diff --git a/dnssec.go b/dnssec.go index 3a60d46e..d1c2ae62 100644 --- a/dnssec.go +++ b/dnssec.go @@ -97,6 +97,10 @@ type dnskeyWireFmt struct { /* Nothing is left out */ } +func divRoundUp(a, b int) int { + return (a + b - 1) / b +} + // KeyTag calculates the keytag (or key-id) of the DNSKEY. func (k *DNSKEY) KeyTag() uint16 { if k == nil { @@ -108,7 +112,7 @@ func (k *DNSKEY) KeyTag() uint16 { // Look at the bottom two bytes of the modules, which the last // item in the pubkey. We could do this faster by looking directly // at the base64 values. But I'm lazy. - modulus, _ := packBase64([]byte(k.PublicKey)) + modulus, _ := fromBase64([]byte(k.PublicKey)) if len(modulus) > 1 { x, _ := unpackUint16(modulus, len(modulus)-2) keytag = int(x) @@ -255,6 +259,7 @@ func (rr *RRSIG) Sign(k PrivateKey, rrset []RR) error { var sighash []byte var h hash.Hash var ch crypto.Hash // Only need for RSA + var intlen int switch rr.Algorithm { case DSA, DSANSEC3SHA1: // Implicit in the ParameterSizes @@ -264,8 +269,10 @@ func (rr *RRSIG) Sign(k PrivateKey, rrset []RR) error { case RSASHA256, ECDSAP256SHA256: h = sha256.New() ch = crypto.SHA256 + intlen = 32 case ECDSAP384SHA384: h = sha512.New384() + intlen = 48 case RSASHA512: h = sha512.New() ch = crypto.SHA512 @@ -284,24 +291,24 @@ func (rr *RRSIG) Sign(k PrivateKey, rrset []RR) error { return err } signature := []byte{0x4D} // T value, here the ASCII M for Miek (not used in DNSSEC) - signature = append(signature, r1.Bytes()...) - signature = append(signature, s1.Bytes()...) - rr.Signature = unpackBase64(signature) + signature = append(signature, intToBytes(r1, 20)...) + signature = append(signature, intToBytes(s1, 20)...) + rr.Signature = toBase64(signature) case *rsa.PrivateKey: // We can use nil as rand.Reader here (says AGL) signature, err := rsa.SignPKCS1v15(nil, p, ch, sighash) if err != nil { return err } - rr.Signature = unpackBase64(signature) + rr.Signature = toBase64(signature) case *ecdsa.PrivateKey: r1, s1, err := ecdsa.Sign(rand.Reader, p, sighash) if err != nil { return err } - signature := r1.Bytes() - signature = append(signature, s1.Bytes()...) - rr.Signature = unpackBase64(signature) + signature := intToBytes(r1, intlen) + signature = append(signature, intToBytes(s1, intlen)...) + rr.Signature = toBase64(signature) default: // Not given the correct key return ErrKeyAlg @@ -444,7 +451,7 @@ func (rr *RRSIG) ValidityPeriod(t time.Time) bool { // Return the signatures base64 encodedig sigdata as a byte slice. func (s *RRSIG) sigBuf() []byte { - sigbuf, err := packBase64([]byte(s.Signature)) + sigbuf, err := fromBase64([]byte(s.Signature)) if err != nil { return nil } @@ -478,7 +485,7 @@ func (k *DNSKEY) setPublicKeyInPrivate(p PrivateKey) bool { // publicKeyRSA returns the RSA public key from a DNSKEY record. func (k *DNSKEY) publicKeyRSA() *rsa.PublicKey { - keybuf, err := packBase64([]byte(k.PublicKey)) + keybuf, err := fromBase64([]byte(k.PublicKey)) if err != nil { return nil } @@ -516,7 +523,7 @@ func (k *DNSKEY) publicKeyRSA() *rsa.PublicKey { // publicKeyCurve returns the Curve public key from the DNSKEY record. func (k *DNSKEY) publicKeyCurve() *ecdsa.PublicKey { - keybuf, err := packBase64([]byte(k.PublicKey)) + keybuf, err := fromBase64([]byte(k.PublicKey)) if err != nil { return nil } @@ -543,7 +550,7 @@ func (k *DNSKEY) publicKeyCurve() *ecdsa.PublicKey { } func (k *DNSKEY) publicKeyDSA() *dsa.PublicKey { - keybuf, err := packBase64([]byte(k.PublicKey)) + keybuf, err := fromBase64([]byte(k.PublicKey)) if err != nil { return nil } @@ -573,7 +580,7 @@ func (k *DNSKEY) setPublicKeyRSA(_E int, _N *big.Int) bool { } buf := exponentToBuf(_E) buf = append(buf, _N.Bytes()...) - k.PublicKey = unpackBase64(buf) + k.PublicKey = toBase64(buf) return true } @@ -582,9 +589,14 @@ func (k *DNSKEY) setPublicKeyCurve(_X, _Y *big.Int) bool { if _X == nil || _Y == nil { return false } - buf := curveToBuf(_X, _Y) - // Check the length of the buffer, either 64 or 92 bytes - k.PublicKey = unpackBase64(buf) + var intlen int + switch k.Algorithm { + case ECDSAP256SHA256: + intlen = 32 + case ECDSAP384SHA384: + intlen = 48 + } + k.PublicKey = toBase64(curveToBuf(_X, _Y, intlen)) return true } @@ -594,7 +606,7 @@ func (k *DNSKEY) setPublicKeyDSA(_Q, _P, _G, _Y *big.Int) bool { return false } buf := dsaToBuf(_Q, _P, _G, _Y) - k.PublicKey = unpackBase64(buf) + k.PublicKey = toBase64(buf) return true } @@ -618,21 +630,21 @@ func exponentToBuf(_E int) []byte { // Set the public key for X and Y for Curve. The two // values are just concatenated. -func curveToBuf(_X, _Y *big.Int) []byte { - buf := _X.Bytes() - buf = append(buf, _Y.Bytes()...) +func curveToBuf(_X, _Y *big.Int, intlen int) []byte { + buf := intToBytes(_X, intlen) + buf = append(buf, intToBytes(_Y, intlen)...) return buf } // Set the public key for X and Y for Curve. The two // values are just concatenated. func dsaToBuf(_Q, _P, _G, _Y *big.Int) []byte { - t := byte((len(_G.Bytes()) - 64) / 8) - buf := []byte{t} - buf = append(buf, _Q.Bytes()...) - buf = append(buf, _P.Bytes()...) - buf = append(buf, _G.Bytes()...) - buf = append(buf, _Y.Bytes()...) + t := divRoundUp(divRoundUp(_G.BitLen(), 8)-64, 8) + buf := []byte{byte(t)} + buf = append(buf, intToBytes(_Q, 20)...) + buf = append(buf, intToBytes(_P, 64+t*8)...) + buf = append(buf, intToBytes(_G, 64+t*8)...) + buf = append(buf, intToBytes(_Y, 64+t*8)...) return buf } diff --git a/dnssec_test.go b/dnssec_test.go index 04c64391..f6263d50 100644 --- a/dnssec_test.go +++ b/dnssec_test.go @@ -455,12 +455,19 @@ PrivateKey: WURgWHCcYIYUPWgeLmiPY2DJJk02vgrmTfitxgqcL4vwW7BOrbawVmVe0d9V94SR` sig.SignerName = eckey.(*DNSKEY).Hdr.Name sig.Algorithm = eckey.(*DNSKEY).Algorithm - sig.Sign(privkey, []RR{a}) + if sig.Sign(privkey, []RR{a}) != nil { + t.Fatal("failure to sign the record") + } - t.Logf("%s", sig.String()) if e := sig.Verify(eckey.(*DNSKEY), []RR{a}); e != nil { - t.Logf("failure to validate: %s", e.Error()) - t.Fail() + t.Logf("\n%s\n%s\n%s\n\n%s\n\n", + eckey.(*DNSKEY).String(), + a.String(), + sig.String(), + eckey.(*DNSKEY).PrivateKeyString(privkey), + ) + + t.Fatalf("failure to validate: %s", e.Error()) } } @@ -503,6 +510,13 @@ func TestSignVerifyECDSA2(t *testing.T) { err = sig.Verify(key, []RR{srv}) if err != nil { + t.Logf("\n%s\n%s\n%s\n\n%s\n\n", + key.String(), + srv.String(), + sig.String(), + key.PrivateKeyString(privkey), + ) + t.Fatal("Failure to validate:", err) } } diff --git a/keygen.go b/keygen.go index bc1a0797..dfe328ec 100644 --- a/keygen.go +++ b/keygen.go @@ -94,12 +94,12 @@ func (r *DNSKEY) PrivateKeyString(p PrivateKey) (s string) { switch t := p.(type) { case *rsa.PrivateKey: algorithm := strconv.Itoa(int(r.Algorithm)) + " (" + AlgorithmToString[r.Algorithm] + ")" - modulus := unpackBase64(t.PublicKey.N.Bytes()) + modulus := toBase64(t.PublicKey.N.Bytes()) e := big.NewInt(int64(t.PublicKey.E)) - publicExponent := unpackBase64(e.Bytes()) - privateExponent := unpackBase64(t.D.Bytes()) - prime1 := unpackBase64(t.Primes[0].Bytes()) - prime2 := unpackBase64(t.Primes[1].Bytes()) + publicExponent := toBase64(e.Bytes()) + privateExponent := toBase64(t.D.Bytes()) + prime1 := toBase64(t.Primes[0].Bytes()) + prime2 := toBase64(t.Primes[1].Bytes()) // Calculate Exponent1/2 and Coefficient as per: http://en.wikipedia.org/wiki/RSA#Using_the_Chinese_remainder_algorithm // and from: http://code.google.com/p/go/issues/detail?id=987 one := big.NewInt(1) @@ -110,9 +110,9 @@ func (r *DNSKEY) PrivateKeyString(p PrivateKey) (s string) { exp2 := big.NewInt(0).Mod(t.D, q_1) coeff := big.NewInt(0).Exp(t.Primes[1], minusone, t.Primes[0]) - exponent1 := unpackBase64(exp1.Bytes()) - exponent2 := unpackBase64(exp2.Bytes()) - coefficient := unpackBase64(coeff.Bytes()) + exponent1 := toBase64(exp1.Bytes()) + exponent2 := toBase64(exp2.Bytes()) + coefficient := toBase64(coeff.Bytes()) s = _FORMAT + "Algorithm: " + algorithm + "\n" + @@ -126,17 +126,25 @@ func (r *DNSKEY) PrivateKeyString(p PrivateKey) (s string) { "Coefficient: " + coefficient + "\n" case *ecdsa.PrivateKey: algorithm := strconv.Itoa(int(r.Algorithm)) + " (" + AlgorithmToString[r.Algorithm] + ")" - private := unpackBase64(t.D.Bytes()) + var intlen int + switch r.Algorithm { + case ECDSAP256SHA256: + intlen = 32 + case ECDSAP384SHA384: + intlen = 48 + } + private := toBase64(intToBytes(t.D, intlen)) s = _FORMAT + "Algorithm: " + algorithm + "\n" + "PrivateKey: " + private + "\n" case *dsa.PrivateKey: algorithm := strconv.Itoa(int(r.Algorithm)) + " (" + AlgorithmToString[r.Algorithm] + ")" - prime := unpackBase64(t.PublicKey.Parameters.P.Bytes()) - subprime := unpackBase64(t.PublicKey.Parameters.Q.Bytes()) - base := unpackBase64(t.PublicKey.Parameters.G.Bytes()) - priv := unpackBase64(t.X.Bytes()) - pub := unpackBase64(t.PublicKey.Y.Bytes()) + T := divRoundUp(divRoundUp(t.PublicKey.Parameters.G.BitLen(), 8)-64, 8) + prime := toBase64(intToBytes(t.PublicKey.Parameters.P, 64+T*8)) + subprime := toBase64(intToBytes(t.PublicKey.Parameters.Q, 20)) + base := toBase64(intToBytes(t.PublicKey.Parameters.G, 64+T*8)) + priv := toBase64(intToBytes(t.X, 20)) + pub := toBase64(intToBytes(t.PublicKey.Y, 64+T*8)) s = _FORMAT + "Algorithm: " + algorithm + "\n" + "Prime(p): " + prime + "\n" + diff --git a/kscan.go b/kscan.go index 8cc729ab..c48ca2d2 100644 --- a/kscan.go +++ b/kscan.go @@ -39,7 +39,7 @@ func (k *DNSKEY) ReadPrivateKey(q io.Reader, file string) (PrivateKey, error) { return nil, e } if !k.setPublicKeyInPrivate(p) { - return nil, ErrPrivKey + return nil, ErrKey } return p, e case "1 (RSAMD5)": @@ -56,7 +56,7 @@ func (k *DNSKEY) ReadPrivateKey(q io.Reader, file string) (PrivateKey, error) { return nil, e } if !k.setPublicKeyInPrivate(p) { - return nil, ErrPrivKey + return nil, ErrKey } return p, e case "12 (ECC-GOST)": @@ -74,7 +74,7 @@ func (k *DNSKEY) ReadPrivateKey(q io.Reader, file string) (PrivateKey, error) { return nil, e } if !k.setPublicKeyInPrivate(p) { - return nil, ErrPrivKey + return nil, ErrKey } return p, e } @@ -88,7 +88,7 @@ func readPrivateKeyRSA(m map[string]string) (PrivateKey, error) { for k, v := range m { switch k { case "modulus", "publicexponent", "privateexponent", "prime1", "prime2": - v1, err := packBase64([]byte(v)) + v1, err := fromBase64([]byte(v)) if err != nil { return nil, err } @@ -125,7 +125,7 @@ func readPrivateKeyDSA(m map[string]string) (PrivateKey, error) { for k, v := range m { switch k { case "private_value(x)": - v1, err := packBase64([]byte(v)) + v1, err := fromBase64([]byte(v)) if err != nil { return nil, err } @@ -144,7 +144,7 @@ func readPrivateKeyECDSA(m map[string]string) (PrivateKey, error) { for k, v := range m { switch k { case "privatekey": - v1, err := packBase64([]byte(v)) + v1, err := fromBase64([]byte(v)) if err != nil { return nil, err } diff --git a/msg.go b/msg.go index ff5e711b..ecba463d 100644 --- a/msg.go +++ b/msg.go @@ -12,6 +12,7 @@ import ( "encoding/base32" "encoding/base64" "encoding/hex" + "math/big" "math/rand" "net" "reflect" @@ -813,7 +814,7 @@ func packStructValue(val reflect.Value, msg []byte, off int, compression map[str default: return lenmsg, &Error{"bad tag packing string: " + typefield.Tag.Get("dns")} case `dns:"base64"`: - b64, e := packBase64([]byte(s)) + b64, e := fromBase64([]byte(s)) if e != nil { return lenmsg, e } @@ -834,7 +835,7 @@ func packStructValue(val reflect.Value, msg []byte, off int, compression map[str msg[off-1] = 20 fallthrough case `dns:"base32"`: - b32, e := packBase32([]byte(s)) + b32, e := fromBase32([]byte(s)) if e != nil { return lenmsg, e } @@ -1224,7 +1225,7 @@ func unpackStructValue(val reflect.Value, msg []byte, off int) (off1 int, err er if b64end > lenrd || b64end > lenmsg { return lenmsg, &Error{err: "overflow unpacking base64"} } - s = unpackBase64(msg[off:b64end]) + s = toBase64(msg[off:b64end]) off = b64end case `dns:"cdomain-name"`: fallthrough @@ -1250,7 +1251,7 @@ func unpackStructValue(val reflect.Value, msg []byte, off int) (off1 int, err er if off+size > lenmsg { return lenmsg, &Error{err: "overflow unpacking base32"} } - s = unpackBase32(msg[off : off+size]) + s = toBase32(msg[off : off+size]) off += size case `dns:"size-hex"`: // a "size" string, but it must be encoded in hex in the string @@ -1298,58 +1299,53 @@ func dddToByte(s []byte) byte { return byte((s[0]-'0')*100 + (s[1]-'0')*10 + (s[2] - '0')) } -// Helper function for unpacking -func unpackUint16(msg []byte, off int) (v uint16, off1 int) { - v = uint16(msg[off])<<8 | uint16(msg[off+1]) - off1 = off + 2 - return -} - // UnpackStruct unpacks a binary message from offset off to the interface // value given. -func UnpackStruct(any interface{}, msg []byte, off int) (off1 int, err error) { - off, err = unpackStructValue(structValue(any), msg, off) - return off, err +func UnpackStruct(any interface{}, msg []byte, off int) (int, error) { + return unpackStructValue(structValue(any), msg, off) } -func unpackBase32(b []byte) string { - b32 := make([]byte, base32.HexEncoding.EncodedLen(len(b))) - base32.HexEncoding.Encode(b32, b) - return string(b32) +// Helper function for packing and unpacking +func intToBytes(i *big.Int, length int) []byte { + buf := i.Bytes() + if len(buf) < length { + b := make([]byte, length) + copy(b[length-len(buf):], buf) + return b + } + return buf } -func unpackBase64(b []byte) string { - b64 := make([]byte, base64.StdEncoding.EncodedLen(len(b))) - base64.StdEncoding.Encode(b64, b) - return string(b64) +func unpackUint16(msg []byte, off int) (uint16, int) { + return uint16(msg[off])<<8 | uint16(msg[off+1]), off + 2 } -// Helper function for packing func packUint16(i uint16) (byte, byte) { return byte(i >> 8), byte(i) } -func packBase64(s []byte) ([]byte, error) { - b64len := base64.StdEncoding.DecodedLen(len(s)) - buf := make([]byte, b64len) - n, err := base64.StdEncoding.Decode(buf, []byte(s)) - if err != nil { - return nil, err - } - buf = buf[:n] - return buf, nil +func toBase32(b []byte) string { + return base32.HexEncoding.EncodeToString(b) } -// Helper function for packing, mostly used in dnssec.go -func packBase32(s []byte) ([]byte, error) { - b32len := base32.HexEncoding.DecodedLen(len(s)) - buf := make([]byte, b32len) - n, err := base32.HexEncoding.Decode(buf, []byte(s)) - if err != nil { - return nil, err - } +func fromBase32(s []byte) (buf []byte, err error) { + buflen := base32.HexEncoding.DecodedLen(len(s)) + buf = make([]byte, buflen) + n, err := base32.HexEncoding.Decode(buf, s) buf = buf[:n] - return buf, nil + return +} + +func toBase64(b []byte) string { + return base64.StdEncoding.EncodeToString(b) +} + +func fromBase64(s []byte) (buf []byte, err error) { + buflen := base64.StdEncoding.DecodedLen(len(s)) + buf = make([]byte, buflen) + n, err := base64.StdEncoding.Decode(buf, s) + buf = buf[:n] + return } // PackRR packs a resource record rr into msg[off:]. diff --git a/nsecx.go b/nsecx.go index 28bf08d9..ac48da0f 100644 --- a/nsecx.go +++ b/nsecx.go @@ -47,7 +47,7 @@ func HashName(label string, ha uint8, iter uint16, salt string) string { io.WriteString(s, string(nsec3)) nsec3 = s.Sum(nil) } - return unpackBase32(nsec3) + return toBase32(nsec3) } type Denialer interface { diff --git a/parse_test.go b/parse_test.go index 89f21906..3ff3a93e 100644 --- a/parse_test.go +++ b/parse_test.go @@ -1230,7 +1230,7 @@ type algorithm struct { bits int } -func TestNewPrivateKeyECDSA(t *testing.T) { +func TestNewPrivateKey(t *testing.T) { if testing.Short() { t.Skip("skipping test in short mode.") } @@ -1239,7 +1239,7 @@ func TestNewPrivateKeyECDSA(t *testing.T) { algorithm{ECDSAP384SHA384, 384}, algorithm{RSASHA1, 1024}, algorithm{RSASHA256, 2048}, - // algorithm{DSA, 1024}, // TODO: STILL BROKEN! + algorithm{DSA, 1024}, } for _, algo := range algorithms { @@ -1258,6 +1258,9 @@ func TestNewPrivateKeyECDSA(t *testing.T) { newPrivKey, err := key.NewPrivateKey(key.PrivateKeyString(privkey)) if err != nil { + t.Log(key.String()) + t.Log(key.PrivateKeyString(privkey)) + t.Fatal(err.Error()) } diff --git a/server_test.go b/server_test.go index d8e63785..044121cf 100644 --- a/server_test.go +++ b/server_test.go @@ -6,6 +6,7 @@ import ( "runtime" "sync" "testing" + "time" ) func HelloServer(w ResponseWriter, req *Msg) { @@ -36,6 +37,25 @@ func RunLocalUDPServer(laddr string) (*Server, string, error) { server.ActivateAndServe() pc.Close() }() + + time.Sleep(50 * time.Millisecond) + + return server, pc.LocalAddr().String(), nil +} + +func RunLocalUDPServerUnsafe(laddr string) (*Server, string, error) { + pc, err := net.ListenPacket("udp", laddr) + if err != nil { + return nil, "", err + } + server := &Server{PacketConn: pc, Unsafe: true} + go func() { + server.ActivateAndServe() + pc.Close() + }() + + time.Sleep(50 * time.Millisecond) + return server, pc.LocalAddr().String(), nil } @@ -49,6 +69,19 @@ func RunLocalTCPServer(laddr string) (*Server, string, error) { server.ActivateAndServe() l.Close() }() + + for i := 0; ; i++ { + conn, err := net.Dial("tcp", l.Addr().String()) + if err == nil { + conn.Close() + break + } + time.Sleep(50 * time.Millisecond) + if i > 50 { + return nil, "", fmt.Errorf("failed to start server: ", err) + } + } + return server, l.Addr().String(), nil } @@ -311,7 +344,6 @@ func TestServingResponse(t *testing.T) { if err != nil { t.Fatalf("Unable to run test server: %s", err) } - defer s.Shutdown() c := new(Client) m := new(Msg) @@ -328,7 +360,14 @@ func TestServingResponse(t *testing.T) { t.Log("exchanged response message") t.Fatal() } - s.Unsafe = true + + s.Shutdown() + s, addrstr, err = RunLocalUDPServerUnsafe("127.0.0.1:0") + if err != nil { + t.Fatalf("Unable to run test server: %s", err) + } + defer s.Shutdown() + m.Response = true _, _, err = c.Exchange(m, addrstr) if err != nil { @@ -342,9 +381,6 @@ func TestShutdownTCP(t *testing.T) { if err != nil { t.Fatalf("Unable to run test server: %s", err) } - // it normally is too early to shutting down because server - // activates in goroutine. - runtime.Gosched() err = s.Shutdown() if err != nil { t.Errorf("Could not shutdown test TCP server, %s", err) @@ -356,9 +392,6 @@ func TestShutdownUDP(t *testing.T) { if err != nil { t.Fatalf("Unable to run test server: %s", err) } - // it normally is too early to shutting down because server - // activates in goroutine. - runtime.Gosched() err = s.Shutdown() if err != nil { t.Errorf("Could not shutdown test UDP server, %s", err) diff --git a/sig0.go b/sig0.go index 46cf7a2e..d96b31be 100644 --- a/sig0.go +++ b/sig0.go @@ -44,18 +44,7 @@ func (rr *SIG) Sign(k PrivateKey, m *Msg) ([]byte, error) { rr.TypeCovered = 0 rr.Labels = 0 - buflen := m.Len() + rr.len() - switch k := k.(type) { - case *rsa.PrivateKey: - buflen += len(k.N.Bytes()) - case *dsa.PrivateKey: - buflen += 40 - case *ecdsa.PrivateKey: - buflen += 96 - default: - return nil, ErrPrivKey - } - buf := make([]byte, m.Len()+rr.len()+buflen) + buf := make([]byte, m.Len()+rr.len()) mbuf, err := m.PackBuffer(buf) if err != nil { return nil, err @@ -69,13 +58,16 @@ func (rr *SIG) Sign(k PrivateKey, m *Msg) ([]byte, error) { } buf = buf[:off:cap(buf)] var hash crypto.Hash + var intlen int switch rr.Algorithm { case DSA, RSASHA1: hash = crypto.SHA1 case RSASHA256, ECDSAP256SHA256: hash = crypto.SHA256 + intlen = 32 case ECDSAP384SHA384: hash = crypto.SHA384 + intlen = 48 case RSASHA512: hash = crypto.SHA512 default: @@ -91,15 +83,14 @@ func (rr *SIG) Sign(k PrivateKey, m *Msg) ([]byte, error) { var sig []byte switch p := k.(type) { case *dsa.PrivateKey: - t := byte((len(p.PublicKey.Y.Bytes()) - 64) / 8) + t := divRoundUp(divRoundUp(p.PublicKey.Y.BitLen(), 8)-64, 8) r1, s1, err := dsa.Sign(rand.Reader, p, hashed) if err != nil { return nil, err } - sig = make([]byte, 0, 1+len(r1.Bytes())+len(s1.Bytes())) - sig = append(sig, t) - sig = append(sig, r1.Bytes()...) - sig = append(sig, s1.Bytes()...) + sig = append(sig, byte(t)) + sig = append(sig, intToBytes(r1, 20)...) + sig = append(sig, intToBytes(s1, 20)...) case *rsa.PrivateKey: sig, err = rsa.SignPKCS1v15(rand.Reader, p, hash, hashed) if err != nil { @@ -110,12 +101,12 @@ func (rr *SIG) Sign(k PrivateKey, m *Msg) ([]byte, error) { if err != nil { return nil, err } - sig = r1.Bytes() - sig = append(sig, s1.Bytes()...) + sig = intToBytes(r1, intlen) + sig = append(sig, intToBytes(s1, intlen)...) default: return nil, ErrAlg } - rr.Signature = unpackBase64(sig) + rr.Signature = toBase64(sig) buf = append(buf, sig...) if len(buf) > int(^uint16(0)) { return nil, ErrBuf diff --git a/tsig.go b/tsig.go index 35f6cee4..2c64ee8d 100644 --- a/tsig.go +++ b/tsig.go @@ -159,7 +159,7 @@ func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, s panic("dns: TSIG not last RR in additional") } // If we barf here, the caller is to blame - rawsecret, err := packBase64([]byte(secret)) + rawsecret, err := fromBase64([]byte(secret)) if err != nil { return nil, "", err } @@ -209,7 +209,7 @@ func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, s // If the signature does not validate err contains the // error, otherwise it is nil. func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error { - rawsecret, err := packBase64([]byte(secret)) + rawsecret, err := fromBase64([]byte(secret)) if err != nil { return err }