author | Brian Wellington <bwelling@xbill.org> | 2020-06-29 13:48:09 -0700 |
committer | Brian Wellington <bwelling@xbill.org> | 2020-06-30 08:32:59 -0700 |
commit | 8c6ba9e62fce0b7acaa1995f57b36908f9277684 (patch) | |
tree | debd14fd8ffb15790b6c6a5b1fc7f189b5277d14 | |
parent | 6ea8e8a71fd855c61b3d6095ce536105fbedf8d7 (diff) | |
download | dnspython-8c6ba9e62fce0b7acaa1995f57b36908f9277684.tar.gz |
Change dns.tsig.validate() to take a TSIG record.
-rw-r--r-- | dns/message.py | 3 | ||||
-rw-r--r-- | dns/tsig.py | 45 |
2 files changed, 15 insertions, 33 deletions
diff --git a/dns/message.py b/dns/message.py
index 1e67c99..1676ba8 100644
--- a/dns/message.py
+++ b/dns/message.py
@@ -785,12 +785,11 @@ class _WireReader:
                 self.message.tsig_ctx = \
                     dns.tsig.validate(self.wire, absolute_name,
+                                      rd,
                                       secret,
                                       int(time.time()),
                                       self.message.request_mac,
                                       rr_start,
-                                      self.current,
-                                      rdlen,
                                       self.message.tsig_ctx,
                                       self.message.multi,
                                       self.message.first)
diff --git a/dns/tsig.py b/dns/tsig.py
index 5744f1a..a9d85de 100644
--- a/dns/tsig.py
+++ b/dns/tsig.py
@@ -138,8 +138,8 @@ def sign(wire, keyname, secret, time, fudge, original_id, error,
     return (tsig_rdata, mac, ctx)
 
 
-def validate(wire, keyname, secret, now, request_mac, tsig_start, tsig_rdata,
-             tsig_rdlen, ctx=None, multi=False, first=True):
+def validate(wire, keyname, rdata, secret, now, request_mac, tsig_start,
+             ctx=None, multi=False, first=True):
     """Validate the specified TSIG rdata against the other input parameters.
 
     @raises FormError: The TSIG is badly formed.
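Review bot: The new signature inserts `rdata` as the third positional parameter and drops `tsig_rdata`/`tsig_rdlen`, but the docstring that follows still only says "Validate the specified TSIG rdata" and never describes what `rdata` must be; an external caller still using the old positional order would hand `secret` in as `rdata` and fail with an AttributeError rather than a clear error. Add a parameter line alongside the existing `@raises` entries, e.g. `@param rdata: the parsed TSIG rdata; its error, time_signed, fudge, mac, original_id, other and algorithm attributes are read`, and note the incompatible positional change in the docstring or changelog. The remainder of validate's docstring and body lies outside this hunk.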
@@ -153,41 +153,24 @@ def validate(wire, keyname, secret, now, request_mac, tsig_start, tsig_rdata,
         raise dns.exception.FormError
     adcount -= 1
     new_wire = wire[0:10] + struct.pack("!H", adcount) + wire[12:tsig_start]
-    current = tsig_rdata
-    (aname, used) = dns.name.from_wire(wire, current)
-    current = current + used
-    (upper_time, lower_time, fudge, mac_size) = \
-        struct.unpack("!HIHH", wire[current:current + 10])
-    time = (upper_time << 32) + lower_time
-    current += 10
-    mac = wire[current:current + mac_size]
-    current += mac_size
-    (original_id, error, other_size) = \
-        struct.unpack("!HHH", wire[current:current + 6])
-    current += 6
-    other_data = wire[current:current + other_size]
-    current += other_size
-    if current != tsig_rdata + tsig_rdlen:
-        raise dns.exception.FormError
-    if error != 0:
-        if error == BADSIG:
+    if rdata.error != 0:
+        if rdata.error == BADSIG:
             raise PeerBadSignature
-        elif error == BADKEY:
+        elif rdata.error == BADKEY:
             raise PeerBadKey
-        elif error == BADTIME:
+        elif rdata.error == BADTIME:
             raise PeerBadTime
-        elif error == BADTRUNC:
+        elif rdata.error == BADTRUNC:
             raise PeerBadTruncation
         else:
-            raise PeerError('unknown TSIG error code %d' % error)
-    time_low = time - fudge
-    time_high = time + fudge
-    if now < time_low or now > time_high:
+            raise PeerError('unknown TSIG error code %d' % rdata.error)
+    if abs(rdata.time_signed - now) > rdata.fudge:
         raise BadTime
-    (junk, our_mac, ctx) = sign(new_wire, keyname, secret, time, fudge,
-                                original_id, error, other_data,
-                                request_mac, ctx, multi, first, aname)
-    if our_mac != mac:
+    (junk, our_mac, ctx) = sign(new_wire, keyname, secret, rdata.time_signed,
+                                rdata.fudge, rdata.original_id, rdata.error,
+                                rdata.other, request_mac, ctx, multi, first,
+                                rdata.algorithm)
+    if our_mac != rdata.mac:
         raise BadSignature
     return ctx
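Review bot: The signature check `if our_mac != rdata.mac:` compares the locally computed MAC with the peer-supplied one by ordinary bytes equality, which stops at the first differing byte; since `rdata.mac` comes straight off the wire, `if not hmac.compare_digest(our_mac, rdata.mac):` is the usual constant-time form (the `hmac` module is presumably already imported for `sign`; if not it needs adding at the top of dns/tsig.py). The dropped `if current != tsig_rdata + tsig_rdlen` check also means validate() no longer confirms that the TSIG rdata consumed exactly its declared length, so that guarantee now rests entirely on whatever parser produced `rdata`, which is outside this diff and worth confirming. The `abs(rdata.time_signed - now) > rdata.fudge` rewrite is equivalent to the old two-sided window test. validate's header is in the previous hunk; the function ends at `return ctx` here.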