
||||||
|
} else {
|
||||||
|
println("DOES NOT validates")
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
println(in.String())
|
|
||||||
|
|
||||||
if first {
|
if first {
|
||||||
if !checkAxfrSOA(in, true) {
|
if !checkAxfrSOA(in, true) {
|
||||||
c.Close()
|
c.Close()
|
||||||
|
|
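Review bot: A response whose last additional record is not a TSIG RR, or whose TSIG fails `Verify`, is only reported with `println` and then handled exactly like a correctly signed one — the new `switch t.(type)` has no `default:` case and the `else` branch only prints, so with `tsig` set an unsigned or mis-signed AXFR message still flows on into the `if first { ... checkAxfrSOA` logic below. RFC 2845 treats a missing or invalid signature on a message that must be signed as an error for that message, so both failure paths (no `*RR_TSIG`, and `Verify` returning false) should close the connection and stop, the same way the `checkAxfrSOA` failure just below does with `c.Close()`; the `// What if not included?` comment is the open question and this is its answer. The debug `println` calls on the TSIG and on the message should also go before this lands, or be routed to a logger the caller controls. The enclosing function (label `Server:`) starts and ends outside the hunk, so the exact return shape of the error path is not visible here.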
38
tsig.go
38
tsig.go
|
@ -12,9 +12,9 @@ import (
|
||||||
|
|
||||||
// HMAC hashing codes. These are transmitted as domain names.
|
// HMAC hashing codes. These are transmitted as domain names.
|
||||||
const (
|
const (
|
||||||
HmacMD5 = "hmac-md5.sig-alg.reg.int"
|
HmacMD5 = "hmac-md5.sig-alg.reg.int."
|
||||||
HmacSHA1 = "hmac-sha1"
|
HmacSHA1 = "hmac-sha1."
|
||||||
HmacSHA256 = "hmac-sha256"
|
HmacSHA256 = "hmac-sha256."
|
||||||
)
|
)
|
||||||
|
|
||||||
type RR_TSIG struct {
|
type RR_TSIG struct {
|
||||||
|
@ -72,6 +72,11 @@ type tsigWireFmt struct {
|
||||||
OtherData string "size-hex"
|
OtherData string "size-hex"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If we have the MAC use this type to convert it to wiredata
|
||||||
|
type macWireFmt struct {
|
||||||
|
MAC string "size-hex"
|
||||||
|
}
|
||||||
|
|
||||||
// Generate the HMAC for message. The TSIG RR is modified
|
// Generate the HMAC for message. The TSIG RR is modified
|
||||||
// to include the MAC and MACSize. Note the the msg Id must
|
// to include the MAC and MACSize. Note the the msg Id must
|
||||||
// already be set, otherwise the MAC will not be correct when
|
// already be set, otherwise the MAC will not be correct when
|
||||||
|
@ -109,7 +114,7 @@ func (t *RR_TSIG) Verify(m *Msg, secret string) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
msg2 := m // TODO deep copy TODO(mg)
|
msg2 := m // Deep copy TODO(mg)
|
||||||
if len(msg2.Extra) < 1 {
|
if len(msg2.Extra) < 1 {
|
||||||
// nothing in additional
|
// nothing in additional
|
||||||
return false
|
return false
|
||||||
|
@ -123,14 +128,19 @@ func (t *RR_TSIG) Verify(m *Msg, secret string) bool {
|
||||||
if !ok {
|
if !ok {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
h := hmac.NewMD5([]byte(rawsecret))
|
h := hmac.NewMD5([]byte(rawsecret))
|
||||||
io.WriteString(h, string(buf))
|
io.WriteString(h, string(buf))
|
||||||
return strings.ToUpper(hex.EncodeToString(h.Sum())) == t.MAC
|
println(strings.ToUpper(t.MAC))
|
||||||
|
println(strings.ToUpper(hex.EncodeToString(h.Sum())))
|
||||||
|
return strings.ToUpper(hex.EncodeToString(h.Sum())) == strings.ToUpper(t.MAC)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// INclude the MAC when verifying
|
||||||
func tsigToBuf(rr *RR_TSIG, msg *Msg) ([]byte, bool) {
|
func tsigToBuf(rr *RR_TSIG, msg *Msg) ([]byte, bool) {
|
||||||
// Fill the struct and generate the wiredata
|
// Fill the struct and generate the wiredata
|
||||||
buf := make([]byte, DefaultMsgSize) // TODO(mg) bufsize!
|
var mb []byte
|
||||||
|
buf := make([]byte, DefaultMsgSize)
|
||||||
tsig := new(tsigWireFmt)
|
tsig := new(tsigWireFmt)
|
||||||
tsig.Name = rr.Header().Name
|
tsig.Name = rr.Header().Name
|
||||||
tsig.Class = rr.Header().Class
|
tsig.Class = rr.Header().Class
|
||||||
|
@ -150,7 +160,21 @@ func tsigToBuf(rr *RR_TSIG, msg *Msg) ([]byte, bool) {
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, false
|
return nil, false
|
||||||
}
|
}
|
||||||
// First the pkg, then the tsig wire fmt
|
if rr.MAC != "" {
|
||||||
|
m := new(macWireFmt)
|
||||||
|
m.MAC = rr.MAC
|
||||||
|
mb = make([]byte, len(rr.MAC)) // t.MAC should be twice as long
|
||||||
|
n, ok := packStruct(m, mb, 0)
|
||||||
|
if !ok {
|
||||||
|
return nil, false
|
||||||
|
}
|
||||||
|
mb = mb[:n]
|
||||||
|
}
|
||||||
|
// If there is a MAC included in the TSIG it should be added first
|
||||||
|
// otherwise just the pkg and then the TSIG wire fmt
|
||||||
buf = append(msgbuf, buf...)
|
buf = append(msgbuf, buf...)
|
||||||
|
if mb != nil {
|
||||||
|
buf = append(mb, buf...)
|
||||||
|
}
|
||||||
return buf, true
|
return buf, true
|
||||||
}
|
}
|
||||||
|
|
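Review bot: The MAC check at the end of the `Verify` hunk, `return strings.ToUpper(hex.EncodeToString(h.Sum())) == strings.ToUpper(t.MAC)`, compares the expected and received MACs with an ordinary string `==`, which stops at the first differing byte; decode the received value and compare in constant time instead, e.g. `mac, err := hex.DecodeString(t.MAC)` / `if err != nil { return false }` / `return subtle.ConstantTimeCompare(h.Sum(), mac) == 1` (needs `crypto/subtle`; `hex.DecodeString` accepts either case, so both `ToUpper` calls become unnecessary). The two `println` calls added just above that line write the received and the computed MAC of every message to stderr and should not remain in library code once the validation problem is found. The reworded `msg2 := m // Deep copy TODO(mg)` now reads like a statement of fact while `msg2` still aliases the caller's `*Msg`, so any change Verify later makes to `msg2.Extra` is visible to the caller; the comment should say explicitly that no copy is made yet. In the `tsigToBuf` hunk the bytes prepended to the HMAC input are built from `rr.MAC`, the MAC of the TSIG RR passed in; if Verify hands it the received TSIG, the MAC under verification becomes part of its own input, whereas RFC 2845 prepends the MAC of the preceding request (the call site is outside the hunk, so this is inferred rather than seen), which would be one reason the commit message still reports that nothing validates.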