TSIG works
This commit is contained in:
parent
8b832018a4
commit
bdde78ff2f
2
TODO
2
TODO
|
@ -11,6 +11,7 @@ Todo:
|
|||
* NSEC3 - need base32 for Nsec3
|
||||
* pkt log
|
||||
* error when you cannot connect (responder)
|
||||
* Tsig function need to be methods on *dns.Msg (much more natural)
|
||||
|
||||
Longer term:
|
||||
* Parsing from strings, going with goyacc and own lexer
|
||||
|
@ -40,4 +41,3 @@ Funkensturm:
|
|||
* use exp/eval - to inteprete the config file??
|
||||
* TCP how to handle stuff like AXFR
|
||||
* use package log
|
||||
* setup multiple resolver qr[0] qr[1] and use those
|
||||
|
|
4
msg.go
4
msg.go
|
@ -344,7 +344,7 @@ func packStructValue(val *reflect.StructValue, msg []byte, off int) (off1 int, o
|
|||
msg[off+3] = byte(i)
|
||||
off += 4
|
||||
case reflect.Uint64:
|
||||
// Only used in TSIG, where it stops as 48 bits, discard the upper 16
|
||||
// Only used in TSIG, where it stops at 48 bits, so we discard the upper 16
|
||||
if off+6 > len(msg) {
|
||||
fmt.Fprintf(os.Stderr, "dns: overflow packing uint64")
|
||||
return len(msg), false
|
||||
|
@ -563,7 +563,7 @@ func unpackStructValue(val *reflect.StructValue, msg []byte, off int) (off1 int,
|
|||
return len(msg), false
|
||||
}
|
||||
i := uint64(msg[off])<<40 | uint64(msg[off+1])<<32 | uint64(msg[off+2])<<24 | uint64(msg[off+3])<<16 |
|
||||
uint64(msg[off+4])<<8 | uint64(msg[off+4])
|
||||
uint64(msg[off+4])<<8 | uint64(msg[off+5])
|
||||
fv.Set(uint64(i))
|
||||
off += 6
|
||||
}
|
||||
|
|
54
tsig.go
54
tsig.go
|
@ -1,11 +1,10 @@
|
|||
package dns
|
||||
|
||||
// Implementation of TSIG: generation and validation
|
||||
|
||||
// RFC 2845 and RFC 4635
|
||||
import (
|
||||
"io"
|
||||
"fmt"
|
||||
"encoding/base64"
|
||||
"strconv"
|
||||
"strings"
|
||||
"crypto/hmac"
|
||||
|
@ -14,8 +13,9 @@ import (
|
|||
|
||||
// Need to lookup the actual codes
|
||||
const (
|
||||
HmacMD5 = iota
|
||||
HmacSHA1
|
||||
HmacMD5 = "HMAC-MD5.SIG-ALG.REG.INT"
|
||||
HmacSHA1 = "hmac-sha1"
|
||||
HmacSHA256 = "hmac-sha256"
|
||||
)
|
||||
|
||||
type RR_TSIG struct {
|
||||
|
@ -64,19 +64,13 @@ type tsigWireFmt struct {
|
|||
OtherData string "fixed-size"
|
||||
}
|
||||
|
||||
// Return the RR with the TSIG AND include it in the message
|
||||
// Generate the HMAC for msg. The TSIG RR is modified
|
||||
// to include the MAC and MACSize. Note the the msg Id must
|
||||
// be set, otherwise the MAC is not correct.
|
||||
// The string 'secret' must be encoded in base64
|
||||
func (rr *RR_TSIG) Generate(msg *Msg, secret string) bool {
|
||||
b64len := base64.StdEncoding.DecodedLen(len(secret))
|
||||
rawsecret := make([]byte, b64len)
|
||||
n, err := base64.StdEncoding.Decode(rawsecret, []byte(secret))
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
rawsecret = rawsecret[:n]
|
||||
|
||||
rawsecret := unpackBase64([]byte(secret))
|
||||
buf, ok := tsigToBuf(rr, msg)
|
||||
if !ok {
|
||||
return false
|
||||
|
@ -97,14 +91,10 @@ func (rr *RR_TSIG) Verify(msg *Msg, secret string) bool {
|
|||
// copy the mesg, strip (and check) the tsig rr
|
||||
// perform the opposite of Generate() and then
|
||||
// verify the mac
|
||||
|
||||
b64len := base64.StdEncoding.DecodedLen(len(secret))
|
||||
rawsecret := make([]byte, b64len)
|
||||
n, err := base64.StdEncoding.Decode(rawsecret, []byte(secret))
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
rawsecret = rawsecret[:n]
|
||||
rawsecret, err := packBase64([]byte(secret))
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
msg2 := msg // TODO deep copy TODO(mg)
|
||||
if len(msg2.Extra) < 1 {
|
||||
|
@ -117,24 +107,22 @@ func (rr *RR_TSIG) Verify(msg *Msg, secret string) bool {
|
|||
return false
|
||||
}
|
||||
msg2.MsgHdr.Id = rr.OrigId
|
||||
msg2.Extra = msg2.Extra[:len(msg2.Extra)-1]
|
||||
msg2.Extra = msg2.Extra[:len(msg2.Extra)-1] // Strip off the TSIG
|
||||
// TODO(mg)
|
||||
fmt.Printf("%v\n", msg2)
|
||||
// msg2
|
||||
buf1, _ := msg2.Pack()
|
||||
println()
|
||||
fmt.Printf("%v\n", rr)
|
||||
|
||||
buf, ok := tsigToBuf(rr, msg2)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
hmac1 := hmac.NewMD5([]byte(rawsecret))
|
||||
io.WriteString(hmac1, string(buf1))
|
||||
fmt.Printf("%X\n", hmac1.Sum())
|
||||
|
||||
hmac := hmac.NewMD5([]byte(rawsecret))
|
||||
io.WriteString(hmac, string(buf))
|
||||
fmt.Printf("%X\n", hmac.Sum())
|
||||
|
||||
fmt.Printf("Key bytes: %v\n", []byte(rawsecret))
|
||||
fmt.Printf("Key %s\n", rawsecret)
|
||||
h := hmac.NewMD5([]byte(rawsecret))
|
||||
io.WriteString(h, string(buf))
|
||||
fmt.Printf("SUM: %v\n", h.Sum())
|
||||
fmt.Printf("SUM: %X\n", h.Sum())
|
||||
return false
|
||||
}
|
||||
|
||||
|
@ -160,6 +148,8 @@ func tsigToBuf(rr *RR_TSIG, msg *Msg) ([]byte, bool) {
|
|||
if !ok {
|
||||
return nil, false
|
||||
}
|
||||
buf = append(buf, msgbuf...)
|
||||
// First the pkg, then the tsig wire fmt
|
||||
buf = append(msgbuf, buf...)
|
||||
fmt.Printf("buf %v\n", buf)
|
||||
return buf, true
|
||||
}
|
||||
|
|
15
types.go
15
types.go
|
@ -90,14 +90,13 @@ const (
|
|||
RcodeNXRrset = 8
|
||||
RcodeNotAuth = 9
|
||||
RcodeNotZone = 10
|
||||
// Tsig errors
|
||||
TsigBadSig = 16
|
||||
TsigBadKey = 17
|
||||
TsigBadTime = 18
|
||||
// Tkey errors
|
||||
TkeyBadMode = 19
|
||||
TkeyBadName = 20
|
||||
TKeyBadAlg = 21
|
||||
RcodeBadSig = 16 // TSIG
|
||||
RcodeBadKey = 17
|
||||
RcodeBadTime = 18
|
||||
RcodeBadMode = 19 // TKEY
|
||||
RcodeBadName = 20
|
||||
RcodeBadAlg = 21
|
||||
RcodeBadTrunc = 22 // TSIG
|
||||
|
||||
// Opcode
|
||||
OpcodeQuery = 0
|
||||
|
|
Loading…
Reference in New Issue