From a38d599260c8fdcfc4ecd7b474ce41393771fbc7 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 24 Feb 2026 13:35:07 +1100
Subject: [PATCH] Test maximum length NSEC3 hash detection

Adds text and wire format unit tests to verify the newly enforced
maximum NSEC3 hash length constraints.  These tests ensure that hash
lengths up to the 39-byte maximum are accepted, while larger sizes
correctly fail.

(cherry picked from commit e83a182056b5624566a576669417e62eb94bffe9)
---
 tests/dns/rdata_test.c | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)

diff --git a/tests/dns/rdata_test.c b/tests/dns/rdata_test.c
index f2e9ba62e6..ab6b2a974c 100644
--- a/tests/dns/rdata_test.c
+++ b/tests/dns/rdata_test.c
@@ -2420,8 +2420,7 @@ ISC_RUN_TEST_IMPL(nsec) {
  * RFC 5155.
  */
 ISC_RUN_TEST_IMPL(nsec3) {
-	text_ok_t text_ok[] = { TEXT_INVALID(""),
-				TEXT_INVALID("."),
+	text_ok_t text_ok[] = { TEXT_INVALID(""), TEXT_INVALID("."),
 				TEXT_INVALID(". RRSIG"),
 				TEXT_INVALID("1 0 10 76931F"),
 				TEXT_INVALID("1 0 10 76931F "
@@ -2437,9 +2436,38 @@ ISC_RUN_TEST_IMPL(nsec3) {
 					   "AJHVGTICN6K0VDA53GCHFMT219SRRQLM"),
 				TEXT_VALID("1 0 10 - "
 					   "AJHVGTICN6K0VDA53GCHFMT219SRRQLM"),
+				/* 123456789012345678901234567890123456789 */
+				TEXT_VALID("2 0 10 - "
+					   "64P36D1L6ORJGE9G64P36D1L6ORJGE9G64P"
+					   "36D1L6ORJGE9G64P36D1L6ORJGE8"),
+				/* 1234567890123456789012345678901234567890 */
+				TEXT_INVALID("2 0 10 - "
+					     "64P36D1L6ORJGE9G64P36D1L6ORJGE9G6"
+					     "4P36D1L6ORJGE9G64P36D1L6ORJGE9G"),
 				TEXT_SENTINEL() };
+	wire_ok_t wire_ok[] = {
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00),
+		/* maximal hash */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x01, 0x02, 0x03,
+			   0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02,
+			   0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01,
+			   0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00,
+			   0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			   0x09),
+		/* Too big hash */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x01, 0x02,
+			     0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00,
+			     0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			     0x09, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
+			     0x07, 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, 0x04,
+			     0x05, 0x06, 0x07, 0x08, 0x09, 0x00),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
 
-	check_rdata(text_ok, NULL, NULL, false, dns_rdataclass_in,
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
 		    dns_rdatatype_nsec3, sizeof(dns_rdata_nsec3_t));
 }