From a5f135c6752ad3168901cb1c34e76b95c421de11 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Dec 2022 23:51:19 -0500 Subject: [PATCH] chore(deps): bump github.com/miekg/dns from 1.1.43 to 1.1.50 (#385) Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.43 to 1.1.50. - [Release notes](https://github.com/miekg/dns/releases) - [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release) - [Commits](https://github.com/miekg/dns/compare/v1.1.43...v1.1.50) --- updated-dependencies: - dependency-name: github.com/miekg/dns dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 7 +- vendor/github.com/miekg/dns/README.md | 4 + vendor/github.com/miekg/dns/acceptfunc.go | 2 +- vendor/github.com/miekg/dns/client.go | 127 +++++--- vendor/github.com/miekg/dns/defaults.go | 5 + vendor/github.com/miekg/dns/dnssec.go | 48 +-- vendor/github.com/miekg/dns/doc.go | 2 +- vendor/github.com/miekg/dns/edns.go | 98 +++--- vendor/github.com/miekg/dns/hash.go | 31 ++ vendor/github.com/miekg/dns/msg.go | 14 +- vendor/github.com/miekg/dns/msg_helpers.go | 26 +- vendor/github.com/miekg/dns/server.go | 42 +-- vendor/github.com/miekg/dns/sig0.go | 51 ++-- vendor/github.com/miekg/dns/svcb.go | 330 ++++++++++++++++----- vendor/github.com/miekg/dns/tools.go | 9 + vendor/github.com/miekg/dns/tsig.go | 65 ++-- vendor/github.com/miekg/dns/update.go | 4 +- vendor/github.com/miekg/dns/version.go | 2 +- vendor/github.com/miekg/dns/xfr.go | 27 +- vendor/modules.txt | 2 +- 21 files changed, 617 insertions(+), 281 deletions(-) create mode 100644 vendor/github.com/miekg/dns/hash.go create mode 100644 vendor/github.com/miekg/dns/tools.go diff --git a/go.mod b/go.mod index abd7ee48..dff436f6 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/google/uuid v1.3.0 github.com/gorilla/mux v1.8.0 github.com/lib/pq v1.10.7 - github.com/miekg/dns v1.1.43 + github.com/miekg/dns v1.1.50 github.com/prometheus/client_golang v1.14.0 github.com/wcharczuk/go-chart/v2 v2.1.0 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 diff --git a/go.sum b/go.sum index 0663e04c..61f2747e 100644 --- a/go.sum +++ b/go.sum @@ -246,8 +246,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/ github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= -github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= +github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA= +github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= @@ -403,6 +403,7 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= @@ -486,7 +487,6 @@ golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -583,6 +583,7 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.7 h1:6j8CgantCy3yc8JGBqkDLMKWqZ0RDU2g1HVgacojGWQ= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/vendor/github.com/miekg/dns/README.md b/vendor/github.com/miekg/dns/README.md index d5b78ef4..5a799d88 100644 --- a/vendor/github.com/miekg/dns/README.md +++ b/vendor/github.com/miekg/dns/README.md @@ -73,6 +73,10 @@ A not-so-up-to-date-list-that-may-be-actually-current: * https://github.com/bodgit/tsig * https://github.com/v2fly/v2ray-core (test only) * https://kuma.io/ +* https://www.misaka.io/services/dns +* https://ping.sx/dig +* https://fleetdeck.io/ +* https://github.com/markdingo/autoreverse Send pull request if you want to be listed here. diff --git a/vendor/github.com/miekg/dns/acceptfunc.go b/vendor/github.com/miekg/dns/acceptfunc.go index 3f29a48c..ac479db9 100644 --- a/vendor/github.com/miekg/dns/acceptfunc.go +++ b/vendor/github.com/miekg/dns/acceptfunc.go @@ -12,7 +12,7 @@ type MsgAcceptFunc func(dh Header) MsgAcceptAction // // * Zero bit isn't zero // -// * has more than 1 question in the question section +// * does not have exactly 1 question in the question section // // * has more than 1 RR in the Answer section // diff --git a/vendor/github.com/miekg/dns/client.go b/vendor/github.com/miekg/dns/client.go index f907698b..9aa65853 100644 --- a/vendor/github.com/miekg/dns/client.go +++ b/vendor/github.com/miekg/dns/client.go @@ -18,6 +18,18 @@ const ( tcpIdleTimeout time.Duration = 8 * time.Second ) +func isPacketConn(c net.Conn) bool { + if _, ok := c.(net.PacketConn); !ok { + return false + } + + if ua, ok := c.LocalAddr().(*net.UnixAddr); ok { + return ua.Net == "unixgram" || ua.Net == "unixpacket" + } + + return true +} + // A Conn represents a connection to a DNS server. type Conn struct { net.Conn // a net.Conn holding the connection @@ -27,6 +39,14 @@ type Conn struct { tsigRequestMAC string } +func (co *Conn) tsigProvider() TsigProvider { + if co.TsigProvider != nil { + return co.TsigProvider + } + // tsigSecretProvider will return ErrSecret if co.TsigSecret is nil. + return tsigSecretProvider(co.TsigSecret) +} + // A Client defines parameters for a DNS client. type Client struct { Net string // if "tcp" or "tcp-tls" (DNS over TLS) a TCP query will be initiated, otherwise an UDP one (default is "" for UDP) @@ -82,6 +102,12 @@ func (c *Client) writeTimeout() time.Duration { // Dial connects to the address on the named network. func (c *Client) Dial(address string) (conn *Conn, err error) { + return c.DialContext(context.Background(), address) +} + +// DialContext connects to the address on the named network, with a context.Context. +// For TLS over TCP (DoT) the context isn't used yet. This will be enabled when Go 1.18 is released. +func (c *Client) DialContext(ctx context.Context, address string) (conn *Conn, err error) { // create a new dialer with the appropriate timeout var d net.Dialer if c.Dialer == nil { @@ -101,9 +127,17 @@ func (c *Client) Dial(address string) (conn *Conn, err error) { if useTLS { network = strings.TrimSuffix(network, "-tls") + // TODO(miekg): Enable after Go 1.18 is released, to be able to support two prev. releases. + /* + tlsDialer := tls.Dialer{ + NetDialer: &d, + Config: c.TLSConfig, + } + conn.Conn, err = tlsDialer.DialContext(ctx, network, address) + */ conn.Conn, err = tls.DialWithDialer(&d, network, address, c.TLSConfig) } else { - conn.Conn, err = d.Dial(network, address) + conn.Conn, err = d.DialContext(ctx, network, address) } if err != nil { return nil, err @@ -139,24 +173,34 @@ func (c *Client) Exchange(m *Msg, address string) (r *Msg, rtt time.Duration, er // ExchangeWithConn has the same behavior as Exchange, just with a predetermined connection // that will be used instead of creating a new one. // Usage pattern with a *dns.Client: +// // c := new(dns.Client) // // connection management logic goes here // // conn := c.Dial(address) // in, rtt, err := c.ExchangeWithConn(message, conn) // -// This allows users of the library to implement their own connection management, -// as opposed to Exchange, which will always use new connections and incur the added overhead -// that entails when using "tcp" and especially "tcp-tls" clients. +// This allows users of the library to implement their own connection management, +// as opposed to Exchange, which will always use new connections and incur the added overhead +// that entails when using "tcp" and especially "tcp-tls" clients. +// +// When the singleflight is set for this client the context is _not_ forwarded to the (shared) exchange, to +// prevent one cancelation from canceling all outstanding requests. func (c *Client) ExchangeWithConn(m *Msg, conn *Conn) (r *Msg, rtt time.Duration, err error) { + return c.exchangeWithConnContext(context.Background(), m, conn) +} + +func (c *Client) exchangeWithConnContext(ctx context.Context, m *Msg, conn *Conn) (r *Msg, rtt time.Duration, err error) { if !c.SingleInflight { - return c.exchange(m, conn) + return c.exchangeContext(ctx, m, conn) } q := m.Question[0] key := fmt.Sprintf("%s:%d:%d", q.Name, q.Qtype, q.Qclass) r, rtt, err, shared := c.group.Do(key, func() (*Msg, time.Duration, error) { - return c.exchange(m, conn) + // When we're doing singleflight we don't want one context cancelation, cancel _all_ outstanding queries. + // Hence we ignore the context and use Background(). + return c.exchangeContext(context.Background(), m, conn) }) if r != nil && shared { r = r.Copy() @@ -165,8 +209,7 @@ func (c *Client) ExchangeWithConn(m *Msg, conn *Conn) (r *Msg, rtt time.Duration return r, rtt, err } -func (c *Client) exchange(m *Msg, co *Conn) (r *Msg, rtt time.Duration, err error) { - +func (c *Client) exchangeContext(ctx context.Context, m *Msg, co *Conn) (r *Msg, rtt time.Duration, err error) { opt := m.IsEdns0() // If EDNS0 is used use that for size. if opt != nil && opt.UDPSize() >= MinMsgSize { @@ -177,16 +220,28 @@ func (c *Client) exchange(m *Msg, co *Conn) (r *Msg, rtt time.Duration, err erro co.UDPSize = c.UDPSize } - co.TsigSecret, co.TsigProvider = c.TsigSecret, c.TsigProvider - t := time.Now() // write with the appropriate write timeout - co.SetWriteDeadline(t.Add(c.getTimeoutForRequest(c.writeTimeout()))) + t := time.Now() + writeDeadline := t.Add(c.getTimeoutForRequest(c.writeTimeout())) + readDeadline := t.Add(c.getTimeoutForRequest(c.readTimeout())) + if deadline, ok := ctx.Deadline(); ok { + if deadline.Before(writeDeadline) { + writeDeadline = deadline + } + if deadline.Before(readDeadline) { + readDeadline = deadline + } + } + co.SetWriteDeadline(writeDeadline) + co.SetReadDeadline(readDeadline) + + co.TsigSecret, co.TsigProvider = c.TsigSecret, c.TsigProvider + if err = co.WriteMsg(m); err != nil { return nil, 0, err } - co.SetReadDeadline(time.Now().Add(c.getTimeoutForRequest(c.readTimeout()))) - if _, ok := co.Conn.(net.PacketConn); ok { + if isPacketConn(co.Conn) { for { r, err = co.ReadMsg() // Ignore replies with mismatched IDs because they might be @@ -224,15 +279,8 @@ func (co *Conn) ReadMsg() (*Msg, error) { return m, err } if t := m.IsTsig(); t != nil { - if co.TsigProvider != nil { - err = tsigVerifyProvider(p, co.TsigProvider, co.tsigRequestMAC, false) - } else { - if _, ok := co.TsigSecret[t.Hdr.Name]; !ok { - return m, ErrSecret - } - // Need to work on the original message p, as that was used to calculate the tsig. - err = TsigVerify(p, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false) - } + // Need to work on the original message p, as that was used to calculate the tsig. + err = TsigVerifyWithProvider(p, co.tsigProvider(), co.tsigRequestMAC, false) } return m, err } @@ -247,7 +295,7 @@ func (co *Conn) ReadMsgHeader(hdr *Header) ([]byte, error) { err error ) - if _, ok := co.Conn.(net.PacketConn); ok { + if isPacketConn(co.Conn) { if co.UDPSize > MinMsgSize { p = make([]byte, co.UDPSize) } else { @@ -287,7 +335,7 @@ func (co *Conn) Read(p []byte) (n int, err error) { return 0, ErrConnEmpty } - if _, ok := co.Conn.(net.PacketConn); ok { + if isPacketConn(co.Conn) { // UDP connection return co.Conn.Read(p) } @@ -309,17 +357,8 @@ func (co *Conn) Read(p []byte) (n int, err error) { func (co *Conn) WriteMsg(m *Msg) (err error) { var out []byte if t := m.IsTsig(); t != nil { - mac := "" - if co.TsigProvider != nil { - out, mac, err = tsigGenerateProvider(m, co.TsigProvider, co.tsigRequestMAC, false) - } else { - if _, ok := co.TsigSecret[t.Hdr.Name]; !ok { - return ErrSecret - } - out, mac, err = TsigGenerate(m, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false) - } - // Set for the next read, although only used in zone transfers - co.tsigRequestMAC = mac + // Set tsigRequestMAC for the next read, although only used in zone transfers. + out, co.tsigRequestMAC, err = TsigGenerateWithProvider(m, co.tsigProvider(), co.tsigRequestMAC, false) } else { out, err = m.Pack() } @@ -336,7 +375,7 @@ func (co *Conn) Write(p []byte) (int, error) { return 0, &Error{err: "message too large"} } - if _, ok := co.Conn.(net.PacketConn); ok { + if isPacketConn(co.Conn) { return co.Conn.Write(p) } @@ -435,15 +474,11 @@ func DialTimeoutWithTLS(network, address string, tlsConfig *tls.Config, timeout // context, if present. If there is both a context deadline and a configured // timeout on the client, the earliest of the two takes effect. func (c *Client) ExchangeContext(ctx context.Context, m *Msg, a string) (r *Msg, rtt time.Duration, err error) { - var timeout time.Duration - if deadline, ok := ctx.Deadline(); !ok { - timeout = 0 - } else { - timeout = time.Until(deadline) + conn, err := c.DialContext(ctx, a) + if err != nil { + return nil, 0, err } - // not passing the context to the underlying calls, as the API does not support - // context. For timeouts you should set up Client.Dialer and call Client.Exchange. - // TODO(tmthrgd,miekg): this is a race condition. - c.Dialer = &net.Dialer{Timeout: timeout} - return c.Exchange(m, a) + defer conn.Close() + + return c.exchangeWithConnContext(ctx, m, conn) } diff --git a/vendor/github.com/miekg/dns/defaults.go b/vendor/github.com/miekg/dns/defaults.go index d47b0b1f..f2cdbf43 100644 --- a/vendor/github.com/miekg/dns/defaults.go +++ b/vendor/github.com/miekg/dns/defaults.go @@ -218,6 +218,11 @@ func IsDomainName(s string) (labels int, ok bool) { wasDot = false case '.': + if i == 0 && len(s) > 1 { + // leading dots are not legal except for the root zone + return labels, false + } + if wasDot { // two dots back to back is not legal return labels, false diff --git a/vendor/github.com/miekg/dns/dnssec.go b/vendor/github.com/miekg/dns/dnssec.go index 8539aae6..ea01aa81 100644 --- a/vendor/github.com/miekg/dns/dnssec.go +++ b/vendor/github.com/miekg/dns/dnssec.go @@ -65,6 +65,9 @@ var AlgorithmToString = map[uint8]string{ } // AlgorithmToHash is a map of algorithm crypto hash IDs to crypto.Hash's. +// For newer algorithm that do their own hashing (i.e. ED25519) the returned value +// is 0, implying no (external) hashing should occur. The non-exported identityHash is then +// used. var AlgorithmToHash = map[uint8]crypto.Hash{ RSAMD5: crypto.MD5, // Deprecated in RFC 6725 DSA: crypto.SHA1, @@ -74,7 +77,7 @@ var AlgorithmToHash = map[uint8]crypto.Hash{ ECDSAP256SHA256: crypto.SHA256, ECDSAP384SHA384: crypto.SHA384, RSASHA512: crypto.SHA512, - ED25519: crypto.Hash(0), + ED25519: 0, } // DNSSEC hashing algorithm codes. @@ -137,12 +140,12 @@ func (k *DNSKEY) KeyTag() uint16 { var keytag int switch k.Algorithm { case RSAMD5: - // Look at the bottom two bytes of the modules, which the last - // item in the pubkey. // This algorithm has been deprecated, but keep this key-tag calculation. + // Look at the bottom two bytes of the modules, which the last item in the pubkey. + // See https://www.rfc-editor.org/errata/eid193 . modulus, _ := fromBase64([]byte(k.PublicKey)) if len(modulus) > 1 { - x := binary.BigEndian.Uint16(modulus[len(modulus)-2:]) + x := binary.BigEndian.Uint16(modulus[len(modulus)-3:]) keytag = int(x) } default: @@ -296,35 +299,20 @@ func (rr *RRSIG) Sign(k crypto.Signer, rrset []RR) error { return err } - hash, ok := AlgorithmToHash[rr.Algorithm] - if !ok { - return ErrAlg + h, cryptohash, err := hashFromAlgorithm(rr.Algorithm) + if err != nil { + return err } switch rr.Algorithm { - case ED25519: - // ed25519 signs the raw message and performs hashing internally. - // All other supported signature schemes operate over the pre-hashed - // message, and thus ed25519 must be handled separately here. - // - // The raw message is passed directly into sign and crypto.Hash(0) is - // used to signal to the crypto.Signer that the data has not been hashed. - signature, err := sign(k, append(signdata, wire...), crypto.Hash(0), rr.Algorithm) - if err != nil { - return err - } - - rr.Signature = toBase64(signature) - return nil case RSAMD5, DSA, DSANSEC3SHA1: // See RFC 6944. return ErrAlg default: - h := hash.New() h.Write(signdata) h.Write(wire) - signature, err := sign(k, h.Sum(nil), hash, rr.Algorithm) + signature, err := sign(k, h.Sum(nil), cryptohash, rr.Algorithm) if err != nil { return err } @@ -341,7 +329,7 @@ func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte, } switch alg { - case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512: + case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512, ED25519: return signature, nil case ECDSAP256SHA256, ECDSAP384SHA384: ecdsaSignature := &struct { @@ -362,8 +350,6 @@ func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte, signature := intToBytes(ecdsaSignature.R, intlen) signature = append(signature, intToBytes(ecdsaSignature.S, intlen)...) return signature, nil - case ED25519: - return signature, nil default: return nil, ErrAlg } @@ -437,9 +423,9 @@ func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error { // remove the domain name and assume its ours? } - hash, ok := AlgorithmToHash[rr.Algorithm] - if !ok { - return ErrAlg + h, cryptohash, err := hashFromAlgorithm(rr.Algorithm) + if err != nil { + return err } switch rr.Algorithm { @@ -450,10 +436,9 @@ func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error { return ErrKey } - h := hash.New() h.Write(signeddata) h.Write(wire) - return rsa.VerifyPKCS1v15(pubkey, hash, h.Sum(nil), sigbuf) + return rsa.VerifyPKCS1v15(pubkey, cryptohash, h.Sum(nil), sigbuf) case ECDSAP256SHA256, ECDSAP384SHA384: pubkey := k.publicKeyECDSA() @@ -465,7 +450,6 @@ func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error { r := new(big.Int).SetBytes(sigbuf[:len(sigbuf)/2]) s := new(big.Int).SetBytes(sigbuf[len(sigbuf)/2:]) - h := hash.New() h.Write(signeddata) h.Write(wire) if ecdsa.Verify(pubkey, h.Sum(nil), r, s) { diff --git a/vendor/github.com/miekg/dns/doc.go b/vendor/github.com/miekg/dns/doc.go index 5c83f82e..f00f5722 100644 --- a/vendor/github.com/miekg/dns/doc.go +++ b/vendor/github.com/miekg/dns/doc.go @@ -251,7 +251,7 @@ information. EDNS0 EDNS0 is an extension mechanism for the DNS defined in RFC 2671 and updated by -RFC 6891. It defines an new RR type, the OPT RR, which is then completely +RFC 6891. It defines a new RR type, the OPT RR, which is then completely abused. Basic use pattern for creating an (empty) OPT RR: diff --git a/vendor/github.com/miekg/dns/edns.go b/vendor/github.com/miekg/dns/edns.go index c9181783..14568c2e 100644 --- a/vendor/github.com/miekg/dns/edns.go +++ b/vendor/github.com/miekg/dns/edns.go @@ -14,6 +14,7 @@ const ( EDNS0LLQ = 0x1 // long lived queries: http://tools.ietf.org/html/draft-sekar-dns-llq-01 EDNS0UL = 0x2 // update lease draft: http://files.dns-sd.org/draft-sekar-dns-ul.txt EDNS0NSID = 0x3 // nsid (See RFC 5001) + EDNS0ESU = 0x4 // ENUM Source-URI draft: https://datatracker.ietf.org/doc/html/draft-kaplan-enum-source-uri-00 EDNS0DAU = 0x5 // DNSSEC Algorithm Understood EDNS0DHU = 0x6 // DS Hash Understood EDNS0N3U = 0x7 // NSEC3 Hash Understood @@ -56,6 +57,8 @@ func makeDataOpt(code uint16) EDNS0 { return new(EDNS0_PADDING) case EDNS0EDE: return new(EDNS0_EDE) + case EDNS0ESU: + return &EDNS0_ESU{Code: EDNS0ESU} default: e := new(EDNS0_LOCAL) e.Code = code @@ -95,6 +98,8 @@ func (rr *OPT) String() string { s += "\n; SUBNET: " + o.String() case *EDNS0_COOKIE: s += "\n; COOKIE: " + o.String() + case *EDNS0_TCP_KEEPALIVE: + s += "\n; KEEPALIVE: " + o.String() case *EDNS0_UL: s += "\n; UPDATE LEASE: " + o.String() case *EDNS0_LLQ: @@ -111,6 +116,8 @@ func (rr *OPT) String() string { s += "\n; PADDING: " + o.String() case *EDNS0_EDE: s += "\n; EDE: " + o.String() + case *EDNS0_ESU: + s += "\n; ESU: " + o.String() } } return s @@ -577,14 +584,17 @@ func (e *EDNS0_N3U) copy() EDNS0 { return &EDNS0_N3U{e.Code, e.AlgCode} } type EDNS0_EXPIRE struct { Code uint16 // Always EDNS0EXPIRE Expire uint32 + Empty bool // Empty is used to signal an empty Expire option in a backwards compatible way, it's not used on the wire. } // Option implements the EDNS0 interface. func (e *EDNS0_EXPIRE) Option() uint16 { return EDNS0EXPIRE } -func (e *EDNS0_EXPIRE) String() string { return strconv.FormatUint(uint64(e.Expire), 10) } -func (e *EDNS0_EXPIRE) copy() EDNS0 { return &EDNS0_EXPIRE{e.Code, e.Expire} } +func (e *EDNS0_EXPIRE) copy() EDNS0 { return &EDNS0_EXPIRE{e.Code, e.Expire, e.Empty} } func (e *EDNS0_EXPIRE) pack() ([]byte, error) { + if e.Empty { + return []byte{}, nil + } b := make([]byte, 4) binary.BigEndian.PutUint32(b, e.Expire) return b, nil @@ -593,15 +603,24 @@ func (e *EDNS0_EXPIRE) pack() ([]byte, error) { func (e *EDNS0_EXPIRE) unpack(b []byte) error { if len(b) == 0 { // zero-length EXPIRE query, see RFC 7314 Section 2 + e.Empty = true return nil } if len(b) < 4 { return ErrBuf } e.Expire = binary.BigEndian.Uint32(b) + e.Empty = false return nil } +func (e *EDNS0_EXPIRE) String() (s string) { + if e.Empty { + return "" + } + return strconv.FormatUint(uint64(e.Expire), 10) +} + // The EDNS0_LOCAL option is used for local/experimental purposes. The option // code is recommended to be within the range [EDNS0LOCALSTART, EDNS0LOCALEND] // (RFC6891), although any unassigned code can actually be used. The content of @@ -652,57 +671,52 @@ func (e *EDNS0_LOCAL) unpack(b []byte) error { // EDNS0_TCP_KEEPALIVE is an EDNS0 option that instructs the server to keep // the TCP connection alive. See RFC 7828. type EDNS0_TCP_KEEPALIVE struct { - Code uint16 // Always EDNSTCPKEEPALIVE - Length uint16 // the value 0 if the TIMEOUT is omitted, the value 2 if it is present; - Timeout uint16 // an idle timeout value for the TCP connection, specified in units of 100 milliseconds, encoded in network byte order. + Code uint16 // Always EDNSTCPKEEPALIVE + + // Timeout is an idle timeout value for the TCP connection, specified in + // units of 100 milliseconds, encoded in network byte order. If set to 0, + // pack will return a nil slice. + Timeout uint16 + + // Length is the option's length. + // Deprecated: this field is deprecated and is always equal to 0. + Length uint16 } // Option implements the EDNS0 interface. func (e *EDNS0_TCP_KEEPALIVE) Option() uint16 { return EDNS0TCPKEEPALIVE } func (e *EDNS0_TCP_KEEPALIVE) pack() ([]byte, error) { - if e.Timeout != 0 && e.Length != 2 { - return nil, errors.New("dns: timeout specified but length is not 2") + if e.Timeout > 0 { + b := make([]byte, 2) + binary.BigEndian.PutUint16(b, e.Timeout) + return b, nil } - if e.Timeout == 0 && e.Length != 0 { - return nil, errors.New("dns: timeout not specified but length is not 0") - } - b := make([]byte, 4+e.Length) - binary.BigEndian.PutUint16(b[0:], e.Code) - binary.BigEndian.PutUint16(b[2:], e.Length) - if e.Length == 2 { - binary.BigEndian.PutUint16(b[4:], e.Timeout) - } - return b, nil + return nil, nil } func (e *EDNS0_TCP_KEEPALIVE) unpack(b []byte) error { - if len(b) < 4 { - return ErrBuf - } - e.Length = binary.BigEndian.Uint16(b[2:4]) - if e.Length != 0 && e.Length != 2 { - return errors.New("dns: length mismatch, want 0/2 but got " + strconv.FormatUint(uint64(e.Length), 10)) - } - if e.Length == 2 { - if len(b) < 6 { - return ErrBuf - } - e.Timeout = binary.BigEndian.Uint16(b[4:6]) + switch len(b) { + case 0: + case 2: + e.Timeout = binary.BigEndian.Uint16(b) + default: + return fmt.Errorf("dns: length mismatch, want 0/2 but got %d", len(b)) } return nil } -func (e *EDNS0_TCP_KEEPALIVE) String() (s string) { - s = "use tcp keep-alive" - if e.Length == 0 { +func (e *EDNS0_TCP_KEEPALIVE) String() string { + s := "use tcp keep-alive" + if e.Timeout == 0 { s += ", timeout omitted" } else { s += fmt.Sprintf(", timeout %dms", e.Timeout*100) } - return + return s } -func (e *EDNS0_TCP_KEEPALIVE) copy() EDNS0 { return &EDNS0_TCP_KEEPALIVE{e.Code, e.Length, e.Timeout} } + +func (e *EDNS0_TCP_KEEPALIVE) copy() EDNS0 { return &EDNS0_TCP_KEEPALIVE{e.Code, e.Timeout, e.Length} } // EDNS0_PADDING option is used to add padding to a request/response. The default // value of padding SHOULD be 0x0 but other values MAY be used, for instance if @@ -819,3 +833,19 @@ func (e *EDNS0_EDE) unpack(b []byte) error { e.ExtraText = string(b[2:]) return nil } + +// The EDNS0_ESU option for ENUM Source-URI Extension +type EDNS0_ESU struct { + Code uint16 + Uri string +} + +// Option implements the EDNS0 interface. +func (e *EDNS0_ESU) Option() uint16 { return EDNS0ESU } +func (e *EDNS0_ESU) String() string { return e.Uri } +func (e *EDNS0_ESU) copy() EDNS0 { return &EDNS0_ESU{e.Code, e.Uri} } +func (e *EDNS0_ESU) pack() ([]byte, error) { return []byte(e.Uri), nil } +func (e *EDNS0_ESU) unpack(b []byte) error { + e.Uri = string(b) + return nil +} diff --git a/vendor/github.com/miekg/dns/hash.go b/vendor/github.com/miekg/dns/hash.go new file mode 100644 index 00000000..7d4183e0 --- /dev/null +++ b/vendor/github.com/miekg/dns/hash.go @@ -0,0 +1,31 @@ +package dns + +import ( + "bytes" + "crypto" + "hash" +) + +// identityHash will not hash, it only buffers the data written into it and returns it as-is. +type identityHash struct { + b *bytes.Buffer +} + +// Implement the hash.Hash interface. + +func (i identityHash) Write(b []byte) (int, error) { return i.b.Write(b) } +func (i identityHash) Size() int { return i.b.Len() } +func (i identityHash) BlockSize() int { return 1024 } +func (i identityHash) Reset() { i.b.Reset() } +func (i identityHash) Sum(b []byte) []byte { return append(b, i.b.Bytes()...) } + +func hashFromAlgorithm(alg uint8) (hash.Hash, crypto.Hash, error) { + hashnumber, ok := AlgorithmToHash[alg] + if !ok { + return nil, 0, ErrAlg + } + if hashnumber == 0 { + return identityHash{b: &bytes.Buffer{}}, hashnumber, nil + } + return hashnumber.New(), hashnumber, nil +} diff --git a/vendor/github.com/miekg/dns/msg.go b/vendor/github.com/miekg/dns/msg.go index ead4b693..89ebb64a 100644 --- a/vendor/github.com/miekg/dns/msg.go +++ b/vendor/github.com/miekg/dns/msg.go @@ -265,6 +265,11 @@ loop: wasDot = false case '.': + if i == 0 && len(s) > 1 { + // leading dots are not legal except for the root zone + return len(msg), ErrRdata + } + if wasDot { // two dots back to back is not legal return len(msg), ErrRdata @@ -901,6 +906,11 @@ func (dns *Msg) String() string { s += "ANSWER: " + strconv.Itoa(len(dns.Answer)) + ", " s += "AUTHORITY: " + strconv.Itoa(len(dns.Ns)) + ", " s += "ADDITIONAL: " + strconv.Itoa(len(dns.Extra)) + "\n" + opt := dns.IsEdns0() + if opt != nil { + // OPT PSEUDOSECTION + s += opt.String() + "\n" + } if len(dns.Question) > 0 { s += "\n;; QUESTION SECTION:\n" for _, r := range dns.Question { @@ -923,10 +933,10 @@ func (dns *Msg) String() string { } } } - if len(dns.Extra) > 0 { + if len(dns.Extra) > 0 && (opt == nil || len(dns.Extra) > 1) { s += "\n;; ADDITIONAL SECTION:\n" for _, r := range dns.Extra { - if r != nil { + if r != nil && r.Header().Rrtype != TypeOPT { s += r.String() + "\n" } } diff --git a/vendor/github.com/miekg/dns/msg_helpers.go b/vendor/github.com/miekg/dns/msg_helpers.go index 5904927c..ea2035cd 100644 --- a/vendor/github.com/miekg/dns/msg_helpers.go +++ b/vendor/github.com/miekg/dns/msg_helpers.go @@ -476,7 +476,7 @@ func unpackDataNsec(msg []byte, off int) ([]uint16, int, error) { length, window, lastwindow := 0, 0, -1 for off < len(msg) { if off+2 > len(msg) { - return nsec, len(msg), &Error{err: "overflow unpacking nsecx"} + return nsec, len(msg), &Error{err: "overflow unpacking NSEC(3)"} } window = int(msg[off]) length = int(msg[off+1]) @@ -484,17 +484,17 @@ func unpackDataNsec(msg []byte, off int) ([]uint16, int, error) { if window <= lastwindow { // RFC 4034: Blocks are present in the NSEC RR RDATA in // increasing numerical order. - return nsec, len(msg), &Error{err: "out of order NSEC block"} + return nsec, len(msg), &Error{err: "out of order NSEC(3) block in type bitmap"} } if length == 0 { // RFC 4034: Blocks with no types present MUST NOT be included. - return nsec, len(msg), &Error{err: "empty NSEC block"} + return nsec, len(msg), &Error{err: "empty NSEC(3) block in type bitmap"} } if length > 32 { - return nsec, len(msg), &Error{err: "NSEC block too long"} + return nsec, len(msg), &Error{err: "NSEC(3) block too long in type bitmap"} } if off+length > len(msg) { - return nsec, len(msg), &Error{err: "overflowing NSEC block"} + return nsec, len(msg), &Error{err: "overflowing NSEC(3) block in type bitmap"} } // Walk the bytes in the window and extract the type bits @@ -558,6 +558,16 @@ func packDataNsec(bitmap []uint16, msg []byte, off int) (int, error) { if len(bitmap) == 0 { return off, nil } + if off > len(msg) { + return off, &Error{err: "overflow packing nsec"} + } + toZero := msg[off:] + if maxLen := typeBitMapLen(bitmap); maxLen < len(toZero) { + toZero = toZero[:maxLen] + } + for i := range toZero { + toZero[i] = 0 + } var lastwindow, lastlength uint16 for _, t := range bitmap { window := t / 256 @@ -781,6 +791,8 @@ func unpackDataAplPrefix(msg []byte, off int) (APLPrefix, int, error) { if off+afdlen > len(msg) { return APLPrefix{}, len(msg), &Error{err: "overflow unpacking APL address"} } + + // Address MUST NOT contain trailing zero bytes per RFC3123 Sections 4.1 and 4.2. off += copy(ip, msg[off:off+afdlen]) if afdlen > 0 { last := ip[afdlen-1] @@ -792,10 +804,6 @@ func unpackDataAplPrefix(msg []byte, off int) (APLPrefix, int, error) { IP: ip, Mask: net.CIDRMask(int(prefix), 8*len(ip)), } - network := ipnet.IP.Mask(ipnet.Mask) - if !network.Equal(ipnet.IP) { - return APLPrefix{}, len(msg), &Error{err: "invalid APL address length"} - } return APLPrefix{ Negation: (nlen & 0x80) != 0, diff --git a/vendor/github.com/miekg/dns/server.go b/vendor/github.com/miekg/dns/server.go index b2a63bda..4e5a9aa8 100644 --- a/vendor/github.com/miekg/dns/server.go +++ b/vendor/github.com/miekg/dns/server.go @@ -71,12 +71,12 @@ type response struct { tsigTimersOnly bool tsigStatus error tsigRequestMAC string - tsigSecret map[string]string // the tsig secrets - udp net.PacketConn // i/o connection if UDP was used - tcp net.Conn // i/o connection if TCP was used - udpSession *SessionUDP // oob data to get egress interface right - pcSession net.Addr // address to use when writing to a generic net.PacketConn - writer Writer // writer to output the raw DNS bits + tsigProvider TsigProvider + udp net.PacketConn // i/o connection if UDP was used + tcp net.Conn // i/o connection if TCP was used + udpSession *SessionUDP // oob data to get egress interface right + pcSession net.Addr // address to use when writing to a generic net.PacketConn + writer Writer // writer to output the raw DNS bits } // handleRefused returns a HandlerFunc that returns REFUSED for every request it gets. @@ -211,6 +211,8 @@ type Server struct { WriteTimeout time.Duration // TCP idle timeout for multiple queries, if nil, defaults to 8 * time.Second (RFC 5966). IdleTimeout func() time.Duration + // An implementation of the TsigProvider interface. If defined it replaces TsigSecret and is used for all TSIG operations. + TsigProvider TsigProvider // Secret(s) for Tsig map[]. The zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2). TsigSecret map[string]string // If NotifyStartedFunc is set it is called once the server has started listening. @@ -238,6 +240,16 @@ type Server struct { udpPool sync.Pool } +func (srv *Server) tsigProvider() TsigProvider { + if srv.TsigProvider != nil { + return srv.TsigProvider + } + if srv.TsigSecret != nil { + return tsigSecretProvider(srv.TsigSecret) + } + return nil +} + func (srv *Server) isStarted() bool { srv.lock.RLock() started := srv.started @@ -526,7 +538,7 @@ func (srv *Server) serveUDP(l net.PacketConn) error { // Serve a new TCP connection. func (srv *Server) serveTCPConn(wg *sync.WaitGroup, rw net.Conn) { - w := &response{tsigSecret: srv.TsigSecret, tcp: rw} + w := &response{tsigProvider: srv.tsigProvider(), tcp: rw} if srv.DecorateWriter != nil { w.writer = srv.DecorateWriter(w) } else { @@ -581,7 +593,7 @@ func (srv *Server) serveTCPConn(wg *sync.WaitGroup, rw net.Conn) { // Serve a new UDP request. func (srv *Server) serveUDPPacket(wg *sync.WaitGroup, m []byte, u net.PacketConn, udpSession *SessionUDP, pcSession net.Addr) { - w := &response{tsigSecret: srv.TsigSecret, udp: u, udpSession: udpSession, pcSession: pcSession} + w := &response{tsigProvider: srv.tsigProvider(), udp: u, udpSession: udpSession, pcSession: pcSession} if srv.DecorateWriter != nil { w.writer = srv.DecorateWriter(w) } else { @@ -632,15 +644,11 @@ func (srv *Server) serveDNS(m []byte, w *response) { } w.tsigStatus = nil - if w.tsigSecret != nil { + if w.tsigProvider != nil { if t := req.IsTsig(); t != nil { - if secret, ok := w.tsigSecret[t.Hdr.Name]; ok { - w.tsigStatus = TsigVerify(m, secret, "", false) - } else { - w.tsigStatus = ErrSecret - } + w.tsigStatus = TsigVerifyWithProvider(m, w.tsigProvider, "", false) w.tsigTimersOnly = false - w.tsigRequestMAC = req.Extra[len(req.Extra)-1].(*TSIG).MAC + w.tsigRequestMAC = t.MAC } } @@ -718,9 +726,9 @@ func (w *response) WriteMsg(m *Msg) (err error) { } var data []byte - if w.tsigSecret != nil { // if no secrets, dont check for the tsig (which is a longer check) + if w.tsigProvider != nil { // if no provider, dont check for the tsig (which is a longer check) if t := m.IsTsig(); t != nil { - data, w.tsigRequestMAC, err = TsigGenerate(m, w.tsigSecret[t.Hdr.Name], w.tsigRequestMAC, w.tsigTimersOnly) + data, w.tsigRequestMAC, err = TsigGenerateWithProvider(m, w.tsigProvider, w.tsigRequestMAC, w.tsigTimersOnly) if err != nil { return err } diff --git a/vendor/github.com/miekg/dns/sig0.go b/vendor/github.com/miekg/dns/sig0.go index e781c9bb..2c4b1035 100644 --- a/vendor/github.com/miekg/dns/sig0.go +++ b/vendor/github.com/miekg/dns/sig0.go @@ -3,6 +3,7 @@ package dns import ( "crypto" "crypto/ecdsa" + "crypto/ed25519" "crypto/rsa" "encoding/binary" "math/big" @@ -38,18 +39,17 @@ func (rr *SIG) Sign(k crypto.Signer, m *Msg) ([]byte, error) { } buf = buf[:off:cap(buf)] - hash, ok := AlgorithmToHash[rr.Algorithm] - if !ok { - return nil, ErrAlg + h, cryptohash, err := hashFromAlgorithm(rr.Algorithm) + if err != nil { + return nil, err } - hasher := hash.New() // Write SIG rdata - hasher.Write(buf[len(mbuf)+1+2+2+4+2:]) + h.Write(buf[len(mbuf)+1+2+2+4+2:]) // Write message - hasher.Write(buf[:len(mbuf)]) + h.Write(buf[:len(mbuf)]) - signature, err := sign(k, hasher.Sum(nil), hash, rr.Algorithm) + signature, err := sign(k, h.Sum(nil), cryptohash, rr.Algorithm) if err != nil { return nil, err } @@ -82,20 +82,10 @@ func (rr *SIG) Verify(k *KEY, buf []byte) error { return ErrKey } - var hash crypto.Hash - switch rr.Algorithm { - case RSASHA1: - hash = crypto.SHA1 - case RSASHA256, ECDSAP256SHA256: - hash = crypto.SHA256 - case ECDSAP384SHA384: - hash = crypto.SHA384 - case RSASHA512: - hash = crypto.SHA512 - default: - return ErrAlg + h, cryptohash, err := hashFromAlgorithm(rr.Algorithm) + if err != nil { + return err } - hasher := hash.New() buflen := len(buf) qdc := binary.BigEndian.Uint16(buf[4:]) @@ -103,7 +93,6 @@ func (rr *SIG) Verify(k *KEY, buf []byte) error { auc := binary.BigEndian.Uint16(buf[8:]) adc := binary.BigEndian.Uint16(buf[10:]) offset := headerSize - var err error for i := uint16(0); i < qdc && offset < buflen; i++ { _, offset, err = UnpackDomainName(buf, offset) if err != nil { @@ -166,21 +155,21 @@ func (rr *SIG) Verify(k *KEY, buf []byte) error { return &Error{err: "signer name doesn't match key name"} } sigend := offset - hasher.Write(buf[sigstart:sigend]) - hasher.Write(buf[:10]) - hasher.Write([]byte{ + h.Write(buf[sigstart:sigend]) + h.Write(buf[:10]) + h.Write([]byte{ byte((adc - 1) << 8), byte(adc - 1), }) - hasher.Write(buf[12:bodyend]) + h.Write(buf[12:bodyend]) - hashed := hasher.Sum(nil) + hashed := h.Sum(nil) sig := buf[sigend:] switch k.Algorithm { case RSASHA1, RSASHA256, RSASHA512: pk := k.publicKeyRSA() if pk != nil { - return rsa.VerifyPKCS1v15(pk, hash, hashed, sig) + return rsa.VerifyPKCS1v15(pk, cryptohash, hashed, sig) } case ECDSAP256SHA256, ECDSAP384SHA384: pk := k.publicKeyECDSA() @@ -192,6 +181,14 @@ func (rr *SIG) Verify(k *KEY, buf []byte) error { } return ErrSig } + case ED25519: + pk := k.publicKeyED25519() + if pk != nil { + if ed25519.Verify(pk, hashed, sig) { + return nil + } + return ErrSig + } } return ErrKeyAlg } diff --git a/vendor/github.com/miekg/dns/svcb.go b/vendor/github.com/miekg/dns/svcb.go index 3344253c..ea58710d 100644 --- a/vendor/github.com/miekg/dns/svcb.go +++ b/vendor/github.com/miekg/dns/svcb.go @@ -4,6 +4,7 @@ import ( "bytes" "encoding/binary" "errors" + "fmt" "net" "sort" "strconv" @@ -13,16 +14,18 @@ import ( // SVCBKey is the type of the keys used in the SVCB RR. type SVCBKey uint16 -// Keys defined in draft-ietf-dnsop-svcb-https-01 Section 12.3.2. +// Keys defined in draft-ietf-dnsop-svcb-https-08 Section 14.3.2. const ( - SVCB_MANDATORY SVCBKey = 0 - SVCB_ALPN SVCBKey = 1 - SVCB_NO_DEFAULT_ALPN SVCBKey = 2 - SVCB_PORT SVCBKey = 3 - SVCB_IPV4HINT SVCBKey = 4 - SVCB_ECHCONFIG SVCBKey = 5 - SVCB_IPV6HINT SVCBKey = 6 - svcb_RESERVED SVCBKey = 65535 + SVCB_MANDATORY SVCBKey = iota + SVCB_ALPN + SVCB_NO_DEFAULT_ALPN + SVCB_PORT + SVCB_IPV4HINT + SVCB_ECHCONFIG + SVCB_IPV6HINT + SVCB_DOHPATH // draft-ietf-add-svcb-dns-02 Section 9 + + svcb_RESERVED SVCBKey = 65535 ) var svcbKeyToStringMap = map[SVCBKey]string{ @@ -31,8 +34,9 @@ var svcbKeyToStringMap = map[SVCBKey]string{ SVCB_NO_DEFAULT_ALPN: "no-default-alpn", SVCB_PORT: "port", SVCB_IPV4HINT: "ipv4hint", - SVCB_ECHCONFIG: "echconfig", + SVCB_ECHCONFIG: "ech", SVCB_IPV6HINT: "ipv6hint", + SVCB_DOHPATH: "dohpath", } var svcbStringToKeyMap = reverseSVCBKeyMap(svcbKeyToStringMap) @@ -167,10 +171,14 @@ func (rr *SVCB) parse(c *zlexer, o string) *ParseError { } l, _ = c.Next() } + + // "In AliasMode, records SHOULD NOT include any SvcParams, and recipients MUST + // ignore any SvcParams that are present." + // However, we don't check rr.Priority == 0 && len(xs) > 0 here + // It is the responsibility of the user of the library to check this. + // This is to encourage the fixing of the source of this error. + rr.Value = xs - if rr.Priority == 0 && len(xs) > 0 { - return &ParseError{l.token, "SVCB aliasform can't have values", l} - } return nil } @@ -191,6 +199,8 @@ func makeSVCBKeyValue(key SVCBKey) SVCBKeyValue { return new(SVCBECHConfig) case SVCB_IPV6HINT: return new(SVCBIPv6Hint) + case SVCB_DOHPATH: + return new(SVCBDoHPath) case svcb_RESERVED: return nil default: @@ -200,16 +210,24 @@ func makeSVCBKeyValue(key SVCBKey) SVCBKeyValue { } } -// SVCB RR. See RFC xxxx (https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-01). +// SVCB RR. See RFC xxxx (https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-08). +// +// NOTE: The HTTPS/SVCB RFCs are in the draft stage. +// The API, including constants and types related to SVCBKeyValues, may +// change in future versions in accordance with the latest drafts. type SVCB struct { Hdr RR_Header - Priority uint16 + Priority uint16 // If zero, Value must be empty or discarded by the user of this library Target string `dns:"domain-name"` - Value []SVCBKeyValue `dns:"pairs"` // Value must be empty if Priority is zero. + Value []SVCBKeyValue `dns:"pairs"` } // HTTPS RR. Everything valid for SVCB applies to HTTPS as well. // Except that the HTTPS record is intended for use with the HTTP and HTTPS protocols. +// +// NOTE: The HTTPS/SVCB RFCs are in the draft stage. +// The API, including constants and types related to SVCBKeyValues, may +// change in future versions in accordance with the latest drafts. type HTTPS struct { SVCB } @@ -235,15 +253,29 @@ type SVCBKeyValue interface { } // SVCBMandatory pair adds to required keys that must be interpreted for the RR -// to be functional. +// to be functional. If ignored, the whole RRSet must be ignored. +// "port" and "no-default-alpn" are mandatory by default if present, +// so they shouldn't be included here. +// +// It is incumbent upon the user of this library to reject the RRSet if +// or avoid constructing such an RRSet that: +// - "mandatory" is included as one of the keys of mandatory +// - no key is listed multiple times in mandatory +// - all keys listed in mandatory are present +// - escape sequences are not used in mandatory +// - mandatory, when present, lists at least one key +// // Basic use pattern for creating a mandatory option: // // s := &dns.SVCB{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeSVCB, Class: dns.ClassINET}} // e := new(dns.SVCBMandatory) -// e.Code = []uint16{65403} +// e.Code = []uint16{dns.SVCB_ALPN} // s.Value = append(s.Value, e) +// t := new(dns.SVCBAlpn) +// t.Alpn = []string{"xmpp-client"} +// s.Value = append(s.Value, t) type SVCBMandatory struct { - Code []SVCBKey // Must not include mandatory + Code []SVCBKey } func (*SVCBMandatory) Key() SVCBKey { return SVCB_MANDATORY } @@ -302,7 +334,8 @@ func (s *SVCBMandatory) copy() SVCBKeyValue { } // SVCBAlpn pair is used to list supported connection protocols. -// Protocol ids can be found at: +// The user of this library must ensure that at least one protocol is listed when alpn is present. +// Protocol IDs can be found at: // https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids // Basic use pattern for creating an alpn option: // @@ -310,13 +343,57 @@ func (s *SVCBMandatory) copy() SVCBKeyValue { // h.Hdr = dns.RR_Header{Name: ".", Rrtype: dns.TypeHTTPS, Class: dns.ClassINET} // e := new(dns.SVCBAlpn) // e.Alpn = []string{"h2", "http/1.1"} -// h.Value = append(o.Value, e) +// h.Value = append(h.Value, e) type SVCBAlpn struct { Alpn []string } -func (*SVCBAlpn) Key() SVCBKey { return SVCB_ALPN } -func (s *SVCBAlpn) String() string { return strings.Join(s.Alpn, ",") } +func (*SVCBAlpn) Key() SVCBKey { return SVCB_ALPN } + +func (s *SVCBAlpn) String() string { + // An ALPN value is a comma-separated list of values, each of which can be + // an arbitrary binary value. In order to allow parsing, the comma and + // backslash characters are themselves excaped. + // + // However, this escaping is done in addition to the normal escaping which + // happens in zone files, meaning that these values must be + // double-escaped. This looks terrible, so if you see a never-ending + // sequence of backslash in a zone file this may be why. + // + // https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-08#appendix-A.1 + var str strings.Builder + for i, alpn := range s.Alpn { + // 4*len(alpn) is the worst case where we escape every character in the alpn as \123, plus 1 byte for the ',' separating the alpn from others + str.Grow(4*len(alpn) + 1) + if i > 0 { + str.WriteByte(',') + } + for j := 0; j < len(alpn); j++ { + e := alpn[j] + if ' ' > e || e > '~' { + str.WriteString(escapeByte(e)) + continue + } + switch e { + // We escape a few characters which may confuse humans or parsers. + case '"', ';', ' ': + str.WriteByte('\\') + str.WriteByte(e) + // The comma and backslash characters themselves must be + // doubly-escaped. We use `\\` for the first backslash and + // the escaped numeric value for the other value. We especially + // don't want a comma in the output. + case ',': + str.WriteString(`\\\044`) + case '\\': + str.WriteString(`\\\092`) + default: + str.WriteByte(e) + } + } + } + return str.String() +} func (s *SVCBAlpn) pack() ([]byte, error) { // Liberally estimate the size of an alpn as 10 octets @@ -351,7 +428,47 @@ func (s *SVCBAlpn) unpack(b []byte) error { } func (s *SVCBAlpn) parse(b string) error { - s.Alpn = strings.Split(b, ",") + if len(b) == 0 { + s.Alpn = []string{} + return nil + } + + alpn := []string{} + a := []byte{} + for p := 0; p < len(b); { + c, q := nextByte(b, p) + if q == 0 { + return errors.New("dns: svcbalpn: unterminated escape") + } + p += q + // If we find a comma, we have finished reading an alpn. + if c == ',' { + if len(a) == 0 { + return errors.New("dns: svcbalpn: empty protocol identifier") + } + alpn = append(alpn, string(a)) + a = []byte{} + continue + } + // If it's a backslash, we need to handle a comma-separated list. + if c == '\\' { + dc, dq := nextByte(b, p) + if dq == 0 { + return errors.New("dns: svcbalpn: unterminated escape decoding comma-separated list") + } + if dc != '\\' && dc != ',' { + return errors.New("dns: svcbalpn: bad escaped character decoding comma-separated list") + } + p += dq + c = dc + } + a = append(a, c) + } + // Add the final alpn. + if len(a) == 0 { + return errors.New("dns: svcbalpn: last protocol identifier empty") + } + s.Alpn = append(alpn, string(a)) return nil } @@ -370,9 +487,13 @@ func (s *SVCBAlpn) copy() SVCBKeyValue { } // SVCBNoDefaultAlpn pair signifies no support for default connection protocols. +// Should be used in conjunction with alpn. // Basic use pattern for creating a no-default-alpn option: // // s := &dns.SVCB{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeSVCB, Class: dns.ClassINET}} +// t := new(dns.SVCBAlpn) +// t.Alpn = []string{"xmpp-client"} +// s.Value = append(s.Value, t) // e := new(dns.SVCBNoDefaultAlpn) // s.Value = append(s.Value, e) type SVCBNoDefaultAlpn struct{} @@ -385,14 +506,14 @@ func (*SVCBNoDefaultAlpn) len() int { return 0 } func (*SVCBNoDefaultAlpn) unpack(b []byte) error { if len(b) != 0 { - return errors.New("dns: svcbnodefaultalpn: no_default_alpn must have no value") + return errors.New("dns: svcbnodefaultalpn: no-default-alpn must have no value") } return nil } func (*SVCBNoDefaultAlpn) parse(b string) error { if b != "" { - return errors.New("dns: svcbnodefaultalpn: no_default_alpn must have no value") + return errors.New("dns: svcbnodefaultalpn: no-default-alpn must have no value") } return nil } @@ -523,7 +644,7 @@ func (s *SVCBIPv4Hint) copy() SVCBKeyValue { } // SVCBECHConfig pair contains the ECHConfig structure defined in draft-ietf-tls-esni [RFC xxxx]. -// Basic use pattern for creating an echconfig option: +// Basic use pattern for creating an ech option: // // h := new(dns.HTTPS) // h.Hdr = dns.RR_Header{Name: ".", Rrtype: dns.TypeHTTPS, Class: dns.ClassINET} @@ -531,7 +652,7 @@ func (s *SVCBIPv4Hint) copy() SVCBKeyValue { // e.ECH = []byte{0xfe, 0x08, ...} // h.Value = append(h.Value, e) type SVCBECHConfig struct { - ECH []byte + ECH []byte // Specifically ECHConfigList including the redundant length prefix } func (*SVCBECHConfig) Key() SVCBKey { return SVCB_ECHCONFIG } @@ -555,7 +676,7 @@ func (s *SVCBECHConfig) unpack(b []byte) error { func (s *SVCBECHConfig) parse(b string) error { x, err := fromBase64([]byte(b)) if err != nil { - return errors.New("dns: svcbechconfig: bad base64 echconfig") + return errors.New("dns: svcbech: bad base64 ech") } s.ECH = x return nil @@ -618,9 +739,6 @@ func (s *SVCBIPv6Hint) String() string { } func (s *SVCBIPv6Hint) parse(b string) error { - if strings.Contains(b, ".") { - return errors.New("dns: svcbipv6hint: expected ipv6, got ipv4") - } str := strings.Split(b, ",") dst := make([]net.IP, len(str)) for i, e := range str { @@ -628,6 +746,9 @@ func (s *SVCBIPv6Hint) parse(b string) error { if ip == nil { return errors.New("dns: svcbipv6hint: bad ip") } + if ip.To4() != nil { + return errors.New("dns: svcbipv6hint: expected ipv6, got ipv4-mapped-ipv6") + } dst[i] = ip } s.Hint = dst @@ -645,6 +766,54 @@ func (s *SVCBIPv6Hint) copy() SVCBKeyValue { } } +// SVCBDoHPath pair is used to indicate the URI template that the +// clients may use to construct a DNS over HTTPS URI. +// +// See RFC xxxx (https://datatracker.ietf.org/doc/html/draft-ietf-add-svcb-dns-02) +// and RFC yyyy (https://datatracker.ietf.org/doc/html/draft-ietf-add-ddr-06). +// +// A basic example of using the dohpath option together with the alpn +// option to indicate support for DNS over HTTPS on a certain path: +// +// s := new(dns.SVCB) +// s.Hdr = dns.RR_Header{Name: ".", Rrtype: dns.TypeSVCB, Class: dns.ClassINET} +// e := new(dns.SVCBAlpn) +// e.Alpn = []string{"h2", "h3"} +// p := new(dns.SVCBDoHPath) +// p.Template = "/dns-query{?dns}" +// s.Value = append(s.Value, e, p) +// +// The parsing currently doesn't validate that Template is a valid +// RFC 6570 URI template. +type SVCBDoHPath struct { + Template string +} + +func (*SVCBDoHPath) Key() SVCBKey { return SVCB_DOHPATH } +func (s *SVCBDoHPath) String() string { return svcbParamToStr([]byte(s.Template)) } +func (s *SVCBDoHPath) len() int { return len(s.Template) } +func (s *SVCBDoHPath) pack() ([]byte, error) { return []byte(s.Template), nil } + +func (s *SVCBDoHPath) unpack(b []byte) error { + s.Template = string(b) + return nil +} + +func (s *SVCBDoHPath) parse(b string) error { + template, err := svcbParseParam(b) + if err != nil { + return fmt.Errorf("dns: svcbdohpath: %w", err) + } + s.Template = string(template) + return nil +} + +func (s *SVCBDoHPath) copy() SVCBKeyValue { + return &SVCBDoHPath{ + Template: s.Template, + } +} + // SVCBLocal pair is intended for experimental/private use. The key is recommended // to be in the range [SVCB_PRIVATE_LOWER, SVCB_PRIVATE_UPPER]. // Basic use pattern for creating a keyNNNNN option: @@ -661,6 +830,7 @@ type SVCBLocal struct { } func (s *SVCBLocal) Key() SVCBKey { return s.KeyCode } +func (s *SVCBLocal) String() string { return svcbParamToStr(s.Data) } func (s *SVCBLocal) pack() ([]byte, error) { return append([]byte(nil), s.Data...), nil } func (s *SVCBLocal) len() int { return len(s.Data) } @@ -669,50 +839,10 @@ func (s *SVCBLocal) unpack(b []byte) error { return nil } -func (s *SVCBLocal) String() string { - var str strings.Builder - str.Grow(4 * len(s.Data)) - for _, e := range s.Data { - if ' ' <= e && e <= '~' { - switch e { - case '"', ';', ' ', '\\': - str.WriteByte('\\') - str.WriteByte(e) - default: - str.WriteByte(e) - } - } else { - str.WriteString(escapeByte(e)) - } - } - return str.String() -} - func (s *SVCBLocal) parse(b string) error { - data := make([]byte, 0, len(b)) - for i := 0; i < len(b); { - if b[i] != '\\' { - data = append(data, b[i]) - i++ - continue - } - if i+1 == len(b) { - return errors.New("dns: svcblocal: svcb private/experimental key escape unterminated") - } - if isDigit(b[i+1]) { - if i+3 < len(b) && isDigit(b[i+2]) && isDigit(b[i+3]) { - a, err := strconv.ParseUint(b[i+1:i+4], 10, 8) - if err == nil { - i += 4 - data = append(data, byte(a)) - continue - } - } - return errors.New("dns: svcblocal: svcb private/experimental key bad escaped octet") - } else { - data = append(data, b[i+1]) - i += 2 - } + data, err := svcbParseParam(b) + if err != nil { + return fmt.Errorf("dns: svcblocal: svcb private/experimental key %w", err) } s.Data = data return nil @@ -753,3 +883,53 @@ func areSVCBPairArraysEqual(a []SVCBKeyValue, b []SVCBKeyValue) bool { } return true } + +// svcbParamStr converts the value of an SVCB parameter into a DNS presentation-format string. +func svcbParamToStr(s []byte) string { + var str strings.Builder + str.Grow(4 * len(s)) + for _, e := range s { + if ' ' <= e && e <= '~' { + switch e { + case '"', ';', ' ', '\\': + str.WriteByte('\\') + str.WriteByte(e) + default: + str.WriteByte(e) + } + } else { + str.WriteString(escapeByte(e)) + } + } + return str.String() +} + +// svcbParseParam parses a DNS presentation-format string into an SVCB parameter value. +func svcbParseParam(b string) ([]byte, error) { + data := make([]byte, 0, len(b)) + for i := 0; i < len(b); { + if b[i] != '\\' { + data = append(data, b[i]) + i++ + continue + } + if i+1 == len(b) { + return nil, errors.New("escape unterminated") + } + if isDigit(b[i+1]) { + if i+3 < len(b) && isDigit(b[i+2]) && isDigit(b[i+3]) { + a, err := strconv.ParseUint(b[i+1:i+4], 10, 8) + if err == nil { + i += 4 + data = append(data, byte(a)) + continue + } + } + return nil, errors.New("bad escaped octet") + } else { + data = append(data, b[i+1]) + i += 2 + } + } + return data, nil +} diff --git a/vendor/github.com/miekg/dns/tools.go b/vendor/github.com/miekg/dns/tools.go new file mode 100644 index 00000000..d1118253 --- /dev/null +++ b/vendor/github.com/miekg/dns/tools.go @@ -0,0 +1,9 @@ +// +build tools + +// We include our tool dependencies for `go generate` here to ensure they're +// properly tracked by the go tool. See the Go Wiki for the rationale behind this: +// https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module. + +package dns + +import _ "golang.org/x/tools/go/packages" diff --git a/vendor/github.com/miekg/dns/tsig.go b/vendor/github.com/miekg/dns/tsig.go index b49562d8..debfe2dd 100644 --- a/vendor/github.com/miekg/dns/tsig.go +++ b/vendor/github.com/miekg/dns/tsig.go @@ -74,6 +74,24 @@ func (key tsigHMACProvider) Verify(msg []byte, t *TSIG) error { return nil } +type tsigSecretProvider map[string]string + +func (ts tsigSecretProvider) Generate(msg []byte, t *TSIG) ([]byte, error) { + key, ok := ts[t.Hdr.Name] + if !ok { + return nil, ErrSecret + } + return tsigHMACProvider(key).Generate(msg, t) +} + +func (ts tsigSecretProvider) Verify(msg []byte, t *TSIG) error { + key, ok := ts[t.Hdr.Name] + if !ok { + return ErrSecret + } + return tsigHMACProvider(key).Verify(msg, t) +} + // TSIG is the RR the holds the transaction signature of a message. // See RFC 2845 and RFC 4635. type TSIG struct { @@ -140,18 +158,17 @@ type timerWireFmt struct { } // TsigGenerate fills out the TSIG record attached to the message. -// The message should contain -// a "stub" TSIG RR with the algorithm, key name (owner name of the RR), -// time fudge (defaults to 300 seconds) and the current time -// The TSIG MAC is saved in that Tsig RR. -// When TsigGenerate is called for the first time requestMAC is set to the empty string and -// timersOnly is false. -// If something goes wrong an error is returned, otherwise it is nil. +// The message should contain a "stub" TSIG RR with the algorithm, key name +// (owner name of the RR), time fudge (defaults to 300 seconds) and the current +// time The TSIG MAC is saved in that Tsig RR. When TsigGenerate is called for +// the first time requestMAC should be set to the empty string and timersOnly to +// false. func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, string, error) { - return tsigGenerateProvider(m, tsigHMACProvider(secret), requestMAC, timersOnly) + return TsigGenerateWithProvider(m, tsigHMACProvider(secret), requestMAC, timersOnly) } -func tsigGenerateProvider(m *Msg, provider TsigProvider, requestMAC string, timersOnly bool) ([]byte, string, error) { +// TsigGenerateWithProvider is similar to TsigGenerate, but allows for a custom TsigProvider. +func TsigGenerateWithProvider(m *Msg, provider TsigProvider, requestMAC string, timersOnly bool) ([]byte, string, error) { if m.IsTsig() == nil { panic("dns: TSIG not last RR in additional") } @@ -162,20 +179,29 @@ func tsigGenerateProvider(m *Msg, provider TsigProvider, requestMAC string, time if err != nil { return nil, "", err } + buf, err := tsigBuffer(mbuf, rr, requestMAC, timersOnly) if err != nil { return nil, "", err } t := new(TSIG) - // Copy all TSIG fields except MAC and its size, which are filled using the computed digest. + // Copy all TSIG fields except MAC, its size, and time signed which are filled when signing. *t = *rr - mac, err := provider.Generate(buf, rr) - if err != nil { - return nil, "", err + t.TimeSigned = 0 + t.MAC = "" + t.MACSize = 0 + + // Sign unless there is a key or MAC validation error (RFC 8945 5.3.2) + if rr.Error != RcodeBadKey && rr.Error != RcodeBadSig { + mac, err := provider.Generate(buf, rr) + if err != nil { + return nil, "", err + } + t.TimeSigned = rr.TimeSigned + t.MAC = hex.EncodeToString(mac) + t.MACSize = uint16(len(t.MAC) / 2) // Size is half! } - t.MAC = hex.EncodeToString(mac) - t.MACSize = uint16(len(t.MAC) / 2) // Size is half! tbuf := make([]byte, Len(t)) off, err := PackRR(t, tbuf, 0, nil, false) @@ -189,14 +215,15 @@ func tsigGenerateProvider(m *Msg, provider TsigProvider, requestMAC string, time return mbuf, t.MAC, nil } -// TsigVerify verifies the TSIG on a message. -// If the signature does not validate err contains the -// error, otherwise it is nil. +// TsigVerify verifies the TSIG on a message. If the signature does not +// validate the returned error contains the cause. If the signature is OK, the +// error is nil. func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error { return tsigVerify(msg, tsigHMACProvider(secret), requestMAC, timersOnly, uint64(time.Now().Unix())) } -func tsigVerifyProvider(msg []byte, provider TsigProvider, requestMAC string, timersOnly bool) error { +// TsigVerifyWithProvider is similar to TsigVerify, but allows for a custom TsigProvider. +func TsigVerifyWithProvider(msg []byte, provider TsigProvider, requestMAC string, timersOnly bool) error { return tsigVerify(msg, provider, requestMAC, timersOnly, uint64(time.Now().Unix())) } diff --git a/vendor/github.com/miekg/dns/update.go b/vendor/github.com/miekg/dns/update.go index 69dd3865..16f9ee85 100644 --- a/vendor/github.com/miekg/dns/update.go +++ b/vendor/github.com/miekg/dns/update.go @@ -32,7 +32,9 @@ func (u *Msg) Used(rr []RR) { u.Answer = make([]RR, 0, len(rr)) } for _, r := range rr { - r.Header().Class = u.Question[0].Qclass + hdr := r.Header() + hdr.Class = u.Question[0].Qclass + hdr.Ttl = 0 u.Answer = append(u.Answer, r) } } diff --git a/vendor/github.com/miekg/dns/version.go b/vendor/github.com/miekg/dns/version.go index 622c69a1..b1a872bd 100644 --- a/vendor/github.com/miekg/dns/version.go +++ b/vendor/github.com/miekg/dns/version.go @@ -3,7 +3,7 @@ package dns import "fmt" // Version is current version of this library. -var Version = v{1, 1, 43} +var Version = v{1, 1, 50} // v holds the version of this library. type v struct { diff --git a/vendor/github.com/miekg/dns/xfr.go b/vendor/github.com/miekg/dns/xfr.go index 43970e64..1917e91c 100644 --- a/vendor/github.com/miekg/dns/xfr.go +++ b/vendor/github.com/miekg/dns/xfr.go @@ -17,11 +17,22 @@ type Transfer struct { DialTimeout time.Duration // net.DialTimeout, defaults to 2 seconds ReadTimeout time.Duration // net.Conn.SetReadTimeout value for connections, defaults to 2 seconds WriteTimeout time.Duration // net.Conn.SetWriteTimeout value for connections, defaults to 2 seconds + TsigProvider TsigProvider // An implementation of the TsigProvider interface. If defined it replaces TsigSecret and is used for all TSIG operations. TsigSecret map[string]string // Secret(s) for Tsig map[], zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2) tsigTimersOnly bool } -// Think we need to away to stop the transfer +func (t *Transfer) tsigProvider() TsigProvider { + if t.TsigProvider != nil { + return t.TsigProvider + } + if t.TsigSecret != nil { + return tsigSecretProvider(t.TsigSecret) + } + return nil +} + +// TODO: Think we need to away to stop the transfer // In performs an incoming transfer with the server in a. // If you would like to set the source IP, or some other attribute @@ -224,12 +235,9 @@ func (t *Transfer) ReadMsg() (*Msg, error) { if err := m.Unpack(p); err != nil { return nil, err } - if ts := m.IsTsig(); ts != nil && t.TsigSecret != nil { - if _, ok := t.TsigSecret[ts.Hdr.Name]; !ok { - return m, ErrSecret - } + if ts, tp := m.IsTsig(), t.tsigProvider(); ts != nil && tp != nil { // Need to work on the original message p, as that was used to calculate the tsig. - err = TsigVerify(p, t.TsigSecret[ts.Hdr.Name], t.tsigRequestMAC, t.tsigTimersOnly) + err = TsigVerifyWithProvider(p, tp, t.tsigRequestMAC, t.tsigTimersOnly) t.tsigRequestMAC = ts.MAC } return m, err @@ -238,11 +246,8 @@ func (t *Transfer) ReadMsg() (*Msg, error) { // WriteMsg writes a message through the transfer connection t. func (t *Transfer) WriteMsg(m *Msg) (err error) { var out []byte - if ts := m.IsTsig(); ts != nil && t.TsigSecret != nil { - if _, ok := t.TsigSecret[ts.Hdr.Name]; !ok { - return ErrSecret - } - out, t.tsigRequestMAC, err = TsigGenerate(m, t.TsigSecret[ts.Hdr.Name], t.tsigRequestMAC, t.tsigTimersOnly) + if ts, tp := m.IsTsig(), t.tsigProvider(); ts != nil && tp != nil { + out, t.tsigRequestMAC, err = TsigGenerateWithProvider(m, tp, t.tsigRequestMAC, t.tsigTimersOnly) } else { out, err = m.Pack() } diff --git a/vendor/modules.txt b/vendor/modules.txt index e4c3dfbf..6294fdad 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -56,7 +56,7 @@ github.com/mattn/go-isatty # github.com/matttproud/golang_protobuf_extensions v1.0.1 ## explicit github.com/matttproud/golang_protobuf_extensions/pbutil -# github.com/miekg/dns v1.1.43 +# github.com/miekg/dns v1.1.50 ## explicit; go 1.14 github.com/miekg/dns # github.com/prometheus/client_golang v1.14.0