Add support for HMAC-SHA224 and HMAC-SHA384 TSIG algorithms (#1139)
This commit is contained in:
parent
f3da20bc00
commit
de1def76d8
10
tsig.go
10
tsig.go
|
@ -18,7 +18,9 @@ import (
|
|||
const (
|
||||
HmacMD5 = "hmac-md5.sig-alg.reg.int."
|
||||
HmacSHA1 = "hmac-sha1."
|
||||
HmacSHA224 = "hmac-sha224."
|
||||
HmacSHA256 = "hmac-sha256."
|
||||
HmacSHA384 = "hmac-sha384."
|
||||
HmacSHA512 = "hmac-sha512."
|
||||
)
|
||||
|
||||
|
@ -123,8 +125,12 @@ func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, s
|
|||
h = hmac.New(md5.New, rawsecret)
|
||||
case HmacSHA1:
|
||||
h = hmac.New(sha1.New, rawsecret)
|
||||
case HmacSHA224:
|
||||
h = hmac.New(sha256.New224, rawsecret)
|
||||
case HmacSHA256:
|
||||
h = hmac.New(sha256.New, rawsecret)
|
||||
case HmacSHA384:
|
||||
h = hmac.New(sha512.New384, rawsecret)
|
||||
case HmacSHA512:
|
||||
h = hmac.New(sha512.New, rawsecret)
|
||||
default:
|
||||
|
@ -183,8 +189,12 @@ func tsigVerify(msg []byte, secret, requestMAC string, timersOnly bool, now uint
|
|||
h = hmac.New(md5.New, rawsecret)
|
||||
case HmacSHA1:
|
||||
h = hmac.New(sha1.New, rawsecret)
|
||||
case HmacSHA224:
|
||||
h = hmac.New(sha256.New224, rawsecret)
|
||||
case HmacSHA256:
|
||||
h = hmac.New(sha256.New, rawsecret)
|
||||
case HmacSHA384:
|
||||
h = hmac.New(sha512.New384, rawsecret)
|
||||
case HmacSHA512:
|
||||
h = hmac.New(sha512.New, rawsecret)
|
||||
default:
|
||||
|
|
45
tsig_test.go
45
tsig_test.go
|
@ -192,3 +192,48 @@ func TestTsigGenerate(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestTSIGHMAC224And384(t *testing.T) {
|
||||
tests := []struct {
|
||||
algorithm string // TSIG algorithm, also used as test description
|
||||
secret string // (arbitrarily chosen) secret suitable for the algorithm in base64 format
|
||||
expectedMAC string // pre-computed expected (correct) MAC in hex form
|
||||
}{
|
||||
{HmacSHA224, "hVEkQuAqnTmBuRrT9KF1Udr91gOMGWPw9LaTtw==",
|
||||
"d6daf9ea189e48bc38f9aed63d6cc4140cdfa38a7a333ee2eefdbd31",
|
||||
},
|
||||
{HmacSHA384, "Qjer2TL2lAdpq9w6Gjs98/ClCQx/L3vtgVHCmrZ8l/oKEPjqUUMFO18gMCRwd5H4",
|
||||
"89a48936d29187870c325cbdba5ad71609bd038d0459d6010c844d659c570e881d3650e4fe7310be53ebe5178d0d1001",
|
||||
},
|
||||
}
|
||||
for _, tc := range tests {
|
||||
tc := tc
|
||||
t.Run(tc.algorithm, func(t *testing.T) {
|
||||
// Build a DNS message with TSIG for the test scenario
|
||||
tsig := TSIG{
|
||||
Hdr: RR_Header{Name: "testkey.", Rrtype: TypeTSIG, Class: ClassANY, Ttl: 0},
|
||||
Algorithm: tc.algorithm,
|
||||
TimeSigned: timeSigned,
|
||||
Fudge: 300,
|
||||
OrigId: 42,
|
||||
}
|
||||
req := &Msg{
|
||||
MsgHdr: MsgHdr{Opcode: OpcodeUpdate},
|
||||
Question: []Question{Question{Name: "example.com.", Qtype: TypeSOA, Qclass: ClassINET}},
|
||||
Extra: []RR{&tsig},
|
||||
}
|
||||
|
||||
// Confirm both Generate and Verify recognize the algorithm and handle it correctly
|
||||
msgData, mac, err := TsigGenerate(req, tc.secret, "", false)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
if mac != tc.expectedMAC {
|
||||
t.Fatalf("MAC doesn't match: expected '%s' but got '%s'", tc.expectedMAC, mac)
|
||||
}
|
||||
if err = tsigVerify(msgData, tc.secret, "", false, timeSigned); err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue