Remove HMAC-MD5 support from TSIG (#1187)
This commit is contained in:
parent
db53c847ca
commit
93945c2844
|
@ -1004,7 +1004,7 @@ func TestServerRoundtripTsig(t *testing.T) {
|
||||||
status := w.TsigStatus()
|
status := w.TsigStatus()
|
||||||
if status == nil {
|
if status == nil {
|
||||||
// *Msg r has an TSIG record and it was validated
|
// *Msg r has an TSIG record and it was validated
|
||||||
m.SetTsig("test.", HmacMD5, 300, time.Now().Unix())
|
m.SetTsig("test.", HmacSHA256, 300, time.Now().Unix())
|
||||||
} else {
|
} else {
|
||||||
// *Msg r has an TSIG records and it was not valided
|
// *Msg r has an TSIG records and it was not valided
|
||||||
t.Errorf("invalid TSIG: %v", status)
|
t.Errorf("invalid TSIG: %v", status)
|
||||||
|
@ -1031,7 +1031,7 @@ func TestServerRoundtripTsig(t *testing.T) {
|
||||||
Target: "bar.example.com.",
|
Target: "bar.example.com.",
|
||||||
}}
|
}}
|
||||||
c.TsigSecret = secret
|
c.TsigSecret = secret
|
||||||
m.SetTsig("test.", HmacMD5, 300, time.Now().Unix())
|
m.SetTsig("test.", HmacSHA256, 300, time.Now().Unix())
|
||||||
_, _, err = c.Exchange(m, addrstr)
|
_, _, err = c.Exchange(m, addrstr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal("failed to exchange", err)
|
t.Fatal("failed to exchange", err)
|
||||||
|
|
8
tsig.go
8
tsig.go
|
@ -2,7 +2,6 @@ package dns
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/hmac"
|
"crypto/hmac"
|
||||||
"crypto/md5"
|
|
||||||
"crypto/sha1"
|
"crypto/sha1"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"crypto/sha512"
|
"crypto/sha512"
|
||||||
|
@ -16,12 +15,13 @@ import (
|
||||||
|
|
||||||
// HMAC hashing codes. These are transmitted as domain names.
|
// HMAC hashing codes. These are transmitted as domain names.
|
||||||
const (
|
const (
|
||||||
HmacMD5 = "hmac-md5.sig-alg.reg.int."
|
|
||||||
HmacSHA1 = "hmac-sha1."
|
HmacSHA1 = "hmac-sha1."
|
||||||
HmacSHA224 = "hmac-sha224."
|
HmacSHA224 = "hmac-sha224."
|
||||||
HmacSHA256 = "hmac-sha256."
|
HmacSHA256 = "hmac-sha256."
|
||||||
HmacSHA384 = "hmac-sha384."
|
HmacSHA384 = "hmac-sha384."
|
||||||
HmacSHA512 = "hmac-sha512."
|
HmacSHA512 = "hmac-sha512."
|
||||||
|
|
||||||
|
HmacMD5 = "hmac-md5.sig-alg.reg.int." // Deprecated: HmacMD5 is no longer supported.
|
||||||
)
|
)
|
||||||
|
|
||||||
// TSIG is the RR the holds the transaction signature of a message.
|
// TSIG is the RR the holds the transaction signature of a message.
|
||||||
|
@ -121,8 +121,6 @@ func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, s
|
||||||
t := new(TSIG)
|
t := new(TSIG)
|
||||||
var h hash.Hash
|
var h hash.Hash
|
||||||
switch CanonicalName(rr.Algorithm) {
|
switch CanonicalName(rr.Algorithm) {
|
||||||
case HmacMD5:
|
|
||||||
h = hmac.New(md5.New, rawsecret)
|
|
||||||
case HmacSHA1:
|
case HmacSHA1:
|
||||||
h = hmac.New(sha1.New, rawsecret)
|
h = hmac.New(sha1.New, rawsecret)
|
||||||
case HmacSHA224:
|
case HmacSHA224:
|
||||||
|
@ -185,8 +183,6 @@ func tsigVerify(msg []byte, secret, requestMAC string, timersOnly bool, now uint
|
||||||
|
|
||||||
var h hash.Hash
|
var h hash.Hash
|
||||||
switch CanonicalName(tsig.Algorithm) {
|
switch CanonicalName(tsig.Algorithm) {
|
||||||
case HmacMD5:
|
|
||||||
h = hmac.New(md5.New, rawsecret)
|
|
||||||
case HmacSHA1:
|
case HmacSHA1:
|
||||||
h = hmac.New(sha1.New, rawsecret)
|
h = hmac.New(sha1.New, rawsecret)
|
||||||
case HmacSHA224:
|
case HmacSHA224:
|
||||||
|
|
|
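Review bot: With the `case HmacMD5:` arms dropped from both `switch CanonicalName(...)` statements (TsigGenerate and tsigVerify), an `hmac-md5.sig-alg.reg.int.` name now falls through to each switch's `default` arm, which lies outside the hunk; if that arm does not return an error before `h` is used, `h` stays nil and the subsequent write to it would panic on an attacker-supplied TSIG algorithm name received over the wire, so it is worth confirming it returns `ErrKeyAlg` (or equivalent) and fails closed. The commit only re-points existing tests at SHA-256; a test asserting that a message carrying the MD5 algorithm name is rejected by verification would pin the new behaviour. The retained constant should also tell callers what happens now, e.g. `// Deprecated: HmacMD5 is no longer supported; TsigGenerate and TsigVerify return an error for it.` placed as a doc line above the constant, which is the form deprecation tooling is documented to recognize — whether the trailing line comment used here is picked up is worth checking.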
@ -17,7 +17,7 @@ func newTsig(algo string) *Msg {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTsig(t *testing.T) {
|
func TestTsig(t *testing.T) {
|
||||||
m := newTsig(HmacMD5)
|
m := newTsig(HmacSHA256)
|
||||||
buf, _, err := TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
|
buf, _, err := TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
|
@ -29,7 +29,7 @@ func TestTsig(t *testing.T) {
|
||||||
|
|
||||||
// TSIG accounts for ID substitution. This means if the message ID is
|
// TSIG accounts for ID substitution. This means if the message ID is
|
||||||
// changed by a forwarder, we should still be able to verify the TSIG.
|
// changed by a forwarder, we should still be able to verify the TSIG.
|
||||||
m = newTsig(HmacMD5)
|
m = newTsig(HmacSHA256)
|
||||||
buf, _, err = TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
|
buf, _, err = TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
|
@ -43,7 +43,7 @@ func TestTsig(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTsigCase(t *testing.T) {
|
func TestTsigCase(t *testing.T) {
|
||||||
m := newTsig("HmAc-mD5.sig-ALg.rEg.int.") // HmacMD5
|
m := newTsig(strings.ToUpper(HmacSHA256))
|
||||||
buf, _, err := TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
|
buf, _, err := TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
|
@ -62,7 +62,7 @@ const (
|
||||||
"%012x" + // placeholder for the "time signed" field
|
"%012x" + // placeholder for the "time signed" field
|
||||||
"012c00208cf23e0081d915478a182edcea7ff48ad102948e6c7ef8e887536957d1fa5616c60000000000"
|
"012c00208cf23e0081d915478a182edcea7ff48ad102948e6c7ef8e887536957d1fa5616c60000000000"
|
||||||
// A secret (in base64 format) with which the TSIG in wireMsg will be validated
|
// A secret (in base64 format) with which the TSIG in wireMsg will be validated
|
||||||
testSecret = "NoTCJU+DMqFWywaPyxSijrDEA/eC3nK0xi3AMEZuPVk="
|
testSecret = "NoTCJU+DMqFWywaPyxSijrDEA/eC3nK0xi3AMEZuPVk="
|
||||||
// the 'time signed' field value that would make the TSIG RR valid with testSecret
|
// the 'time signed' field value that would make the TSIG RR valid with testSecret
|
||||||
timeSigned uint64 = 1594855491
|
timeSigned uint64 = 1594855491
|
||||||
)
|
)
|
||||||
|
|