Merge branch 'master' of github.com:miekg/dns

abh · Nov 3, 2014 · a34d1f6 · a34d1f6
2 parents a50b50c + 241f9e6
commit a34d1f6
Show file tree

Hide file tree

Showing 8 changed files with 472 additions and 192 deletions.
diff --git a/README.md b/README.md
@@ -49,7 +49,7 @@ Send pull request if you want to be listed here.
 * DNSSEC: signing, validating and key generation for DSA, RSA and ECDSA;
 * EDNS0, NSID;
 * AXFR/IXFR;
-* TSIG;
+* TSIG, SIG(0);
 * DNS name compression;
 * Depends only on the standard library.
 
@@ -137,5 +137,4 @@ Example programs can be found in the `github.com/miekg/exdns` repository.
 * CAA parsing is broken;
 * NSEC(3) cover/match/closest enclose;
 * Replies with TC bit are not parsed to the end;
-* SIG(0);
 * Create IsMsg to validate a message before fully parsing it.
diff --git a/dns_test.go b/dns_test.go
@@ -430,7 +430,7 @@ func TestToRFC3597(t *testing.T) {
 	a, _ := NewRR("miek.nl. IN A 10.0.1.1")
 	x := new(RFC3597)
 	x.ToRFC3597(a)
-	if x.String() != `miek.nl.	3600	IN	A	\# 4 0a000101` {
+	if x.String() != `miek.nl.	3600	CLASS1	TYPE1	\# 4 0a000101` {
 		t.Fail()
 	}
 }

diff --git a/dnssec.go b/dnssec.go
@@ -547,20 +547,22 @@ func (k *DNSKEY) publicKeyDSA() *dsa.PublicKey {
 	if err != nil {
 		return nil
 	}
-	if len(keybuf) < 22 { // TODO: check
+	if len(keybuf) < 22 {
 		return nil
 	}
-	t := int(keybuf[0])
+	t, keybuf := int(keybuf[0]), keybuf[1:]
 	size := 64 + t*8
+	q, keybuf := keybuf[:20], keybuf[20:]
+	if len(keybuf) != 3*size {
+		return nil
+	}
+	p, keybuf := keybuf[:size], keybuf[size:]
+	g, y := keybuf[:size], keybuf[size:]
 	pubkey := new(dsa.PublicKey)
-	pubkey.Parameters.Q = big.NewInt(0)
-	pubkey.Parameters.Q.SetBytes(keybuf[1:21]) // +/- 1 ?
-	pubkey.Parameters.P = big.NewInt(0)
-	pubkey.Parameters.P.SetBytes(keybuf[22 : 22+size])
-	pubkey.Parameters.G = big.NewInt(0)
-	pubkey.Parameters.G.SetBytes(keybuf[22+size+1 : 22+size*2])
-	pubkey.Y = big.NewInt(0)
-	pubkey.Y.SetBytes(keybuf[22+size*2+1 : 22+size*3])
+	pubkey.Parameters.Q = big.NewInt(0).SetBytes(q)
+	pubkey.Parameters.P = big.NewInt(0).SetBytes(p)
+	pubkey.Parameters.G = big.NewInt(0).SetBytes(g)
+	pubkey.Y = big.NewInt(0).SetBytes(y)
 	return pubkey
 }
 

diff --git a/msg.go b/msg.go
@@ -110,6 +110,7 @@ var TypeToString = map[uint16]string{
 	TypeIPSECKEY:   "IPSECKEY",
 	TypeISDN:       "ISDN",
 	TypeIXFR:       "IXFR", // Meta RR
+	TypeKEY:        "KEY",
 	TypeKX:         "KX",
 	TypeL32:        "L32",
 	TypeL64:        "L64",
@@ -140,6 +141,7 @@ var TypeToString = map[uint16]string{
 	TypeRP:         "RP",
 	TypeRRSIG:      "RRSIG",
 	TypeRT:         "RT",
+	TypeSIG:        "SIG",
 	TypeSOA:        "SOA",
 	TypeSPF:        "SPF",
 	TypeSRV:        "SRV",

diff --git a/sig0.go b/sig0.go
@@ -0,0 +1,261 @@
+// SIG(0)
+//
+// From RFC 2931:
+//
+//     SIG(0) provides protection for DNS transactions and requests ....
+//     ... protection for glue records, DNS requests, protection for message headers
+//     on requests and responses, and protection of the overall integrity of a response.
+//
+// It works like TSIG, except that SIG(0) uses public key cryptography, instead of the shared
+// secret approach in TSIG.
+package dns
+
+import (
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/rsa"
+	"fmt"
+	"math/big"
+	"strings"
+	"time"
+)
+
+// Sign signs a dns.Msg. It fills the signature with the appropriate data.
+// The SIG record should have the SignerName, KeyTag, Algorithm, Inception
+// and Expiration set.
+func (rr *SIG) Sign(k PrivateKey, m *Msg) ([]byte, error) {
+	if k == nil {
+		return nil, ErrPrivKey
+	}
+	if rr.KeyTag == 0 || len(rr.SignerName) == 0 || rr.Algorithm == 0 {
+		return nil, ErrKey
+	}
+	rr.Header().Rrtype = TypeSIG
+	rr.Header().Class = ClassANY
+	rr.Header().Ttl = 0
+	rr.Header().Name = "."
+	rr.OrigTtl = 0
+	rr.TypeCovered = 0
+	rr.Labels = 0
+
+	buflen := m.Len() + rr.len()
+	switch k := k.(type) {
+	case *rsa.PrivateKey:
+		buflen += len(k.N.Bytes())
+	case *dsa.PrivateKey:
+		buflen += 40
+	case *ecdsa.PrivateKey:
+		buflen += 96
+	default:
+		return nil, ErrPrivKey
+	}
+	buf := make([]byte, m.Len()+rr.len()+buflen)
+	mbuf, err := m.PackBuffer(buf)
+	if err != nil {
+		return nil, err
+	}
+	if &buf[0] != &mbuf[0] {
+		return nil, ErrBuf
+	}
+	off, err := PackRR(rr, buf, len(mbuf), nil, false)
+	if err != nil {
+		return nil, err
+	}
+	buf = buf[:off:cap(buf)]
+	var hash crypto.Hash
+	switch rr.Algorithm {
+	case DSA, RSASHA1:
+		hash = crypto.SHA1
+	case RSASHA256, ECDSAP256SHA256:
+		hash = crypto.SHA256
+	case ECDSAP384SHA384:
+		hash = crypto.SHA384
+	case RSASHA512:
+		hash = crypto.SHA512
+	default:
+		return nil, ErrAlg
+	}
+	hasher := hash.New()
+	// Write SIG rdata
+	hasher.Write(buf[len(mbuf)+1+2+2+4+2:])
+	// Write message
+	hasher.Write(buf[:len(mbuf)])
+	hashed := hasher.Sum(nil)
+
+	var sig []byte
+	switch p := k.(type) {
+	case *dsa.PrivateKey:
+		t := byte((len(p.PublicKey.Y.Bytes()) - 64) / 8)
+		r1, s1, err := dsa.Sign(rand.Reader, p, hashed)
+		if err != nil {
+			return nil, err
+		}
+		sig = make([]byte, 0, 1+len(r1.Bytes())+len(s1.Bytes()))
+		sig = append(sig, t)
+		sig = append(sig, r1.Bytes()...)
+		sig = append(sig, s1.Bytes()...)
+	case *rsa.PrivateKey:
+		sig, err = rsa.SignPKCS1v15(rand.Reader, p, hash, hashed)
+		if err != nil {
+			return nil, err
+		}
+	case *ecdsa.PrivateKey:
+		r1, s1, err := ecdsa.Sign(rand.Reader, p, hashed)
+		if err != nil {
+			return nil, err
+		}
+		sig = r1.Bytes()
+		sig = append(sig, s1.Bytes()...)
+	default:
+		return nil, ErrAlg
+	}
+	rr.Signature = unpackBase64(sig)
+	buf = append(buf, sig...)
+	if len(buf) > int(^uint16(0)) {
+		return nil, ErrBuf
+	}
+	// Adjust sig data length
+	rdoff := len(mbuf) + 1 + 2 + 2 + 4
+	rdlen, _ := unpackUint16(buf, rdoff)
+	rdlen += uint16(len(sig))
+	buf[rdoff], buf[rdoff+1] = packUint16(rdlen)
+	// Adjust additional count
+	adc, _ := unpackUint16(buf, 10)
+	adc += 1
+	buf[10], buf[11] = packUint16(adc)
+	return buf, nil
+}
+
+// Verify validates the message buf using the key k.
+// It's assumed that buf is a valid message from which rr was unpacked.
+func (rr *SIG) Verify(k *KEY, buf []byte) error {
+	if k == nil {
+		return ErrKey
+	}
+	if rr.KeyTag == 0 || len(rr.SignerName) == 0 || rr.Algorithm == 0 {
+		return ErrKey
+	}
+
+	var hash crypto.Hash
+	switch rr.Algorithm {
+	case DSA, RSASHA1:
+		hash = crypto.SHA1
+	case RSASHA256, ECDSAP256SHA256:
+		hash = crypto.SHA256
+	case ECDSAP384SHA384:
+		hash = crypto.SHA384
+	case RSASHA512:
+		hash = crypto.SHA512
+	default:
+		return ErrAlg
+	}
+	hasher := hash.New()
+
+	buflen := len(buf)
+	qdc, _ := unpackUint16(buf, 4)
+	anc, _ := unpackUint16(buf, 6)
+	auc, _ := unpackUint16(buf, 8)
+	adc, offset := unpackUint16(buf, 10)
+	var err error
+	for i := uint16(0); i < qdc && offset < buflen; i++ {
+		// decode a name
+		_, offset, err = UnpackDomainName(buf, offset)
+		if err != nil {
+			return err
+		}
+		// skip past Type and Class
+		offset += 2 + 2
+	}
+	for i := uint16(1); i < anc+auc+adc && offset < buflen; i++ {
+		// decode a name
+		_, offset, err = UnpackDomainName(buf, offset)
+		if err != nil {
+			return err
+		}
+		// skip past Type, Class and TTL
+		offset += 2 + 2 + 4
+		var rdlen uint16
+		rdlen, offset = unpackUint16(buf, offset)
+		offset += int(rdlen)
+	}
+	// offset should be just prior to SIG
+	bodyend := offset
+	// Owner name SHOULD be root
+	_, offset, err = UnpackDomainName(buf, offset)
+	if err != nil {
+		return err
+	}
+	// Skip Type, Class, TTL, RDLen
+	offset += 2 + 2 + 4 + 2
+	sigstart := offset
+	offset += 2 + 1 + 1 + 4 // skip Type Covered, Algorithm, Labels, Original TTL
+	// TODO: This should be moved out and used elsewhere
+	unpackUint32 := func(buf []byte, off int) (uint32, int) {
+		r := uint32(buf[off])<<24 | uint32(buf[off+1])<<16 | uint32(buf[off+2])<<8 | uint32(buf[off+3])
+		return r, off + 4
+	}
+	var expire, incept uint32
+	expire, offset = unpackUint32(buf, offset)
+	incept, offset = unpackUint32(buf, offset)
+	now := uint32(time.Now().Unix())
+	if now < incept || now > expire {
+		return ErrTime
+	}
+	offset += 2 // skip key tag
+	var signername string
+	signername, offset, err = UnpackDomainName(buf, offset)
+	if err != nil {
+		return err
+	}
+	// If key has come from the DNS name compression might
+	// have mangled the case of the name
+	if strings.ToLower(signername) != strings.ToLower(k.Header().Name) {
+		return fmt.Errorf("Signer name doesn't match key name")
+	}
+	sigend := offset
+	hasher.Write(buf[sigstart:sigend])
+	hasher.Write(buf[:10])
+	hasher.Write([]byte{
+		byte((adc - 1) << 8),
+		byte(adc - 1),
+	})
+	hasher.Write(buf[12:bodyend])
+
+	hashed := hasher.Sum(nil)
+	sig := buf[sigend:]
+	switch k.Algorithm {
+	case DSA:
+		pk := k.publicKeyDSA()
+		sig = sig[1:]
+		r := big.NewInt(0)
+		r.SetBytes(sig[:len(sig)/2])
+		s := big.NewInt(0)
+		s.SetBytes(sig[len(sig)/2:])
+		if pk != nil {
+			if dsa.Verify(pk, hashed, r, s) {
+				return nil
+			}
+			return ErrSig
+		}
+	case RSASHA1, RSASHA256, RSASHA512:
+		pk := k.publicKeyRSA()
+		if pk != nil {
+			return rsa.VerifyPKCS1v15(pk, hash, hashed, sig)
+		}
+	case ECDSAP256SHA256, ECDSAP384SHA384:
+		pk := k.publicKeyCurve()
+		r := big.NewInt(0)
+		r.SetBytes(sig[:len(sig)/2])
+		s := big.NewInt(0)
+		s.SetBytes(sig[len(sig)/2:])
+		if pk != nil {
+			if ecdsa.Verify(pk, hashed, r, s) {
+				return nil
+			}
+			return ErrSig
+		}
+	}
+	return ErrKeyAlg
+}