mirror of
https://github.com/samba-team/samba.git
synced 2025-02-28 01:58:17 +03:00
python:tests/dns_base: generate a real signature in bad_sign_packet()
We just destroy the signature bytes but keep the header unchanged. This makes it easier to look at it in wireshark. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit ae23d512a724650ae2de1178ac43deff8266aa56)
parent
8b8fef4c9c
commit
19fc5bb6b9
@ -317,7 +317,7 @@ class DNSTKeyTest(DNSTest):
|
|||||||
data = request_mac + response_packet_wo_tsig + fake_tsig_packet
|
data = request_mac + response_packet_wo_tsig + fake_tsig_packet
|
||||||
self.g.check_packet(data, data, mac)
|
self.g.check_packet(data, data, mac)
|
||||||
|
|
||||||
def sign_packet(self, packet, key_name):
|
def sign_packet(self, packet, key_name, bad_sig=False):
|
||||||
"Sign a packet, calculate a MAC and add TSIG record"
|
"Sign a packet, calculate a MAC and add TSIG record"
|
||||||
packet_data = ndr.ndr_pack(packet)
|
packet_data = ndr.ndr_pack(packet)
|
||||||
|
|
||||||
@ -336,6 +336,23 @@ class DNSTKeyTest(DNSTest):
|
|||||||
data = packet_data + fake_tsig_packet
|
data = packet_data + fake_tsig_packet
|
||||||
mac = self.g.sign_packet(data, data)
|
mac = self.g.sign_packet(data, data)
|
||||||
mac_list = [x if isinstance(x, int) else ord(x) for x in list(mac)]
|
mac_list = [x if isinstance(x, int) else ord(x) for x in list(mac)]
|
||||||
|
if bad_sig:
|
||||||
|
if len(mac) > 8:
|
||||||
|
mac_list[-8] = mac_list[-8] ^ 0xff
|
||||||
|
if len(mac) > 7:
|
||||||
|
mac_list[-7] = ord('b')
|
||||||
|
if len(mac) > 6:
|
||||||
|
mac_list[-6] = ord('a')
|
||||||
|
if len(mac) > 5:
|
||||||
|
mac_list[-5] = ord('d')
|
||||||
|
if len(mac) > 4:
|
||||||
|
mac_list[-4] = ord('m')
|
||||||
|
if len(mac) > 3:
|
||||||
|
mac_list[-3] = ord('a')
|
||||||
|
if len(mac) > 2:
|
||||||
|
mac_list[-2] = ord('c')
|
||||||
|
if len(mac) > 1:
|
||||||
|
mac_list[-1] = mac_list[-1] ^ 0xff
|
||||||
|
|
||||||
rdata = dns.tsig_record()
|
rdata = dns.tsig_record()
|
||||||
rdata.algorithm_name = "gss-tsig"
|
rdata.algorithm_name = "gss-tsig"
|
||||||
@ -363,33 +380,10 @@ class DNSTKeyTest(DNSTest):
|
|||||||
return mac
|
return mac
|
||||||
|
|
||||||
def bad_sign_packet(self, packet, key_name):
|
def bad_sign_packet(self, packet, key_name):
|
||||||
"""Add bad signature for a packet by bitflipping
|
"""Add bad signature for a packet by
|
||||||
the final byte in the MAC"""
|
bitflipping and hardcoding bytes at the end of the MAC"""
|
||||||
|
|
||||||
mac_list = [x if isinstance(x, int) else ord(x) for x in list("badmac")]
|
return self.sign_packet(packet, key_name, bad_sig=True)
|
||||||
|
|
||||||
rdata = dns.tsig_record()
|
|
||||||
rdata.algorithm_name = "gss-tsig"
|
|
||||||
rdata.time_prefix = 0
|
|
||||||
rdata.time = int(time.time())
|
|
||||||
rdata.fudge = 300
|
|
||||||
rdata.original_id = packet.id
|
|
||||||
rdata.error = 0
|
|
||||||
rdata.other_size = 0
|
|
||||||
rdata.mac = mac_list
|
|
||||||
rdata.mac_size = len(mac_list)
|
|
||||||
|
|
||||||
r = dns.res_rec()
|
|
||||||
r.name = key_name
|
|
||||||
r.rr_type = dns.DNS_QTYPE_TSIG
|
|
||||||
r.rr_class = dns.DNS_QCLASS_ANY
|
|
||||||
r.ttl = 0
|
|
||||||
r.length = 0xffff
|
|
||||||
r.rdata = rdata
|
|
||||||
|
|
||||||
additional = [r]
|
|
||||||
packet.additional = additional
|
|
||||||
packet.arcount = 1
|
|
||||||
|
|
||||||
def search_record(self, name):
|
def search_record(self, name):
|
||||||
p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
|
p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
|
||||||
|
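Review bot: In the `if bad_sig:` block of sign_packet(), every guard is one stricter than the index it protects (`len(mac) > 1` before `mac_list[-1]`, `len(mac) > 8` before `mac_list[-8]`), and when the MAC is too short the ladder silently changes nothing, so bad_sign_packet() would emit a correctly signed packet and the rejection test would no longer exercise a bad signature. Asserting the length up front, e.g. `self.assertGreater(len(mac_list), 8)` (assuming DNSTest derives from unittest.TestCase), makes the corruption unconditional and lets the eight `if len(mac) > N` checks go. The `return mac` shown as context before bad_sign_packet(), which appears to be the end of sign_packet(), hands back the untouched MAC, so bad_sign_packet() now returns a valid MAC for a packet that carries a corrupted one; the one-line docstring should state that and describe `bad_sig`. Only parts of sign_packet() are visible across the three hunks.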