authorJan Hák <jan.hak@nic.cz>2024-10-17 14:47:37 +0200
committerDaniel Salzman <daniel.salzman@nic.cz>2024-10-26 15:57:22 +0200
commit1483e4414e8a73a138a4e3e33c9398b778e87289 (patch)
tree2e04a7b9bb963f23fc90a84adb2861a38c0b00ff /tests-extra/tests
parentMerge branch 'kjournalprint_M_zij_fllwup' into 'master' (diff)
mod-cookies: secondary cookie secret
Diffstat (limited to 'tests-extra/tests')
-rw-r--r--tests-extra/tests/modules/cookies/test.py58
1 files changed, 54 insertions, 4 deletions
diff --git a/tests-extra/tests/modules/cookies/test.py b/tests-extra/tests/modules/cookies/test.py
index 73acd9d1d..1f86ab59e 100644
--- a/tests-extra/tests/modules/cookies/test.py
+++ b/tests-extra/tests/modules/cookies/test.py
@@ -13,19 +13,21 @@ from dnstest.test import Test
from dnstest.module import ModCookies
from dnstest.utils import *
+secret1 = bytearray(b'\xde\xad\xbe\xef\xde\xad\xbe\xef\xde\xad\xbe\xef\xde\xad\xbe\xef')
+secret2 = bytearray(b'\x8b\xad\xf0\x0d\x8b\xad\xf0\x0d\x8b\xad\xf0\x0d\x8b\xad\xf0\x0d')
clientCookie = bytearray(b'\xde\xad\xbe\xef\xfe\xeb\xda\xed')
clientCookieLen = 8
cookieOpcode = 10
rcodeNoerror = 0
rcodeBadcookie = 23
-def reconfigure(server, zone, secret_lifetime, badcookie_slip):
+def reconfigure(server, zone, badcookie_slip, secret_lifetime = None, secret = None):
"""
Reconfigure server module.
"""
server.clear_modules(None)
server.add_module(None, ModCookies(secret_lifetime=secret_lifetime,
- badcookie_slip=badcookie_slip))
+ badcookie_slip=badcookie_slip, secret=secret))
server.gen_confile()
server.reload()
server.zone_wait(zone)
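Review bot: The new `reconfigure` signature swaps the positional order of `secret_lifetime` and `badcookie_slip`, so a call still written in the old order would silently pass a lifetime as the slip value. The two calls visible later in this patch are updated, but making the optional arguments keyword-only would turn any stale call into a TypeError: `def reconfigure(server, zone, badcookie_slip, *, secret_lifetime=None, secret=None):`. The docstring could also state that `secret` is a list of byte strings and, as the later test steps appear to rely on, that the first entry is the one used to issue new cookies. The function body may continue past the end of this hunk.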
@@ -54,7 +56,7 @@ t.link(zone, knot)
t.start()
-reconfigure(knot, zone, 5, 1)
+reconfigure(knot, zone, 1, secret_lifetime=5)
# Try a query without EDNS
query = dns.message.make_query("dns1.example.com", "A", use_edns=False)
@@ -93,7 +95,7 @@ cookieOpt = response.options[0]
query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt])
response = check_rcode(knot, query, rcodeNoerror, "CORRECT COOKIE 2")
-reconfigure(knot, zone, 1000000, 4)
+reconfigure(knot, zone, 4, secret_lifetime=1000000)
cookieOpt = dns.edns.option_from_wire(cookieOpcode, clientCookie, 0, clientCookieLen)
query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt]);
@@ -109,4 +111,52 @@ for i in range(3):
query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt]);
check_rcode(knot, query, rcodeBadcookie, "BADCOOKIE")
+## Fixed secret(s)
+
+reconfigure(knot, zone, 1, secret=[secret1])
+
+# Receive a server cookie for secret1
+cookieOpt = dns.edns.option_from_wire(cookieOpcode, clientCookie, 0, clientCookieLen)
+query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt])
+response = check_rcode(knot, query, rcodeBadcookie, "ONLY CLIENT COOKIE - SECRET1")
+
+# Try a query with the received cookie
+cookieOpt1 = response.options[0]
+query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt1])
+check_rcode(knot, query, rcodeNoerror, "CORRECT COOKIE - SECRET1")
+
+reconfigure(knot, zone, 1, secret=[secret2])
+
+# Re-try a query with the received cookie against secret2
+query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt1])
+response = check_rcode(knot, query, rcodeBadcookie, "BADCOOKIE - SECRET2")
+cookieOpt2 = response.options[0]
+
+# Re-try a query with the received cookie against secret1 again
+reconfigure(knot, zone, 1, secret=[secret1])
+query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt1])
+check_rcode(knot, query, rcodeNoerror, "CORRECT COOKIE - SECRET1")
+
+reconfigure(knot, zone, 1, secret=[secret2, secret1])
+
+# Re-try cookie with secret1
+query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt1])
+check_rcode(knot, query, rcodeNoerror, "CORRECT COOKIE - SECRET1,2")
+
+# Re-try cookie with secret2
+query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt2])
+check_rcode(knot, query, rcodeNoerror, "CORRECT COOKIE - SECRET2,1")
+
+# Get new server cookie when two secret are configured
+cookieOpt = dns.edns.option_from_wire(cookieOpcode, clientCookie, 0, clientCookieLen)
+query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt])
+response = check_rcode(knot, query, rcodeBadcookie, "ONLY CLIENT COOKIE - SECRET2,1")
+cookieOpt21 = response.options[0]
+
+reconfigure(knot, zone, 1, secret=[secret2])
+
+# Re-try cookie with first secret2
+query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt21])
+check_rcode(knot, query, rcodeNoerror, "CORRECT COOKIE - SECRET2,1")
+
t.end()
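Review bot: The fixed-secret block never checks that a cookie issued under the secondary secret is refused once that secret is dropped after a two-secret period. After the final `reconfigure(knot, zone, 1, secret=[secret2])` only `cookieOpt21` is tried. Adding `query = dns.message.make_query("dns1.example.com", "A", use_edns=True, options=[cookieOpt1])` followed by `check_rcode(knot, query, rcodeBadcookie, "BADCOOKIE - SECRET1 REMOVED")` would cover the end of a secret rollover, which is the step that matters when an old or possibly exposed secret is retired. Separately, the labels "CORRECT COOKIE - SECRET1" and "CORRECT COOKIE - SECRET2,1" are each used twice in this block, so a failure message does not identify which step failed; distinct labels would fix that.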