1
0
mirror of https://github.com/samba-team/samba.git synced 2025-02-28 01:58:17 +03:00

python:tests/dns_base: generate a real signature in bad_sign_packet()

We just destroy the signature bytes but keep the header unchanged.

This makes it easier to look at it in wireshark.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ae23d512a724650ae2de1178ac43deff8266aa56)
This commit is contained in:
Stefan Metzmacher 2024-05-29 13:11:24 +02:00 committed by Jule Anger
parent 8b8fef4c9c
commit 19fc5bb6b9

View File

@ -317,7 +317,7 @@ class DNSTKeyTest(DNSTest):
data = request_mac + response_packet_wo_tsig + fake_tsig_packet data = request_mac + response_packet_wo_tsig + fake_tsig_packet
self.g.check_packet(data, data, mac) self.g.check_packet(data, data, mac)
def sign_packet(self, packet, key_name): def sign_packet(self, packet, key_name, bad_sig=False):
"Sign a packet, calculate a MAC and add TSIG record" "Sign a packet, calculate a MAC and add TSIG record"
packet_data = ndr.ndr_pack(packet) packet_data = ndr.ndr_pack(packet)
@ -336,6 +336,23 @@ class DNSTKeyTest(DNSTest):
data = packet_data + fake_tsig_packet data = packet_data + fake_tsig_packet
mac = self.g.sign_packet(data, data) mac = self.g.sign_packet(data, data)
mac_list = [x if isinstance(x, int) else ord(x) for x in list(mac)] mac_list = [x if isinstance(x, int) else ord(x) for x in list(mac)]
if bad_sig:
if len(mac) > 8:
mac_list[-8] = mac_list[-8] ^ 0xff
if len(mac) > 7:
mac_list[-7] = ord('b')
if len(mac) > 6:
mac_list[-6] = ord('a')
if len(mac) > 5:
mac_list[-5] = ord('d')
if len(mac) > 4:
mac_list[-4] = ord('m')
if len(mac) > 3:
mac_list[-3] = ord('a')
if len(mac) > 2:
mac_list[-2] = ord('c')
if len(mac) > 1:
mac_list[-1] = mac_list[-1] ^ 0xff
rdata = dns.tsig_record() rdata = dns.tsig_record()
rdata.algorithm_name = "gss-tsig" rdata.algorithm_name = "gss-tsig"
@ -363,33 +380,10 @@ class DNSTKeyTest(DNSTest):
return mac return mac
def bad_sign_packet(self, packet, key_name): def bad_sign_packet(self, packet, key_name):
"""Add bad signature for a packet by bitflipping """Add bad signature for a packet by
the final byte in the MAC""" bitflipping and hardcoding bytes at the end of the MAC"""
mac_list = [x if isinstance(x, int) else ord(x) for x in list("badmac")] return self.sign_packet(packet, key_name, bad_sig=True)
rdata = dns.tsig_record()
rdata.algorithm_name = "gss-tsig"
rdata.time_prefix = 0
rdata.time = int(time.time())
rdata.fudge = 300
rdata.original_id = packet.id
rdata.error = 0
rdata.other_size = 0
rdata.mac = mac_list
rdata.mac_size = len(mac_list)
r = dns.res_rec()
r.name = key_name
r.rr_type = dns.DNS_QTYPE_TSIG
r.rr_class = dns.DNS_QCLASS_ANY
r.ttl = 0
r.length = 0xffff
r.rdata = rdata
additional = [r]
packet.additional = additional
packet.arcount = 1
def search_record(self, name): def search_record(self, name):
p = self.make_name_packet(dns.DNS_OPCODE_QUERY) p = self.make_name_packet(dns.DNS_OPCODE_QUERY)