mirrors/dns
1
0
Fork 0
mirror of https://github.com/miekg/dns.git synced 2025-10-07 07:51:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implement all other TSIG checks

Browse Source
This commit is contained in:
Miek Gieben 2011-03-25 14:46:30 +01:00
parent 4c55428a6e
commit f2a93a155b
2 changed files with 29 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
msg.go
View File

@ -39,8 +39,10 @@ var (
ErrKeySize os.Error = &Error{Error: "bad key size"} ErrKeySize os.Error = &Error{Error: "bad key size"}
ErrAlg os.Error = &Error{Error: "bad algorithm"} ErrAlg os.Error = &Error{Error: "bad algorithm"}
ErrTime os.Error = &Error{Error: "bad time"} ErrTime os.Error = &Error{Error: "bad time"}
ErrNoSig os.Error = &Error{Error: "no signature found"}
ErrSig os.Error = &Error{Error: "bad signature"} ErrSig os.Error = &Error{Error: "bad signature"}
ErrSigGen os.Error = &Error{Error: "bad signature generation"} ErrSigGen os.Error = &Error{Error: "bad signature generation"}
ErrAuth os.Error = &Error{Error: "bad authentication"}
ErrXfrSoa os.Error = &Error{Error: "no SOA seen"} ErrXfrSoa os.Error = &Error{Error: "no SOA seen"}
) )

38
tsig.go
View File

@ -130,9 +130,9 @@ func (t *Tsig) Verify(msg []byte) (bool, os.Error) {
return false, err return false, err
} }
// Stipped the TSIG from the incoming msg // Stipped the TSIG from the incoming msg
stripped, ok := stripTsig(msg) stripped, err := t.stripTsig(msg)
if !ok { if err != nil {
return false, ErrSigGen return false, err
} }
buf, err := t.Buffer(stripped) buf, err := t.Buffer(stripped)
@ -141,7 +141,6 @@ func (t *Tsig) Verify(msg []byte) (bool, os.Error) {
} }
// Time needs to be checked */ // Time needs to be checked */
// Generic time error
h := hmac.NewMD5([]byte(rawsecret)) h := hmac.NewMD5([]byte(rawsecret))
io.WriteString(h, string(buf)) io.WriteString(h, string(buf))
@ -204,23 +203,26 @@ func (t *Tsig) Buffer(msg []byte) ([]byte, os.Error) {
} }
// Strip the TSIG from the pkt. // Strip the TSIG from the pkt.
func stripTsig(orig []byte) ([]byte, bool) { func (t *Tsig) stripTsig(orig []byte) ([]byte, os.Error) {
// Copied from msg.go's Unpack() // Copied from msg.go's Unpack()
// Header. // Header.
var dh Header var dh Header
dns := new(Msg) dns := new(Msg)
msg := make([]byte, len(orig)) msg := make([]byte, len(orig))
copy(msg, orig) // fhhh.. another copy copy(msg, orig) // fhhh.. another copy TODO(mg)?
off := 0 off := 0
tsigoff := 0 tsigoff := 0
var ok bool var ok bool
if off, ok = unpackStruct(&dh, msg, off); !ok { if off, ok = unpackStruct(&dh, msg, off); !ok {
return nil, false return nil, ErrUnpack
} }
if dh.Arcount == 0 { if dh.Arcount == 0 {
// No records at all in the additional. return nil, ErrNoSig
return nil, false
} }
// Rcode, see msg.go Unpack()
if int(dh.Bits & 0xF) == RcodeNotAuth {
return nil, ErrAuth
}
// Arrays. // Arrays.
dns.Question = make([]Question, dh.Qdcount) dns.Question = make([]Question, dh.Qdcount)
@ -241,6 +243,20 @@ func stripTsig(orig []byte) ([]byte, bool) {
tsigoff = off tsigoff = off
dns.Extra[i], off, ok = unpackRR(msg, off) dns.Extra[i], off, ok = unpackRR(msg, off)
if dns.Extra[i].Header().Rrtype == TypeTSIG { if dns.Extra[i].Header().Rrtype == TypeTSIG {
if t.Name != "" {
if t.Name != dns.Extra[i].Header().Name {
return nil, ErrKey
}
}
if t.Algorithm != "" {
if t.Algorithm != dns.Extra[i].(*RR_TSIG).Algorithm {
return nil, ErrAlg
}
}
ti := uint64(time.Seconds()) - dns.Extra[i].(*RR_TSIG).TimeSigned
if uint64(dns.Extra[i].(*RR_TSIG).Fudge) < ti {
return nil, ErrTime
}
// Adjust Arcount. // Adjust Arcount.
arcount, _ := unpackUint16(msg, 10) arcount, _ := unpackUint16(msg, 10)
msg[10], msg[11] = packUint16(arcount - 1) msg[10], msg[11] = packUint16(arcount - 1)
@ -248,7 +264,7 @@ func stripTsig(orig []byte) ([]byte, bool) {
} }
} }
if !ok { if !ok {
return nil, false return nil, ErrUnpack
} }
return msg[:tsigoff], true return msg[:tsigoff], nil
} }