mirror of https://github.com/samba-team/samba.git synced 2025-02-28 01:58:17 +03:00

python:tests/dns_tkey: test bad and changing tsig algorithms

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit de4ed363d378f2065a4634f94af80ea0e3965c96)
Stefan Metzmacher 2024-05-29 17:26:39 +02:00 committed by Jule Anger
parent 7dabac46b5
commit fdfd4e8adc
2 changed files with 107 additions and 0 deletions


@ -19,6 +19,7 @@
import sys
import optparse
import samba.getopt as options
import samba.ndr as ndr
from samba.dcerpc import dns
from samba.tests.subunitrun import SubunitOptions, TestProgram
from samba.tests.dns_base import DNSTKeyTest
@ -113,6 +114,109 @@ class TestDNSUpdates(DNSTKeyTest):
rcode = self.search_record(self.newrecname)
self.assert_rcode_equals(rcode, dns.DNS_RCODE_NXDOMAIN)
def test_update_tsig_bad_algorithm(self):
"test DNS update with a TSIG record with a bad algorithm"
self.tkey_trans()
algorithm_name = "gss-TSIG"
p = self.make_update_request()
mac = self.sign_packet(p, self.tkey['name'],
algorithm_name=algorithm_name)
(response, response_p) = self.dns_transaction_udp(p, self.server_ip)
self.assert_echoed_dns_error(p, response, response_p, dns.DNS_RCODE_REFUSED)
rcode = self.search_record(self.newrecname)
self.assert_rcode_equals(rcode, dns.DNS_RCODE_NXDOMAIN)
def test_update_tsig_changed_algorithm1(self):
"test DNS update with a TSIG record with a changed algorithm"
algorithm_name = "gss-tsig"
self.tkey_trans(algorithm_name=algorithm_name)
# Now delete the record, it's most likely
# a no-op as it should not be there if the test
# runs the first time
p = self.make_update_request(delete=True)
mac = self.sign_packet(p, self.tkey['name'], algorithm_name=algorithm_name)
(response, response_p) = self.dns_transaction_udp(p, self.server_ip)
self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
self.verify_packet(response, response_p, mac)
# Now do an update with the algorithm_name
# changed in the requests TSIG message.
p = self.make_update_request()
algorithm_name = "gss.microsoft.com"
mac = self.sign_packet(p, self.tkey['name'],
algorithm_name=algorithm_name)
algorithm_name = "gss-tsig"
(response, response_p) = self.dns_transaction_udp(p, self.server_ip,
allow_remaining=True)
self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
self.verify_packet(response, response_p, mac)
# Check the record is around
rcode = self.search_record(self.newrecname)
self.assert_rcode_equals(rcode, dns.DNS_RCODE_OK)
# Now delete the record, with the original
# algorithm_name used in the tkey exchange
p = self.make_update_request(delete=True)
mac = self.sign_packet(p, self.tkey['name'], algorithm_name=algorithm_name)
(response, response_p) = self.dns_transaction_udp(p, self.server_ip)
self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
self.verify_packet(response, response_p, mac)
rcode = self.search_record(self.newrecname)
self.assert_rcode_equals(rcode, dns.DNS_RCODE_NXDOMAIN)
def test_update_tsig_changed_algorithm2(self):
"test DNS update with a TSIG record with a changed algorithm"
algorithm_name = "gss.microsoft.com"
self.tkey_trans(algorithm_name=algorithm_name)
# Now delete the record, it's most likely
# a no-op as it should not be there if the test
# runs the first time
p = self.make_update_request(delete=True)
mac = self.sign_packet(p, self.tkey['name'], algorithm_name=algorithm_name)
(response, response_p) = self.dns_transaction_udp(p, self.server_ip)
self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
self.verify_packet(response, response_p, mac)
# Now do an update with the algorithm_name
# changed in the requests TSIG message.
p = self.make_update_request()
algorithm_name = "gss-tsig"
mac = self.sign_packet(p, self.tkey['name'],
algorithm_name=algorithm_name)
algorithm_name = "gss.microsoft.com"
(response, response_p) = self.dns_transaction_udp(p, self.server_ip,
allow_truncated=True)
self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
response_p_pack = ndr.ndr_pack(response)
if len(response_p_pack) == len(response_p):
self.verify_packet(response, response_p, mac)
else:
pass # Windows bug
# Check the record is around
rcode = self.search_record(self.newrecname)
self.assert_rcode_equals(rcode, dns.DNS_RCODE_OK)
# Now delete the record, with the original
# algorithm_name used in the tkey exchange
p = self.make_update_request(delete=True)
mac = self.sign_packet(p, self.tkey['name'], algorithm_name=algorithm_name)
(response, response_p) = self.dns_transaction_udp(p, self.server_ip)
self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
self.verify_packet(response, response_p, mac)
rcode = self.search_record(self.newrecname)
self.assert_rcode_equals(rcode, dns.DNS_RCODE_NXDOMAIN)
def test_update_gss_tsig_tkey_req_additional(self):
"test DNS update with correct gss-tsig record tkey req in additional"

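Review bot: In test_update_tsig_changed_algorithm2 the `else: pass # Windows bug` branch skips `verify_packet()` whenever the re-packed response differs in length from the received bytes, so the test can pass without checking the response MAC, and nothing visible limits that to Windows. Because the test is about a TSIG algorithm name that differs from the one used in the TKEY exchange, the bypass should be restricted to the Windows behaviour it tolerates. At minimum the bare `pass` should carry a comment saying what that behaviour is, for example `# Windows reply does not round-trip through ndr_pack, MAC cannot be checked` (wording for the author to confirm). A short comment should also say why algorithm1 passes `allow_remaining=True` while algorithm2 passes `allow_truncated=True`, and the two tests should get distinct docstrings, since both currently read "test DNS update with a TSIG record with a changed algorithm". In test_update_tsig_bad_algorithm, `mac` is assigned but never used.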

@ -6,3 +6,6 @@
^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_answers.fl2008r2dc
^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_microsoft_com_tkey_req_additional.fl2008r2dc
^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_microsoft_com_tkey_req_answers.fl2008r2dc
^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_algorithm.fl2008r2dc
^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_changed_algorithm1.fl2008r2dc
^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_changed_algorithm2.fl2008r2dc