BIND 10 master, updated. 1d4cd68ac7b1b5dbab042a1d5b7b82710d0a7769 [master] update ChangeLog
BIND 10 source code commits
bind10-changes at lists.isc.org
Fri Jun 10 10:06:27 UTC 2011
The branch, master has been updated
via 1d4cd68ac7b1b5dbab042a1d5b7b82710d0a7769 (commit)
via 261450e93af0b0406178e9ef121f81e721e0855c (commit)
via 0bb032a0b6ce7ca30fb250a647b81394faeeb730 (commit)
via 99785047d78bc833643292c1b795ea24e7916641 (commit)
via 6135be8219f25c87c5a551354b889e8c4e55fbfa (commit)
via 2636154f904f6123de434503ff72e65e4a27cbae (commit)
via e95a07de2e9eb88d461efd236664a7d12f204e74 (commit)
via 8e105c57dd7c082a36d4710e5ddf27bda118adb5 (commit)
via 479cab63fda13cde6707a71dd16d9bb4c1f93b4a (commit)
from be1bc7ac71892b98cf5449b9df388ba7de462e10 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 1d4cd68ac7b1b5dbab042a1d5b7b82710d0a7769
Author: chenzhengzhang <jerry.zzpku at gmail.com>
Date: Fri Jun 10 18:06:05 2011 +0800
[master] update ChangeLog
commit 261450e93af0b0406178e9ef121f81e721e0855c
Author: chenzhengzhang <jerry.zzpku at gmail.com>
Date: Fri Jun 10 18:05:06 2011 +0800
[master] merge trac955 : xfrin should check TSIG before other part of incoming message
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 5 +++
src/bin/xfrin/tests/xfrin_test.py | 52 ++++++++++++++++++++++++++++++++++++-
src/bin/xfrin/xfrin.py.in | 12 +++++---
3 files changed, 63 insertions(+), 6 deletions(-)
-----------------------------------------------------------------------
diff --git a/ChangeLog b/ChangeLog
index e582b5f..725a0a6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+256. [bug] jerry
+ src/bin/xfrin: update xfrin to check TSIG before other part of
+ incoming message.
+ (Trac955, git 261450e93af0b0406178e9ef121f81e721e0855c)
+
255. [func] zhang likun
src/lib/cache: remove empty code in lib/cache and the corresponding
suppression rule in src/cppcheck-suppress.lst.
diff --git a/src/bin/xfrin/tests/xfrin_test.py b/src/bin/xfrin/tests/xfrin_test.py
index f3e2ee4..2acd9d6 100644
--- a/src/bin/xfrin/tests/xfrin_test.py
+++ b/src/bin/xfrin/tests/xfrin_test.py
@@ -15,6 +15,7 @@
import unittest
import socket
+import io
from isc.testutils.tsigctx_mock import MockTSIGContext
from xfrin import *
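Review bot: The added `import io` is not referenced by any of the test code this commit adds to xfrin_test.py. Since the import is new in this commit, nothing that was already in the file can depend on it either. Unless a follow-up change needs it, the line should be dropped.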
@@ -78,7 +79,7 @@ class MockXfrin(Xfrin):
def _get_db_file(self):
pass
-
+
def _cc_check_command(self):
self._shutdown_event.set()
if MockXfrin.check_command_hook:
@@ -207,6 +208,18 @@ class TestXfrinConnection(unittest.TestCase):
mock_ctx.error = error
return mock_ctx
+ def __match_exception(self, expected_exception, expected_msg, expression):
+ # This helper method is a higher-granularity version of assertRaises().
+ # If it's not sufficient to check the exception class (e.g., when
+ # the same type of exceptions can be thrown from many places), this
+ # method can be used to check it with the exception argument.
+ try:
+ expression()
+ except expected_exception as ex:
+ self.assertEqual(str(ex), expected_msg)
+ else:
+ self.assertFalse('exception is expected, but not raised')
+
def test_close(self):
# we shouldn't be using the global asyncore map.
self.assertEqual(len(asyncore.socket_map), 0)
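Review bot: In the `else:` branch of `__match_exception`, `self.assertFalse('exception is expected, but not raised')` fails only because a non-empty string is truthy, so the failure report reads as "... is not false" rather than as the intended message. `self.fail('exception is expected, but not raised')` states the intent directly. The helper also has only `#` comments; a one-line docstring saying that `expression` is a zero-argument callable and that `str(ex)` must equal `expected_msg` exactly would make the contract explicit.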
@@ -293,6 +306,31 @@ class TestXfrinConnection(unittest.TestCase):
self.conn.reply_data = self.conn.create_response_data(bad_qid = True)
self.assertRaises(XfrinException, self._handle_xfrin_response)
+ def test_response_error_code_bad_sig(self):
+ self.conn._tsig_key = TSIG_KEY
+ self.conn._tsig_ctx_creator = \
+ lambda key: self.__create_mock_tsig(key, TSIGError.BAD_SIG)
+ self.conn._send_query(RRType.AXFR())
+ self.conn.reply_data = self.conn.create_response_data(
+ rcode=Rcode.SERVFAIL())
+ # xfrin should check TSIG before other part of incoming message
+ # validate log message for XfrinException
+ self.__match_exception(XfrinException,
+ "TSIG verify fail: BADSIG",
+ self._handle_xfrin_response)
+
+ def test_response_bad_qid_bad_key(self):
+ self.conn._tsig_key = TSIG_KEY
+ self.conn._tsig_ctx_creator = \
+ lambda key: self.__create_mock_tsig(key, TSIGError.BAD_KEY)
+ self.conn._send_query(RRType.AXFR())
+ self.conn.reply_data = self.conn.create_response_data(bad_qid=True)
+ # xfrin should check TSIG before other part of incoming message
+ # validate log message for XfrinException
+ self.__match_exception(XfrinException,
+ "TSIG verify fail: BADKEY",
+ self._handle_xfrin_response)
+
def test_response_non_response(self):
self.conn._send_query(RRType.AXFR())
self.conn.reply_data = self.conn.create_response_data(response = False)
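Review bot: The comment `# validate log message for XfrinException` in `test_response_error_code_bad_sig` is misleading, because the helper compares `str(ex)` with the expected text and inspects no log output. Something like `# the TSIG failure must be reported in preference to the SERVFAIL rcode` would say what is being pinned. The same comment appears in `test_response_bad_qid_bad_key` and, in the next hunk, in `test_soacheck_bad_qid_bad_sig`. The new cases cover a bad rcode and a bad query id combined with a failed TSIG; a response with the QR flag cleared and a failed TSIG is not covered by the tests added here.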
@@ -337,6 +375,18 @@ class TestXfrinConnection(unittest.TestCase):
self.conn.response_generator = self._create_soa_response_data
self.assertRaises(XfrinException, self.conn._check_soa_serial)
+ def test_soacheck_bad_qid_bad_sig(self):
+ self.conn._tsig_key = TSIG_KEY
+ self.conn._tsig_ctx_creator = \
+ lambda key: self.__create_mock_tsig(key, TSIGError.BAD_SIG)
+ self.soa_response_params['bad_qid'] = True
+ self.conn.response_generator = self._create_soa_response_data
+ # xfrin should check TSIG before other part of incoming message
+ # validate log message for XfrinException
+ self.__match_exception(XfrinException,
+ "TSIG verify fail: BADSIG",
+ self.conn._check_soa_serial)
+
def test_soacheck_non_response(self):
self.soa_response_params['response'] = False
self.conn.response_generator = self._create_soa_response_data
diff --git a/src/bin/xfrin/xfrin.py.in b/src/bin/xfrin/xfrin.py.in
index 7758a37..a9ca0f2 100755
--- a/src/bin/xfrin/xfrin.py.in
+++ b/src/bin/xfrin/xfrin.py.in
@@ -243,13 +243,13 @@ class XfrinConnection(asyncore.dispatcher):
msg = Message(Message.PARSE)
msg.from_wire(soa_response)
+ # TSIG related checks, including an unexpected signed response
+ self._check_response_tsig(msg, soa_response)
+
# perform some minimal level validation. It's an open issue how
# strict we should be (see the comment in _check_response_header())
self._check_response_header(msg)
- # TSIG related checks, including an unexpected signed response
- self._check_response_tsig(msg, soa_response)
-
# TODO, need select soa record from data source then compare the two
# serial, current just return OK, since this function hasn't been used
# now.
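Review bot: The comment kept above the moved `self._check_response_tsig(msg, soa_response)` call does not say that the ordering is deliberate, so a later refactor could put the header check first again. I would extend it to something like `# Verify TSIG first: header fields (rcode, QR, query id) are unauthenticated until the signature check has passed.` The same applies to the reordered calls in the `@@ -362,11 +362,13 @@` hunk. The enclosing method starts and ends outside this hunk, and `msg.from_wire()` necessarily still runs before the TSIG check.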
@@ -311,7 +311,7 @@ class XfrinConnection(asyncore.dispatcher):
raise XfrinException('error response: %s' % msg_rcode.to_text())
if not msg.get_header_flag(Message.HEADERFLAG_QR):
- raise XfrinException('response is not a response ')
+ raise XfrinException('response is not a response')
if msg.get_qid() != self._query_id:
raise XfrinException('bad query id')
@@ -362,11 +362,13 @@ class XfrinConnection(asyncore.dispatcher):
recvdata = self._get_request_response(msg_len)
msg = Message(Message.PARSE)
msg.from_wire(recvdata)
- self._check_response_status(msg)
# TSIG related checks, including an unexpected signed response
self._check_response_tsig(msg, recvdata)
+ # Perform response status validation
+ self._check_response_status(msg)
+
answer_section = msg.get_section(Message.SECTION_ANSWER)
for rr in self._handle_answer_section(answer_section):
yield rr
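Review bot: After the reorder, each message is TSIG-checked before its status, but the `for rr in ...: yield rr` loop still hands records to the caller as soon as that one message has passed. Whether the caller discards records already yielded when a later message of the same transfer fails `_check_response_tsig` is not visible in this hunk. A comment at the loop would document that requirement, for example `# records are yielded per message; the caller must not commit them unless the whole transfer completes without an XfrinException`. The enclosing method starts and ends outside the hunk.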