2007-08-15 09:18:32 -04:00
|
|
|
/*
|
|
|
|
|
* testcode/unitverify.c - unit test for signature verification routines.
|
|
|
|
|
*
|
|
|
|
|
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* This software is open source.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
*
|
|
|
|
|
* Redistributions of source code must retain the above copyright notice,
|
|
|
|
|
* this list of conditions and the following disclaimer.
|
|
|
|
|
*
|
|
|
|
|
* Redistributions in binary form must reproduce the above copyright notice,
|
|
|
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
|
|
|
* and/or other materials provided with the distribution.
|
|
|
|
|
*
|
|
|
|
|
* Neither the name of the NLNET LABS nor the names of its contributors may
|
|
|
|
|
* be used to endorse or promote products derived from this software without
|
|
|
|
|
* specific prior written permission.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
2014-02-07 08:28:39 -05:00
|
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
|
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
|
|
|
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
|
|
|
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
|
|
|
|
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
|
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
|
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
|
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
2007-08-15 09:18:32 -04:00
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
/**
|
|
|
|
|
* \file
|
|
|
|
|
* Calls verification unit tests. Exits with code 1 on a failure.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "config.h"
|
|
|
|
|
#include "util/log.h"
|
|
|
|
|
#include "testcode/unitmain.h"
|
|
|
|
|
#include "validator/val_sigcrypt.h"
|
2012-07-20 10:08:51 -04:00
|
|
|
#include "validator/val_secalgo.h"
|
2007-08-17 07:41:49 -04:00
|
|
|
#include "validator/val_nsec.h"
|
2007-09-17 05:25:54 -04:00
|
|
|
#include "validator/val_nsec3.h"
|
2007-08-15 09:18:32 -04:00
|
|
|
#include "validator/validator.h"
|
2013-10-31 11:09:26 -04:00
|
|
|
#include "testcode/testpkts.h"
|
2007-08-15 09:18:32 -04:00
|
|
|
#include "util/data/msgreply.h"
|
|
|
|
|
#include "util/data/msgparse.h"
|
2007-09-17 05:25:54 -04:00
|
|
|
#include "util/data/dname.h"
|
2007-10-18 16:31:43 -04:00
|
|
|
#include "util/regional.h"
|
2007-08-15 09:18:32 -04:00
|
|
|
#include "util/alloc.h"
|
2007-09-17 05:25:54 -04:00
|
|
|
#include "util/rbtree.h"
|
2007-08-15 09:18:32 -04:00
|
|
|
#include "util/net_help.h"
|
|
|
|
|
#include "util/module.h"
|
|
|
|
|
#include "util/config_file.h"
|
2015-03-26 06:21:38 -04:00
|
|
|
#include "sldns/sbuffer.h"
|
|
|
|
|
#include "sldns/keyraw.h"
|
|
|
|
|
#include "sldns/str2wire.h"
|
|
|
|
|
#include "sldns/wire2str.h"
|
2007-08-15 09:18:32 -04:00
|
|
|
|
2025-04-25 05:12:28 -04:00
|
|
|
#ifdef HAVE_SSL
|
|
|
|
|
#ifdef HAVE_OPENSSL_ERR_H
|
|
|
|
|
#include <openssl/err.h>
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
|
|
|
|
|
2007-08-15 09:18:32 -04:00
|
|
|
/** verbose signature test */
|
|
|
|
|
static int vsig = 0;
|
|
|
|
|
|
|
|
|
|
/** entry to packet buffer with wireformat */
|
|
|
|
|
static void
|
2013-12-03 04:11:16 -05:00
|
|
|
entry_to_buf(struct entry* e, sldns_buffer* pkt)
|
2007-08-15 09:18:32 -04:00
|
|
|
{
|
|
|
|
|
unit_assert(e->reply_list);
|
|
|
|
|
if(e->reply_list->reply_from_hex) {
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_buffer_copy(pkt, e->reply_list->reply_from_hex);
|
2007-08-15 09:18:32 -04:00
|
|
|
} else {
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_buffer_clear(pkt);
|
|
|
|
|
sldns_buffer_write(pkt, e->reply_list->reply_pkt,
|
2013-10-31 11:09:26 -04:00
|
|
|
e->reply_list->reply_len);
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_buffer_flip(pkt);
|
2007-08-15 09:18:32 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** entry to reply info conversion */
|
|
|
|
|
static void
|
2007-10-18 16:31:43 -04:00
|
|
|
entry_to_repinfo(struct entry* e, struct alloc_cache* alloc,
|
2013-12-03 04:11:16 -05:00
|
|
|
struct regional* region, sldns_buffer* pkt, struct query_info* qi,
|
2007-08-15 09:18:32 -04:00
|
|
|
struct reply_info** rep)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
struct edns_data edns;
|
|
|
|
|
entry_to_buf(e, pkt);
|
2007-09-21 09:55:07 -04:00
|
|
|
/* lock alloc lock to please lock checking software.
|
|
|
|
|
* alloc_special_obtain assumes it is talking to a ub-alloc,
|
|
|
|
|
* and does not need to perform locking. Here the alloc is
|
|
|
|
|
* the only one, so we lock it here */
|
|
|
|
|
lock_quick_lock(&alloc->lock);
|
2007-08-15 09:18:32 -04:00
|
|
|
ret = reply_info_parse(pkt, alloc, qi, rep, region, &edns);
|
2007-09-21 09:55:07 -04:00
|
|
|
lock_quick_unlock(&alloc->lock);
|
2007-08-15 09:18:32 -04:00
|
|
|
if(ret != 0) {
|
2013-10-31 11:09:26 -04:00
|
|
|
char rcode[16];
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_wire2str_rcode_buf(ret, rcode, sizeof(rcode));
|
2013-10-31 11:09:26 -04:00
|
|
|
printf("parse code %d: %s\n", ret, rcode);
|
2007-08-15 09:18:32 -04:00
|
|
|
unit_assert(ret != 0);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** extract DNSKEY rrset from answer and convert it */
|
|
|
|
|
static struct ub_packed_rrset_key*
|
2007-10-18 16:31:43 -04:00
|
|
|
extract_keys(struct entry* e, struct alloc_cache* alloc,
|
2013-12-03 04:11:16 -05:00
|
|
|
struct regional* region, sldns_buffer* pkt)
|
2007-08-15 09:18:32 -04:00
|
|
|
{
|
|
|
|
|
struct ub_packed_rrset_key* dnskey = NULL;
|
|
|
|
|
struct query_info qinfo;
|
|
|
|
|
struct reply_info* rep = NULL;
|
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
|
|
entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep);
|
|
|
|
|
for(i=0; i<rep->an_numrrsets; i++) {
|
|
|
|
|
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DNSKEY) {
|
|
|
|
|
dnskey = rep->rrsets[i];
|
|
|
|
|
rep->rrsets[i] = NULL;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
unit_assert(dnskey);
|
|
|
|
|
|
|
|
|
|
reply_info_parsedelete(rep, alloc);
|
|
|
|
|
query_info_clear(&qinfo);
|
|
|
|
|
return dnskey;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** return true if answer should be bogus */
|
|
|
|
|
static int
|
2009-01-06 06:31:21 -05:00
|
|
|
should_be_bogus(struct ub_packed_rrset_key* rrset, struct query_info* qinfo)
|
2007-08-15 09:18:32 -04:00
|
|
|
{
|
|
|
|
|
struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
|
|
|
|
|
entry.data;
|
|
|
|
|
if(d->rrsig_count == 0)
|
|
|
|
|
return 1;
|
2008-09-30 09:06:07 -04:00
|
|
|
/* name 'bogus' as first label signals bogus */
|
|
|
|
|
if(rrset->rk.dname_len > 6 && memcmp(rrset->rk.dname+1, "bogus", 5)==0)
|
|
|
|
|
return 1;
|
2009-01-06 06:31:21 -05:00
|
|
|
if(qinfo->qname_len > 6 && memcmp(qinfo->qname+1, "bogus", 5)==0)
|
|
|
|
|
return 1;
|
2007-08-15 09:18:32 -04:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-20 10:58:12 -05:00
|
|
|
/** return number of rrs in an rrset */
|
|
|
|
|
static size_t
|
|
|
|
|
rrset_get_count(struct ub_packed_rrset_key* rrset)
|
|
|
|
|
{
|
|
|
|
|
struct packed_rrset_data* d = (struct packed_rrset_data*)
|
|
|
|
|
rrset->entry.data;
|
|
|
|
|
if(!d) return 0;
|
|
|
|
|
return d->count;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** setup sig alg list from dnskey */
|
|
|
|
|
static void
|
|
|
|
|
setup_sigalg(struct ub_packed_rrset_key* dnskey, uint8_t* sigalg)
|
|
|
|
|
{
|
|
|
|
|
uint8_t a[ALGO_NEEDS_MAX];
|
|
|
|
|
size_t i, n = 0;
|
|
|
|
|
memset(a, 0, sizeof(a));
|
|
|
|
|
for(i=0; i<rrset_get_count(dnskey); i++) {
|
2010-12-20 11:08:52 -05:00
|
|
|
uint8_t algo = (uint8_t)dnskey_get_algo(dnskey, i);
|
2010-12-20 10:58:12 -05:00
|
|
|
if(a[algo] == 0) {
|
|
|
|
|
a[algo] = 1;
|
|
|
|
|
sigalg[n++] = algo;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
sigalg[n] = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2007-08-15 09:18:32 -04:00
|
|
|
/** verify and test one rrset against the key rrset */
|
|
|
|
|
static void
|
|
|
|
|
verifytest_rrset(struct module_env* env, struct val_env* ve,
|
2009-01-06 06:31:21 -05:00
|
|
|
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
|
|
|
|
|
struct query_info* qinfo)
|
2007-08-15 09:18:32 -04:00
|
|
|
{
|
|
|
|
|
enum sec_status sec;
|
2024-07-08 09:29:20 -04:00
|
|
|
char reasonbuf[256];
|
2009-10-07 12:45:47 -04:00
|
|
|
char* reason = NULL;
|
2010-12-20 10:58:12 -05:00
|
|
|
uint8_t sigalg[ALGO_NEEDS_MAX+1];
|
2024-02-13 07:02:08 -05:00
|
|
|
int verified = 0;
|
2007-08-15 09:18:32 -04:00
|
|
|
if(vsig) {
|
2008-02-07 04:46:49 -05:00
|
|
|
log_nametypeclass(VERB_QUERY, "verify of rrset",
|
2007-08-15 09:18:32 -04:00
|
|
|
rrset->rk.dname, ntohs(rrset->rk.type),
|
|
|
|
|
ntohs(rrset->rk.rrset_class));
|
|
|
|
|
}
|
2010-12-20 10:58:12 -05:00
|
|
|
setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */
|
2018-01-19 04:50:35 -05:00
|
|
|
/* ok to give null as qstate here, won't be used for answer section. */
|
2024-07-08 09:29:20 -04:00
|
|
|
sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason,
|
|
|
|
|
NULL, LDNS_SECTION_ANSWER, NULL, &verified, reasonbuf,
|
|
|
|
|
sizeof(reasonbuf));
|
2007-08-15 09:18:32 -04:00
|
|
|
if(vsig) {
|
2009-10-07 12:45:47 -04:00
|
|
|
printf("verify outcome is: %s %s\n", sec_status_to_string(sec),
|
|
|
|
|
reason?reason:"");
|
2007-08-15 09:18:32 -04:00
|
|
|
}
|
2015-11-17 08:31:22 -05:00
|
|
|
if(should_be_bogus(rrset, qinfo)) {
|
2007-08-15 09:18:32 -04:00
|
|
|
unit_assert(sec == sec_status_bogus);
|
|
|
|
|
} else {
|
|
|
|
|
unit_assert(sec == sec_status_secure);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** verify and test an entry - every rr in the message */
|
|
|
|
|
static void
|
2007-10-18 16:31:43 -04:00
|
|
|
verifytest_entry(struct entry* e, struct alloc_cache* alloc,
|
2013-12-03 04:11:16 -05:00
|
|
|
struct regional* region, sldns_buffer* pkt,
|
2007-10-18 16:31:43 -04:00
|
|
|
struct ub_packed_rrset_key* dnskey, struct module_env* env,
|
|
|
|
|
struct val_env* ve)
|
2007-08-15 09:18:32 -04:00
|
|
|
{
|
|
|
|
|
struct query_info qinfo;
|
|
|
|
|
struct reply_info* rep = NULL;
|
|
|
|
|
size_t i;
|
|
|
|
|
|
2007-10-18 16:31:43 -04:00
|
|
|
regional_free_all(region);
|
2007-08-15 09:18:32 -04:00
|
|
|
if(vsig) {
|
2013-12-03 04:11:16 -05:00
|
|
|
char* s = sldns_wire2str_pkt(e->reply_list->reply_pkt,
|
2013-10-31 11:09:26 -04:00
|
|
|
e->reply_list->reply_len);
|
|
|
|
|
printf("verifying pkt:\n%s\n", s?s:"outofmemory");
|
|
|
|
|
free(s);
|
2007-08-15 09:18:32 -04:00
|
|
|
}
|
|
|
|
|
entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep);
|
|
|
|
|
|
|
|
|
|
for(i=0; i<rep->rrset_count; i++) {
|
2009-01-06 06:31:21 -05:00
|
|
|
verifytest_rrset(env, ve, rep->rrsets[i], dnskey, &qinfo);
|
2007-08-15 09:18:32 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
reply_info_parsedelete(rep, alloc);
|
|
|
|
|
query_info_clear(&qinfo);
|
|
|
|
|
}
|
|
|
|
|
|
2007-08-16 05:33:35 -04:00
|
|
|
/** find RRset in reply by type */
|
|
|
|
|
static struct ub_packed_rrset_key*
|
|
|
|
|
find_rrset_type(struct reply_info* rep, uint16_t type)
|
|
|
|
|
{
|
|
|
|
|
size_t i;
|
|
|
|
|
for(i=0; i<rep->rrset_count; i++) {
|
|
|
|
|
if(ntohs(rep->rrsets[i]->rk.type) == type)
|
|
|
|
|
return rep->rrsets[i];
|
|
|
|
|
}
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** DS sig test an entry - get DNSKEY and DS in entry and verify */
|
|
|
|
|
static void
|
2007-10-18 16:31:43 -04:00
|
|
|
dstest_entry(struct entry* e, struct alloc_cache* alloc,
|
2013-12-03 04:11:16 -05:00
|
|
|
struct regional* region, sldns_buffer* pkt, struct module_env* env)
|
2007-08-16 05:33:35 -04:00
|
|
|
{
|
|
|
|
|
struct query_info qinfo;
|
|
|
|
|
struct reply_info* rep = NULL;
|
|
|
|
|
struct ub_packed_rrset_key* ds, *dnskey;
|
|
|
|
|
int ret;
|
|
|
|
|
|
2007-10-18 16:31:43 -04:00
|
|
|
regional_free_all(region);
|
2007-08-16 05:33:35 -04:00
|
|
|
if(vsig) {
|
2013-12-03 04:11:16 -05:00
|
|
|
char* s = sldns_wire2str_pkt(e->reply_list->reply_pkt,
|
2013-10-31 11:09:26 -04:00
|
|
|
e->reply_list->reply_len);
|
|
|
|
|
printf("verifying DS-DNSKEY match:\n%s\n", s?s:"outofmemory");
|
|
|
|
|
free(s);
|
2007-08-16 05:33:35 -04:00
|
|
|
}
|
|
|
|
|
entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep);
|
|
|
|
|
ds = find_rrset_type(rep, LDNS_RR_TYPE_DS);
|
|
|
|
|
dnskey = find_rrset_type(rep, LDNS_RR_TYPE_DNSKEY);
|
|
|
|
|
/* check test is OK */
|
|
|
|
|
unit_assert(ds && dnskey);
|
|
|
|
|
|
|
|
|
|
ret = ds_digest_match_dnskey(env, dnskey, 0, ds, 0);
|
|
|
|
|
if(strncmp((char*)qinfo.qname, "\003yes", 4) == 0) {
|
|
|
|
|
if(vsig) {
|
|
|
|
|
printf("result(yes)= %s\n", ret?"yes":"no");
|
|
|
|
|
}
|
|
|
|
|
unit_assert(ret);
|
|
|
|
|
} else if (strncmp((char*)qinfo.qname, "\002no", 3) == 0) {
|
|
|
|
|
if(vsig) {
|
|
|
|
|
printf("result(no)= %s\n", ret?"yes":"no");
|
|
|
|
|
}
|
|
|
|
|
unit_assert(!ret);
|
2008-02-07 04:46:49 -05:00
|
|
|
verbose(VERB_QUERY, "DS fail: OK; matched unit test");
|
2007-08-16 05:33:35 -04:00
|
|
|
} else {
|
|
|
|
|
fatal_exit("Bad qname in DS unit test, yes or no");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
reply_info_parsedelete(rep, alloc);
|
|
|
|
|
query_info_clear(&qinfo);
|
|
|
|
|
}
|
|
|
|
|
|
2007-08-15 09:18:32 -04:00
|
|
|
/** verify from a file */
|
|
|
|
|
static void
|
|
|
|
|
verifytest_file(const char* fname, const char* at_date)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* The file contains a list of ldns-testpkts entries.
|
|
|
|
|
* The first entry must be a query for DNSKEY.
|
|
|
|
|
* The answer rrset is the keyset that will be used for verification
|
|
|
|
|
*/
|
|
|
|
|
struct ub_packed_rrset_key* dnskey;
|
2007-10-18 16:31:43 -04:00
|
|
|
struct regional* region = regional_create();
|
2007-08-15 09:18:32 -04:00
|
|
|
struct alloc_cache alloc;
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_buffer* buf = sldns_buffer_new(65535);
|
2007-08-15 09:18:32 -04:00
|
|
|
struct entry* e;
|
2012-11-07 03:49:53 -05:00
|
|
|
struct entry* list = read_datafile(fname, 1);
|
2007-08-15 09:18:32 -04:00
|
|
|
struct module_env env;
|
|
|
|
|
struct val_env ve;
|
2013-08-20 08:23:42 -04:00
|
|
|
time_t now = time(NULL);
|
2017-07-24 06:44:30 -04:00
|
|
|
unit_show_func("signature verify", fname);
|
2007-08-15 09:18:32 -04:00
|
|
|
|
|
|
|
|
if(!list)
|
|
|
|
|
fatal_exit("could not read %s: %s", fname, strerror(errno));
|
|
|
|
|
alloc_init(&alloc, NULL, 1);
|
|
|
|
|
memset(&env, 0, sizeof(env));
|
|
|
|
|
memset(&ve, 0, sizeof(ve));
|
|
|
|
|
env.scratch = region;
|
|
|
|
|
env.scratch_buffer = buf;
|
2008-02-19 08:12:23 -05:00
|
|
|
env.now = &now;
|
2007-08-15 09:18:32 -04:00
|
|
|
ve.date_override = cfg_convert_timeval(at_date);
|
|
|
|
|
unit_assert(region && buf);
|
|
|
|
|
dnskey = extract_keys(list, &alloc, region, buf);
|
2008-02-07 04:46:49 -05:00
|
|
|
if(vsig) log_nametypeclass(VERB_QUERY, "test dnskey",
|
2007-08-15 09:18:32 -04:00
|
|
|
dnskey->rk.dname, ntohs(dnskey->rk.type),
|
|
|
|
|
ntohs(dnskey->rk.rrset_class));
|
|
|
|
|
/* ready to go! */
|
|
|
|
|
for(e = list->next; e; e = e->next) {
|
|
|
|
|
verifytest_entry(e, &alloc, region, buf, dnskey, &env, &ve);
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-18 18:17:02 -04:00
|
|
|
ub_packed_rrset_parsedelete(dnskey, &alloc);
|
2007-08-15 09:18:32 -04:00
|
|
|
delete_entry(list);
|
2007-10-18 16:31:43 -04:00
|
|
|
regional_destroy(region);
|
2007-08-15 09:18:32 -04:00
|
|
|
alloc_clear(&alloc);
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_buffer_free(buf);
|
2007-08-15 09:18:32 -04:00
|
|
|
}
|
|
|
|
|
|
2007-08-16 05:33:35 -04:00
|
|
|
/** verify DS matches DNSKEY from a file */
|
|
|
|
|
static void
|
|
|
|
|
dstest_file(const char* fname)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* The file contains a list of ldns-testpkts entries.
|
|
|
|
|
* The first entry must be a query for DNSKEY.
|
|
|
|
|
* The answer rrset is the keyset that will be used for verification
|
|
|
|
|
*/
|
2007-10-18 16:31:43 -04:00
|
|
|
struct regional* region = regional_create();
|
2007-08-16 05:33:35 -04:00
|
|
|
struct alloc_cache alloc;
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_buffer* buf = sldns_buffer_new(65535);
|
2007-08-16 05:33:35 -04:00
|
|
|
struct entry* e;
|
2012-11-07 03:49:53 -05:00
|
|
|
struct entry* list = read_datafile(fname, 1);
|
2007-08-16 05:33:35 -04:00
|
|
|
struct module_env env;
|
2017-07-24 06:44:30 -04:00
|
|
|
unit_show_func("DS verify", fname);
|
2007-08-16 05:33:35 -04:00
|
|
|
|
|
|
|
|
if(!list)
|
|
|
|
|
fatal_exit("could not read %s: %s", fname, strerror(errno));
|
|
|
|
|
alloc_init(&alloc, NULL, 1);
|
|
|
|
|
memset(&env, 0, sizeof(env));
|
|
|
|
|
env.scratch = region;
|
|
|
|
|
env.scratch_buffer = buf;
|
|
|
|
|
unit_assert(region && buf);
|
|
|
|
|
|
|
|
|
|
/* ready to go! */
|
|
|
|
|
for(e = list; e; e = e->next) {
|
|
|
|
|
dstest_entry(e, &alloc, region, buf, &env);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete_entry(list);
|
2007-10-18 16:31:43 -04:00
|
|
|
regional_destroy(region);
|
2007-08-16 05:33:35 -04:00
|
|
|
alloc_clear(&alloc);
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_buffer_free(buf);
|
2007-08-16 05:33:35 -04:00
|
|
|
}
|
|
|
|
|
|
2007-09-13 11:02:33 -04:00
|
|
|
/** helper for unittest of NSEC routines */
|
|
|
|
|
static int
|
|
|
|
|
unitest_nsec_has_type_rdata(char* bitmap, size_t len, uint16_t type)
|
|
|
|
|
{
|
|
|
|
|
return nsecbitmap_has_type_rdata((uint8_t*)bitmap, len, type);
|
|
|
|
|
}
|
|
|
|
|
|
2007-08-17 07:41:49 -04:00
|
|
|
/** Test NSEC type bitmap routine */
|
|
|
|
|
static void
|
2010-07-07 09:13:36 -04:00
|
|
|
nsectest(void)
|
2007-08-17 07:41:49 -04:00
|
|
|
{
|
|
|
|
|
/* bitmap starts at type bitmap rdata field */
|
|
|
|
|
/* from rfc 4034 example */
|
|
|
|
|
char* bitmap = "\000\006\100\001\000\000\000\003"
|
|
|
|
|
"\004\033\000\000\000\000\000\000"
|
|
|
|
|
"\000\000\000\000\000\000\000\000"
|
|
|
|
|
"\000\000\000\000\000\000\000\000"
|
|
|
|
|
"\000\000\000\000\040";
|
|
|
|
|
size_t len = 37;
|
|
|
|
|
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 0));
|
|
|
|
|
unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_A));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 2));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 3));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 4));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 5));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 6));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 7));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 8));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 9));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 10));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 11));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 12));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 13));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 14));
|
|
|
|
|
unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_MX));
|
|
|
|
|
unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_RRSIG));
|
|
|
|
|
unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_NSEC));
|
|
|
|
|
unit_assert(unitest_nsec_has_type_rdata(bitmap, len, 1234));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1233));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1235));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1236));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1237));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1238));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1239));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1240));
|
|
|
|
|
unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 2230));
|
|
|
|
|
}
|
|
|
|
|
|
2007-09-17 05:25:54 -04:00
|
|
|
/** Test hash algo - NSEC3 hash it and compare result */
|
|
|
|
|
static void
|
2017-01-19 05:25:41 -05:00
|
|
|
nsec3_hash_test_entry(struct entry* e, rbtree_type* ct,
|
2007-10-18 16:31:43 -04:00
|
|
|
struct alloc_cache* alloc, struct regional* region,
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_buffer* buf)
|
2007-09-17 05:25:54 -04:00
|
|
|
{
|
|
|
|
|
struct query_info qinfo;
|
|
|
|
|
struct reply_info* rep = NULL;
|
2024-11-15 04:47:27 -05:00
|
|
|
struct ub_packed_rrset_key* answer, *nsec3, *nsec3_region;
|
2013-08-14 03:56:22 -04:00
|
|
|
struct nsec3_cached_hash* hash = NULL;
|
2007-09-17 05:25:54 -04:00
|
|
|
int ret;
|
|
|
|
|
uint8_t* qname;
|
|
|
|
|
|
|
|
|
|
if(vsig) {
|
2013-12-03 04:11:16 -05:00
|
|
|
char* s = sldns_wire2str_pkt(e->reply_list->reply_pkt,
|
2013-10-31 11:09:26 -04:00
|
|
|
e->reply_list->reply_len);
|
|
|
|
|
printf("verifying NSEC3 hash:\n%s\n", s?s:"outofmemory");
|
|
|
|
|
free(s);
|
2007-09-17 05:25:54 -04:00
|
|
|
}
|
|
|
|
|
entry_to_repinfo(e, alloc, region, buf, &qinfo, &rep);
|
|
|
|
|
nsec3 = find_rrset_type(rep, LDNS_RR_TYPE_NSEC3);
|
|
|
|
|
answer = find_rrset_type(rep, LDNS_RR_TYPE_AAAA);
|
2007-10-18 16:31:43 -04:00
|
|
|
qname = regional_alloc_init(region, qinfo.qname, qinfo.qname_len);
|
2007-09-17 05:25:54 -04:00
|
|
|
/* check test is OK */
|
|
|
|
|
unit_assert(nsec3 && answer && qname);
|
|
|
|
|
|
2024-11-15 04:47:27 -05:00
|
|
|
/* Copy the nsec3 to the region, so it can stay referenced by the
|
|
|
|
|
* ct tree entry. The region is freed when the file is done. */
|
|
|
|
|
nsec3_region = packed_rrset_copy_region(nsec3, region, 0);
|
|
|
|
|
|
|
|
|
|
ret = nsec3_hash_name(ct, region, buf, nsec3_region, 0, qname,
|
2007-09-17 05:25:54 -04:00
|
|
|
qinfo.qname_len, &hash);
|
2024-02-13 07:02:43 -05:00
|
|
|
if(ret < 1) {
|
2007-09-17 05:25:54 -04:00
|
|
|
printf("Bad nsec3_hash_name retcode %d\n", ret);
|
2024-02-13 07:02:43 -05:00
|
|
|
unit_assert(ret == 1 || ret == 2);
|
2007-09-17 05:25:54 -04:00
|
|
|
}
|
|
|
|
|
unit_assert(hash->dname && hash->hash && hash->hash_len &&
|
|
|
|
|
hash->b32 && hash->b32_len);
|
|
|
|
|
unit_assert(hash->b32_len == (size_t)answer->rk.dname[0]);
|
|
|
|
|
/* does not do lowercasing. */
|
|
|
|
|
unit_assert(memcmp(hash->b32, answer->rk.dname+1, hash->b32_len)
|
|
|
|
|
== 0);
|
|
|
|
|
|
|
|
|
|
reply_info_parsedelete(rep, alloc);
|
|
|
|
|
query_info_clear(&qinfo);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/** Read file to test NSEC3 hash algo */
|
|
|
|
|
static void
|
|
|
|
|
nsec3_hash_test(const char* fname)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* The list contains a list of ldns-testpkts entries.
|
|
|
|
|
* Every entry is a test.
|
|
|
|
|
* The qname is hashed.
|
|
|
|
|
* The answer section AAAA RR name is the required result.
|
|
|
|
|
* The auth section NSEC3 is used to get hash parameters.
|
|
|
|
|
* The hash cache is maintained per file.
|
|
|
|
|
*
|
|
|
|
|
* The test does not perform canonicalization during the compare.
|
|
|
|
|
*/
|
2017-01-19 05:25:41 -05:00
|
|
|
rbtree_type ct;
|
2007-10-18 16:31:43 -04:00
|
|
|
struct regional* region = regional_create();
|
2007-09-17 05:25:54 -04:00
|
|
|
struct alloc_cache alloc;
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_buffer* buf = sldns_buffer_new(65535);
|
2007-09-17 05:25:54 -04:00
|
|
|
struct entry* e;
|
2012-11-07 03:49:53 -05:00
|
|
|
struct entry* list = read_datafile(fname, 1);
|
2017-07-24 06:44:30 -04:00
|
|
|
unit_show_func("NSEC3 hash", fname);
|
2007-09-17 05:25:54 -04:00
|
|
|
|
|
|
|
|
if(!list)
|
|
|
|
|
fatal_exit("could not read %s: %s", fname, strerror(errno));
|
|
|
|
|
rbtree_init(&ct, &nsec3_hash_cmp);
|
|
|
|
|
alloc_init(&alloc, NULL, 1);
|
|
|
|
|
unit_assert(region && buf);
|
|
|
|
|
|
|
|
|
|
/* ready to go! */
|
|
|
|
|
for(e = list; e; e = e->next) {
|
|
|
|
|
nsec3_hash_test_entry(e, &ct, &alloc, region, buf);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete_entry(list);
|
2007-10-18 16:31:43 -04:00
|
|
|
regional_destroy(region);
|
2007-09-17 05:25:54 -04:00
|
|
|
alloc_clear(&alloc);
|
2013-12-03 04:11:16 -05:00
|
|
|
sldns_buffer_free(buf);
|
2007-09-17 05:25:54 -04:00
|
|
|
}
|
|
|
|
|
|
2018-07-31 03:15:12 -04:00
|
|
|
#define xstr(s) str(s)
|
|
|
|
|
#define str(s) #s
|
|
|
|
|
|
|
|
|
|
#define SRCDIRSTR xstr(SRCDIR)
|
|
|
|
|
|
2025-04-25 05:12:28 -04:00
|
|
|
#if defined(HAVE_SSL) && defined(USE_SHA1)
|
|
|
|
|
/* Detect if openssl is configured to disable RSASHA1 signatures,
|
|
|
|
|
* with the rh-allow-sha1-signatures disabled. */
|
|
|
|
|
static int
|
|
|
|
|
rh_allow_sha1_signatures_disabled(void)
|
|
|
|
|
{
|
|
|
|
|
EVP_MD_CTX* ctx;
|
|
|
|
|
EVP_PKEY* evp_key;
|
|
|
|
|
/* This key is rdata from nlnetlabs.nl DNSKEY from 20250424005001,
|
|
|
|
|
* with id=50602 (ksk), size=2048b.
|
|
|
|
|
* A 2048 bit key is taken to avoid key too small errors. */
|
|
|
|
|
unsigned char key[] = {
|
|
|
|
|
0x03, 0x01, 0x00, 0x01, 0xBC, 0x0B, 0xE8, 0xBB,
|
|
|
|
|
0x97, 0x4C, 0xB5, 0xED, 0x6F, 0x6D, 0xC2, 0xB1,
|
|
|
|
|
0x78, 0x69, 0x93, 0x1C, 0x72, 0x19, 0xB1, 0x05,
|
|
|
|
|
0x51, 0x13, 0xA1, 0xFC, 0xBF, 0x01, 0x58, 0x0D,
|
|
|
|
|
0x44, 0x10, 0x5F, 0x0B, 0x75, 0x0E, 0x11, 0x9A,
|
|
|
|
|
0xC8, 0xF8, 0x0F, 0x90, 0xFC, 0xB8, 0x09, 0xD1,
|
|
|
|
|
0x14, 0x39, 0x0D, 0x84, 0xCE, 0x97, 0x88, 0x82,
|
|
|
|
|
0x3D, 0xC5, 0xCB, 0x1A, 0xBF, 0x00, 0x46, 0x37,
|
|
|
|
|
0x01, 0xF1, 0xCD, 0x46, 0xA2, 0x8F, 0x83, 0x19,
|
|
|
|
|
0x42, 0xED, 0x6F, 0xAF, 0x37, 0x1F, 0x18, 0x82,
|
|
|
|
|
0x4B, 0x70, 0x2D, 0x50, 0xA5, 0xA6, 0x66, 0x48,
|
|
|
|
|
0x7F, 0x56, 0xA8, 0x86, 0x05, 0x41, 0xC8, 0xBE,
|
|
|
|
|
0x4F, 0x8B, 0x38, 0x51, 0xF0, 0xEB, 0xAD, 0x2F,
|
|
|
|
|
0x7A, 0xC0, 0xEF, 0xC7, 0xD2, 0x72, 0x6F, 0x16,
|
|
|
|
|
0x66, 0xAF, 0x59, 0x55, 0xFF, 0xEE, 0x9D, 0x50,
|
|
|
|
|
0xE9, 0xDB, 0xF4, 0x02, 0xBC, 0x33, 0x5C, 0xC5,
|
|
|
|
|
0xDA, 0x1C, 0x6A, 0xD1, 0x55, 0xD1, 0x20, 0x2B,
|
|
|
|
|
0x63, 0x03, 0x4B, 0x77, 0x45, 0x46, 0x78, 0x31,
|
|
|
|
|
0xE4, 0x90, 0xB9, 0x7F, 0x00, 0xFB, 0x62, 0x7C,
|
|
|
|
|
0x07, 0xD3, 0xC1, 0x00, 0xA0, 0x54, 0x63, 0x74,
|
|
|
|
|
0x0A, 0x17, 0x7B, 0xE7, 0xAD, 0x38, 0x07, 0x86,
|
|
|
|
|
0x68, 0xE4, 0xFD, 0x20, 0x68, 0xD5, 0x33, 0x92,
|
|
|
|
|
0xCA, 0x90, 0xDD, 0xA4, 0xE9, 0xF2, 0x11, 0xBD,
|
|
|
|
|
0x9D, 0xA5, 0xF5, 0xEB, 0xB9, 0xFE, 0x8F, 0xA1,
|
|
|
|
|
0xE4, 0xBF, 0xA4, 0xA4, 0x34, 0x5C, 0x6A, 0x95,
|
|
|
|
|
0xB6, 0x42, 0x22, 0xF6, 0xD6, 0x10, 0x9C, 0x9B,
|
|
|
|
|
0x0A, 0x56, 0xE7, 0x42, 0xE5, 0x7F, 0x1F, 0x4E,
|
|
|
|
|
0xBE, 0x4F, 0x8C, 0xED, 0x30, 0x63, 0xA7, 0x88,
|
|
|
|
|
0x93, 0xED, 0x37, 0x3C, 0x80, 0xBC, 0xD1, 0x66,
|
|
|
|
|
0xBD, 0xB8, 0x2E, 0x65, 0xC4, 0xC8, 0x00, 0x5B,
|
|
|
|
|
0xE7, 0x85, 0x96, 0xDD, 0xAA, 0x05, 0xE6, 0x4F,
|
|
|
|
|
0x03, 0x64, 0xFA, 0x2D, 0xF6, 0x88, 0x14, 0x8F,
|
|
|
|
|
0x15, 0x4D, 0xFD, 0xD3
|
|
|
|
|
};
|
|
|
|
|
size_t keylen = 260;
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_EVP_MD_CTX_NEW
|
|
|
|
|
ctx = EVP_MD_CTX_new();
|
|
|
|
|
#else
|
|
|
|
|
ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
|
|
|
|
|
if(ctx) EVP_MD_CTX_init(ctx);
|
|
|
|
|
#endif
|
|
|
|
|
if(!ctx) return 0;
|
|
|
|
|
|
|
|
|
|
evp_key = sldns_key_rsa2pkey_raw(key, keylen);
|
|
|
|
|
if(!evp_key) {
|
|
|
|
|
#ifdef HAVE_EVP_MD_CTX_NEW
|
|
|
|
|
EVP_MD_CTX_destroy(ctx);
|
|
|
|
|
#else
|
|
|
|
|
EVP_MD_CTX_cleanup(ctx);
|
|
|
|
|
free(ctx);
|
|
|
|
|
#endif
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifndef HAVE_EVP_DIGESTVERIFY
|
|
|
|
|
(void)evp_key; /* not used */
|
|
|
|
|
if(EVP_DigestInit(ctx, EVP_sha1()) == 0)
|
|
|
|
|
#else
|
|
|
|
|
if(EVP_DigestVerifyInit(ctx, NULL, EVP_sha1(), NULL, evp_key) == 0)
|
|
|
|
|
#endif
|
|
|
|
|
{
|
|
|
|
|
unsigned long e = ERR_get_error();
|
|
|
|
|
#ifdef EVP_R_INVALID_DIGEST
|
|
|
|
|
if (ERR_GET_LIB(e) == ERR_LIB_EVP &&
|
|
|
|
|
ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) {
|
|
|
|
|
/* rh-allow-sha1-signatures makes use of sha1 invalid. */
|
|
|
|
|
if(vsig)
|
|
|
|
|
printf("Detected that rh-allow-sha1-signatures is off, and disables SHA1 signatures\n");
|
|
|
|
|
#ifdef HAVE_EVP_MD_CTX_NEW
|
|
|
|
|
EVP_MD_CTX_destroy(ctx);
|
|
|
|
|
#else
|
|
|
|
|
EVP_MD_CTX_cleanup(ctx);
|
|
|
|
|
free(ctx);
|
|
|
|
|
#endif
|
|
|
|
|
EVP_PKEY_free(evp_key);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
#endif /* EVP_R_INVALID_DIGEST */
|
|
|
|
|
/* The signature verify failed for another reason. */
|
|
|
|
|
log_crypto_err_code("EVP_DigestVerifyInit", e);
|
|
|
|
|
#ifdef HAVE_EVP_MD_CTX_NEW
|
|
|
|
|
EVP_MD_CTX_destroy(ctx);
|
|
|
|
|
#else
|
|
|
|
|
EVP_MD_CTX_cleanup(ctx);
|
|
|
|
|
free(ctx);
|
|
|
|
|
#endif
|
|
|
|
|
EVP_PKEY_free(evp_key);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
#ifdef HAVE_EVP_MD_CTX_NEW
|
|
|
|
|
EVP_MD_CTX_destroy(ctx);
|
|
|
|
|
#else
|
|
|
|
|
EVP_MD_CTX_cleanup(ctx);
|
|
|
|
|
free(ctx);
|
|
|
|
|
#endif
|
|
|
|
|
EVP_PKEY_free(evp_key);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
#endif /* HAVE_SSL && USE_SHA1 */
|
|
|
|
|
|
2007-08-15 09:18:32 -04:00
|
|
|
void
|
2010-07-07 09:13:36 -04:00
|
|
|
verify_test(void)
|
2007-08-15 09:18:32 -04:00
|
|
|
{
|
2025-10-10 03:17:08 -04:00
|
|
|
int do_sha1 = 1;
|
2010-01-06 05:55:14 -05:00
|
|
|
unit_show_feature("signature verify");
|
2025-04-25 05:12:28 -04:00
|
|
|
|
|
|
|
|
#if defined(HAVE_SSL) && defined(USE_SHA1)
|
|
|
|
|
if(rh_allow_sha1_signatures_disabled()) {
|
|
|
|
|
/* Allow the use of SHA1 signatures for the test,
|
|
|
|
|
* in case that OpenSSL disallows use of RSASHA1
|
|
|
|
|
* with rh-allow-sha1-signatures disabled. */
|
2025-08-22 04:04:57 -04:00
|
|
|
#ifndef UB_ON_WINDOWS
|
2025-04-25 05:12:28 -04:00
|
|
|
setenv("OPENSSL_ENABLE_SHA1_SIGNATURES", "1", 0);
|
2025-08-22 04:04:57 -04:00
|
|
|
#else
|
|
|
|
|
_putenv("OPENSSL_ENABLE_SHA1_SIGNATURES=1");
|
|
|
|
|
#endif
|
2025-10-10 03:17:08 -04:00
|
|
|
do_sha1 = 1;
|
2025-04-25 05:12:28 -04:00
|
|
|
}
|
2025-10-10 03:17:08 -04:00
|
|
|
#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
|
|
|
|
|
if (EVP_default_properties_is_fips_enabled(NULL))
|
|
|
|
|
do_sha1 = 0;
|
2025-04-25 05:12:28 -04:00
|
|
|
#endif
|
2025-10-10 03:17:08 -04:00
|
|
|
#endif /* HAVE_SSL and USE_SHA1 */
|
2025-04-25 05:12:28 -04:00
|
|
|
|
2017-03-09 08:18:08 -05:00
|
|
|
#ifdef USE_SHA1
|
2025-10-10 03:17:08 -04:00
|
|
|
if(do_sha1) {
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004");
|
|
|
|
|
}
|
2017-03-09 08:18:08 -05:00
|
|
|
#endif
|
|
|
|
|
#if defined(USE_DSA) && defined(USE_SHA1)
|
2025-10-10 03:17:08 -04:00
|
|
|
if(do_sha1) {
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_signatures.2", "20080414005004");
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_signatures.3", "20080416005004");
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_signatures.4", "20080416005004");
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_signatures.5", "20080416005004");
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_signatures.6", "20080416005004");
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_signatures.7", "20070829144150");
|
|
|
|
|
}
|
2016-03-23 04:19:49 -04:00
|
|
|
#endif /* USE_DSA */
|
2017-03-09 08:18:08 -05:00
|
|
|
#ifdef USE_SHA1
|
2025-10-10 03:17:08 -04:00
|
|
|
if(do_sha1) {
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_signatures.8", "20070829144150");
|
|
|
|
|
}
|
2017-03-09 08:18:08 -05:00
|
|
|
#endif
|
2015-11-17 04:43:07 -05:00
|
|
|
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
|
2018-07-31 03:15:12 -04:00
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256", "20070829144150");
|
2017-03-09 08:18:08 -05:00
|
|
|
# ifdef USE_SHA1
|
2025-10-10 03:17:08 -04:00
|
|
|
if(do_sha1) {
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.sha1_and_256", "20070829144150");
|
|
|
|
|
}
|
2017-03-09 08:18:08 -05:00
|
|
|
# endif
|
2018-07-31 03:15:12 -04:00
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256_draft", "20090101000000");
|
2008-09-30 09:06:07 -04:00
|
|
|
#endif
|
2015-11-17 04:43:07 -05:00
|
|
|
#if (defined(HAVE_EVP_SHA512) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
|
2018-07-31 03:15:12 -04:00
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha512_draft", "20070829144150");
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_signatures.9", "20171215000000");
|
2008-09-30 09:06:07 -04:00
|
|
|
#endif
|
2017-03-09 08:18:08 -05:00
|
|
|
#ifdef USE_SHA1
|
2025-10-10 03:17:08 -04:00
|
|
|
if(do_sha1) {
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.hinfo", "20090107100022");
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.revoked", "20080414005004");
|
|
|
|
|
}
|
2017-03-09 08:18:08 -05:00
|
|
|
#endif
|
2009-08-07 11:23:35 -04:00
|
|
|
#ifdef USE_GOST
|
2013-12-03 04:11:16 -05:00
|
|
|
if(sldns_key_EVP_load_gost_id())
|
2018-07-31 03:15:12 -04:00
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.gost", "20090807060504");
|
2009-08-07 11:29:25 -04:00
|
|
|
else printf("Warning: skipped GOST, openssl does not provide gost.\n");
|
2012-02-08 08:22:44 -05:00
|
|
|
#endif
|
|
|
|
|
#ifdef USE_ECDSA
|
2012-06-22 11:20:56 -04:00
|
|
|
/* test for support in case we use libNSS and ECC is removed */
|
|
|
|
|
if(dnskey_algo_id_is_supported(LDNS_ECDSAP256SHA256)) {
|
2018-07-31 03:15:12 -04:00
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.ecdsa_p256", "20100908100439");
|
|
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.ecdsa_p384", "20100908100439");
|
2012-06-22 11:20:56 -04:00
|
|
|
}
|
2018-07-31 03:15:12 -04:00
|
|
|
dstest_file(SRCDIRSTR "/testdata/test_ds.sha384");
|
2009-08-06 09:38:55 -04:00
|
|
|
#endif
|
2017-05-30 08:28:25 -04:00
|
|
|
#ifdef USE_ED25519
|
|
|
|
|
if(dnskey_algo_id_is_supported(LDNS_ED25519)) {
|
2018-07-31 03:15:12 -04:00
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.ed25519", "20170530140439");
|
2017-05-30 08:28:25 -04:00
|
|
|
}
|
|
|
|
|
#endif
|
2018-04-05 10:44:17 -04:00
|
|
|
#ifdef USE_ED448
|
|
|
|
|
if(dnskey_algo_id_is_supported(LDNS_ED448)) {
|
2018-07-31 03:15:12 -04:00
|
|
|
verifytest_file(SRCDIRSTR "/testdata/test_sigs.ed448", "20180408143630");
|
2018-04-05 10:44:17 -04:00
|
|
|
}
|
|
|
|
|
#endif
|
2017-03-09 08:18:08 -05:00
|
|
|
#ifdef USE_SHA1
|
2025-10-10 03:17:08 -04:00
|
|
|
if(do_sha1) {
|
|
|
|
|
dstest_file(SRCDIRSTR "/testdata/test_ds.sha1");
|
|
|
|
|
}
|
2017-03-09 08:18:08 -05:00
|
|
|
#endif
|
2007-08-17 07:41:49 -04:00
|
|
|
nsectest();
|
2018-07-31 03:15:12 -04:00
|
|
|
nsec3_hash_test(SRCDIRSTR "/testdata/test_nsec3_hash.1");
|
2007-08-15 09:18:32 -04:00
|
|
|
}
|
