Commit | Line | Data |
---|---|---|
37063755 PL |
1 | #!/usr/bin/env python |
2 | import dns | |
3 | ||
4 | from authtests import AuthTest | |
5 | ||
6 | ||
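class TestEdnsCookies(AuthTest):
    """Regression tests for EDNS COOKIE handling in the authoritative server.

    The queries carry an EDNS COOKIE option made of an 8-byte client cookie,
    optionally followed by a server cookie (8 to 32 bytes per RFC 7873).
    The tests check which rcode comes back and whether the response carries
    a COOKIE option of its own.
    """

    # Test-only fixture value for edns-cookie-secret. A real deployment needs
    # its own randomly generated secret; this one is published in the test.
    _config_template = """
launch=bind
edns-cookie-secret=aabbccddeeff11223344556677889900
"""

    _zones = {
        'example.org': """
example.org. 3600 IN SOA {soa}
example.org. 3600 IN NS ns1.example.org.
example.org. 3600 IN NS ns2.example.org.
ns1.example.org. 3600 IN A 192.0.2.10
ns2.example.org. 3600 IN A 192.0.2.11

www.example.org. 3600 IN A 192.0.2.5
""",
    }

    def sendAndExpectNoCookie(self, msg, rcode):
        """Send msg over UDP and require rcode with no COOKIE option back."""
        res = self.sendUDPQuery(msg)
        self.assertRcodeEqual(res, rcode)
        self.assertFalse(any(opt.otype == dns.edns.COOKIE
                             for opt in res.options))

    def getCookieFromServer(self):
        """Return the COOKIE option the server issues for a fixed client cookie.

        A query with only the 8-byte client cookie is sent over UDP; the
        server is expected to answer BADCOOKIE and include a COOKIE option,
        which is returned. The test fails if no such option is present.
        """
        opts = [
            dns.edns.GenericOption(dns.edns.COOKIE,
                                   b'\x22\x11\x33\x44\x55\x66\x77\x88')]
        query = dns.message.make_query('www.example.org', 'A', options=opts)
        res = self.sendUDPQuery(query)
        self.assertRcodeEqual(res, 23)  # BADCOOKIE
        for opt in res.options:
            if opt.otype == dns.edns.COOKIE:
                return opt
        self.fail('BADCOOKIE response carried no COOKIE option')

    def testNoCookie(self):
        # A query without a COOKIE option must not get one in the answer.
        query = dns.message.make_query('www.example.org', 'A', use_edns=0)
        self.sendAndExpectNoCookie(query, dns.rcode.NOERROR)

    def testClientCookieTooShort(self):
        # 1-byte and 7-byte client cookies are both below the required
        # 8 bytes and must be rejected as malformed.
        opts = [dns.edns.GenericOption(dns.edns.COOKIE, b'\x22')]
        query = dns.message.make_query('www.example.org', 'A', options=opts)
        self.sendAndExpectNoCookie(query, dns.rcode.FORMERR)

        opts = [dns.edns.GenericOption(dns.edns.COOKIE,
                                       b'\x22\x11\x33\x44\x55\x66\x77')]
        query = dns.message.make_query('www.example.org', 'A', options=opts)
        self.sendAndExpectNoCookie(query, dns.rcode.FORMERR)

    def testServerCookieTooShort(self):
        # A full 8-byte client cookie followed by a 1-byte, then a 7-byte,
        # server cookie: both are shorter than the 8-byte minimum.
        opts = [
            dns.edns.GenericOption(dns.edns.COOKIE,
                                   b'\x22\x11\x33\x44\x55\x66\x77\x88\x99')]
        query = dns.message.make_query('www.example.org', 'A', options=opts)
        self.sendAndExpectNoCookie(query, dns.rcode.FORMERR)

        opts = [
            dns.edns.GenericOption(dns.edns.COOKIE,
                                   b'\x22\x11\x33\x44\x55\x66\x77\x88' +
                                   b'\x22\x11\x33\x44\x55\x66\x77')]
        query = dns.message.make_query('www.example.org', 'A', options=opts)
        self.sendAndExpectNoCookie(query, dns.rcode.FORMERR)

    def testOnlyClientCookie(self):
        # Over UDP a client cookie without a server cookie is answered with
        # BADCOOKIE plus a COOKIE option for the client to retry with.
        opts = [
            dns.edns.GenericOption(dns.edns.COOKIE,
                                   b'\x22\x11\x33\x44\x55\x66\x77\x88')]
        query = dns.message.make_query('www.example.org', 'A', options=opts)
        res = self.sendUDPQuery(query)
        self.assertRcodeEqual(res, 23)  # BADCOOKIE
        self.assertTrue(any(opt.otype == dns.edns.COOKIE
                            for opt in res.options))

    def testOnlyClientCookieTCP(self):
        # Over TCP the same query is answered normally (NOERROR) and still
        # gets a COOKIE option back.
        # NOTE(review): presumably because the TCP handshake has already
        # validated the source address - confirm against the server code.
        opts = [
            dns.edns.GenericOption(dns.edns.COOKIE,
                                   b'\x22\x11\x33\x44\x55\x66\x77\x88')]
        query = dns.message.make_query('www.example.org', 'A', options=opts)
        res = self.sendTCPQuery(query)
        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertTrue(any(opt.otype == dns.edns.COOKIE
                            for opt in res.options))

    def testCorrectCookie(self):
        # Replaying the exact COOKIE option the server issued must be accepted.
        opts = [self.getCookieFromServer()]
        query = dns.message.make_query('www.example.org', 'A', options=opts)
        res = self.sendUDPQuery(query)
        self.assertRcodeEqual(res, dns.rcode.NOERROR)

    def testBrokenCookie(self):
        # A server cookie presented with a different client cookie must be
        # rejected, and the server must hand out a different cookie.
        data = self.getCookieFromServer().data
        # Change exactly one byte of the client cookie: byte 1 of the cookie
        # sent by getCookieFromServer() is 0x11. bytes.replace() would also
        # rewrite any 0x11 that happens to occur in the server cookie, so the
        # test could pass because the server cookie itself was corrupted.
        data = data[:1] + b'\x12' + data[2:]
        opts = [dns.edns.GenericOption(dns.edns.COOKIE, data)]
        query = dns.message.make_query('www.example.org', 'A', options=opts)
        res = self.sendUDPQuery(query)
        self.assertRcodeEqual(res, 23)  # BADCOOKIE
        for opt in res.options:
            if opt.otype == dns.edns.COOKIE:
                self.assertNotEqual(opt.data, opts[0].data)
                return
        self.fail('BADCOOKIE response carried no COOKIE option')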