]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/test-dnssec.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
build-sys: use #if Y instead of #ifdef Y everywhere
[thirdparty/systemd.git] / src / resolve / test-dnssec.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2015 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <arpa/inet.h>
21 #include <netinet/in.h>
22 #include <sys/socket.h>
23
24 #include "alloc-util.h"
25 #include "resolved-dns-dnssec.h"
26 #include "resolved-dns-rr.h"
27 #include "string-util.h"
28 #include "hexdecoct.h"
29
30 static void test_dnssec_canonicalize_one(const char *original, const char *canonical, int r) {
31 char canonicalized[DNSSEC_CANONICAL_HOSTNAME_MAX];
32
33 assert_se(dnssec_canonicalize(original, canonicalized, sizeof(canonicalized)) == r);
34 if (r < 0)
35 return;
36
37 assert_se(streq(canonicalized, canonical));
38 }
39
40 static void test_dnssec_canonicalize(void) {
41 test_dnssec_canonicalize_one("", ".", 1);
42 test_dnssec_canonicalize_one(".", ".", 1);
43 test_dnssec_canonicalize_one("foo", "foo.", 4);
44 test_dnssec_canonicalize_one("foo.", "foo.", 4);
45 test_dnssec_canonicalize_one("FOO.", "foo.", 4);
46 test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
47 test_dnssec_canonicalize_one("FOO..bar.", NULL, -EINVAL);
48 }
49
50 #if HAVE_GCRYPT
51
52 static void test_dnssec_verify_dns_key(void) {
53
54 static const uint8_t ds1_fprint[] = {
55 0x46, 0x8B, 0xC8, 0xDD, 0xC7, 0xE8, 0x27, 0x03, 0x40, 0xBB, 0x8A, 0x1F, 0x3B, 0x2E, 0x45, 0x9D,
56 0x80, 0x67, 0x14, 0x01,
57 };
58 static const uint8_t ds2_fprint[] = {
59 0x8A, 0xEE, 0x80, 0x47, 0x05, 0x5F, 0x83, 0xD1, 0x48, 0xBA, 0x8F, 0xF6, 0xDD, 0xA7, 0x60, 0xCE,
60 0x94, 0xF7, 0xC7, 0x5E, 0x52, 0x4C, 0xF2, 0xE9, 0x50, 0xB9, 0x2E, 0xCB, 0xEF, 0x96, 0xB9, 0x98,
61 };
62 static const uint8_t dnskey_blob[] = {
63 0x03, 0x01, 0x00, 0x01, 0xa8, 0x12, 0xda, 0x4f, 0xd2, 0x7d, 0x54, 0x14, 0x0e, 0xcc, 0x5b, 0x5e,
64 0x45, 0x9c, 0x96, 0x98, 0xc0, 0xc0, 0x85, 0x81, 0xb1, 0x47, 0x8c, 0x7d, 0xe8, 0x39, 0x50, 0xcc,
65 0xc5, 0xd0, 0xf2, 0x00, 0x81, 0x67, 0x79, 0xf6, 0xcc, 0x9d, 0xad, 0x6c, 0xbb, 0x7b, 0x6f, 0x48,
66 0x97, 0x15, 0x1c, 0xfd, 0x0b, 0xfe, 0xd3, 0xd7, 0x7d, 0x9f, 0x81, 0x26, 0xd3, 0xc5, 0x65, 0x49,
67 0xcf, 0x46, 0x62, 0xb0, 0x55, 0x6e, 0x47, 0xc7, 0x30, 0xef, 0x51, 0xfb, 0x3e, 0xc6, 0xef, 0xde,
68 0x27, 0x3f, 0xfa, 0x57, 0x2d, 0xa7, 0x1d, 0x80, 0x46, 0x9a, 0x5f, 0x14, 0xb3, 0xb0, 0x2c, 0xbe,
69 0x72, 0xca, 0xdf, 0xb2, 0xff, 0x36, 0x5b, 0x4f, 0xec, 0x58, 0x8e, 0x8d, 0x01, 0xe9, 0xa9, 0xdf,
70 0xb5, 0x60, 0xad, 0x52, 0x4d, 0xfc, 0xa9, 0x3e, 0x8d, 0x35, 0x95, 0xb3, 0x4e, 0x0f, 0xca, 0x45,
71 0x1b, 0xf7, 0xef, 0x3a, 0x88, 0x25, 0x08, 0xc7, 0x4e, 0x06, 0xc1, 0x62, 0x1a, 0xce, 0xd8, 0x77,
72 0xbd, 0x02, 0x65, 0xf8, 0x49, 0xfb, 0xce, 0xf6, 0xa8, 0x09, 0xfc, 0xde, 0xb2, 0x09, 0x9d, 0x39,
73 0xf8, 0x63, 0x9c, 0x32, 0x42, 0x7c, 0xa0, 0x30, 0x86, 0x72, 0x7a, 0x4a, 0xc6, 0xd4, 0xb3, 0x2d,
74 0x24, 0xef, 0x96, 0x3f, 0xc2, 0xda, 0xd3, 0xf2, 0x15, 0x6f, 0xda, 0x65, 0x4b, 0x81, 0x28, 0x68,
75 0xf4, 0xfe, 0x3e, 0x71, 0x4f, 0x50, 0x96, 0x72, 0x58, 0xa1, 0x89, 0xdd, 0x01, 0x61, 0x39, 0x39,
76 0xc6, 0x76, 0xa4, 0xda, 0x02, 0x70, 0x3d, 0xc0, 0xdc, 0x8d, 0x70, 0x72, 0x04, 0x90, 0x79, 0xd4,
77 0xec, 0x65, 0xcf, 0x49, 0x35, 0x25, 0x3a, 0x14, 0x1a, 0x45, 0x20, 0xeb, 0x31, 0xaf, 0x92, 0xba,
78 0x20, 0xd3, 0xcd, 0xa7, 0x13, 0x44, 0xdc, 0xcf, 0xf0, 0x27, 0x34, 0xb9, 0xe7, 0x24, 0x6f, 0x73,
79 0xe7, 0xea, 0x77, 0x03,
80 };
81
82 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *dnskey = NULL, *ds1 = NULL, *ds2 = NULL;
83
84 /* The two DS RRs in effect for nasa.gov on 2015-12-01. */
85 ds1 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "nasa.gov");
86 assert_se(ds1);
87
88 ds1->ds.key_tag = 47857;
89 ds1->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
90 ds1->ds.digest_type = DNSSEC_DIGEST_SHA1;
91 ds1->ds.digest_size = sizeof(ds1_fprint);
92 ds1->ds.digest = memdup(ds1_fprint, ds1->ds.digest_size);
93 assert_se(ds1->ds.digest);
94
95 log_info("DS1: %s", strna(dns_resource_record_to_string(ds1)));
96
97 ds2 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "NASA.GOV");
98 assert_se(ds2);
99
100 ds2->ds.key_tag = 47857;
101 ds2->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
102 ds2->ds.digest_type = DNSSEC_DIGEST_SHA256;
103 ds2->ds.digest_size = sizeof(ds2_fprint);
104 ds2->ds.digest = memdup(ds2_fprint, ds2->ds.digest_size);
105 assert_se(ds2->ds.digest);
106
107 log_info("DS2: %s", strna(dns_resource_record_to_string(ds2)));
108
109 dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nasa.GOV");
110 assert_se(dnskey);
111
112 dnskey->dnskey.flags = 257;
113 dnskey->dnskey.protocol = 3;
114 dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
115 dnskey->dnskey.key_size = sizeof(dnskey_blob);
116 dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
117 assert_se(dnskey->dnskey.key);
118
119 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
120 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
121
122 assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds1, false) > 0);
123 assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds2, false) > 0);
124 }
125
126 static void test_dnssec_verify_rrset(void) {
127
128 static const uint8_t signature_blob[] = {
129 0x7f, 0x79, 0xdd, 0x5e, 0x89, 0x79, 0x18, 0xd0, 0x34, 0x86, 0x8c, 0x72, 0x77, 0x75, 0x48, 0x4d,
130 0xc3, 0x7d, 0x38, 0x04, 0xab, 0xcd, 0x9e, 0x4c, 0x82, 0xb0, 0x92, 0xca, 0xe9, 0x66, 0xe9, 0x6e,
131 0x47, 0xc7, 0x68, 0x8c, 0x94, 0xf6, 0x69, 0xcb, 0x75, 0x94, 0xe6, 0x30, 0xa6, 0xfb, 0x68, 0x64,
132 0x96, 0x1a, 0x84, 0xe1, 0xdc, 0x16, 0x4c, 0x83, 0x6c, 0x44, 0xf2, 0x74, 0x4d, 0x74, 0x79, 0x8f,
133 0xf3, 0xf4, 0x63, 0x0d, 0xef, 0x5a, 0xe7, 0xe2, 0xfd, 0xf2, 0x2b, 0x38, 0x7c, 0x28, 0x96, 0x9d,
134 0xb6, 0xcd, 0x5c, 0x3b, 0x57, 0xe2, 0x24, 0x78, 0x65, 0xd0, 0x9e, 0x77, 0x83, 0x09, 0x6c, 0xff,
135 0x3d, 0x52, 0x3f, 0x6e, 0xd1, 0xed, 0x2e, 0xf9, 0xee, 0x8e, 0xa6, 0xbe, 0x9a, 0xa8, 0x87, 0x76,
136 0xd8, 0x77, 0xcc, 0x96, 0xa0, 0x98, 0xa1, 0xd1, 0x68, 0x09, 0x43, 0xcf, 0x56, 0xd9, 0xd1, 0x66,
137 };
138
139 static const uint8_t dnskey_blob[] = {
140 0x03, 0x01, 0x00, 0x01, 0x9b, 0x49, 0x9b, 0xc1, 0xf9, 0x9a, 0xe0, 0x4e, 0xcf, 0xcb, 0x14, 0x45,
141 0x2e, 0xc9, 0xf9, 0x74, 0xa7, 0x18, 0xb5, 0xf3, 0xde, 0x39, 0x49, 0xdf, 0x63, 0x33, 0x97, 0x52,
142 0xe0, 0x8e, 0xac, 0x50, 0x30, 0x8e, 0x09, 0xd5, 0x24, 0x3d, 0x26, 0xa4, 0x49, 0x37, 0x2b, 0xb0,
143 0x6b, 0x1b, 0xdf, 0xde, 0x85, 0x83, 0xcb, 0x22, 0x4e, 0x60, 0x0a, 0x91, 0x1a, 0x1f, 0xc5, 0x40,
144 0xb1, 0xc3, 0x15, 0xc1, 0x54, 0x77, 0x86, 0x65, 0x53, 0xec, 0x10, 0x90, 0x0c, 0x91, 0x00, 0x5e,
145 0x15, 0xdc, 0x08, 0x02, 0x4c, 0x8c, 0x0d, 0xc0, 0xac, 0x6e, 0xc4, 0x3e, 0x1b, 0x80, 0x19, 0xe4,
146 0xf7, 0x5f, 0x77, 0x51, 0x06, 0x87, 0x61, 0xde, 0xa2, 0x18, 0x0f, 0x40, 0x8b, 0x79, 0x72, 0xfa,
147 0x8d, 0x1a, 0x44, 0x47, 0x0d, 0x8e, 0x3a, 0x2d, 0xc7, 0x39, 0xbf, 0x56, 0x28, 0x97, 0xd9, 0x20,
148 0x4f, 0x00, 0x51, 0x3b,
149 };
150
151 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *a = NULL, *rrsig = NULL, *dnskey = NULL;
152 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
153 DnssecResult result;
154
155 a = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, "nAsA.gov");
156 assert_se(a);
157
158 a->a.in_addr.s_addr = inet_addr("52.0.14.116");
159
160 log_info("A: %s", strna(dns_resource_record_to_string(a)));
161
162 rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
163 assert_se(rrsig);
164
165 rrsig->rrsig.type_covered = DNS_TYPE_A;
166 rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
167 rrsig->rrsig.labels = 2;
168 rrsig->rrsig.original_ttl = 600;
169 rrsig->rrsig.expiration = 0x5683135c;
170 rrsig->rrsig.inception = 0x565b7da8;
171 rrsig->rrsig.key_tag = 63876;
172 rrsig->rrsig.signer = strdup("Nasa.Gov.");
173 assert_se(rrsig->rrsig.signer);
174 rrsig->rrsig.signature_size = sizeof(signature_blob);
175 rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
176 assert_se(rrsig->rrsig.signature);
177
178 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
179
180 dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
181 assert_se(dnskey);
182
183 dnskey->dnskey.flags = 256;
184 dnskey->dnskey.protocol = 3;
185 dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
186 dnskey->dnskey.key_size = sizeof(dnskey_blob);
187 dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
188 assert_se(dnskey->dnskey.key);
189
190 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
191 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
192
193 assert_se(dnssec_key_match_rrsig(a->key, rrsig) > 0);
194 assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
195
196 answer = dns_answer_new(1);
197 assert_se(answer);
198 assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
199
200 /* Validate the RR as it if was 2015-12-2 today */
201 assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC, &result) >= 0);
202 assert_se(result == DNSSEC_VALIDATED);
203 }
204
205 static void test_dnssec_verify_rrset2(void) {
206
207 static const uint8_t signature_blob[] = {
208 0x48, 0x45, 0xc8, 0x8b, 0xc0, 0x14, 0x92, 0xf5, 0x15, 0xc6, 0x84, 0x9d, 0x2f, 0xe3, 0x32, 0x11,
209 0x7d, 0xf1, 0xe6, 0x87, 0xb9, 0x42, 0xd3, 0x8b, 0x9e, 0xaf, 0x92, 0x31, 0x0a, 0x53, 0xad, 0x8b,
210 0xa7, 0x5c, 0x83, 0x39, 0x8c, 0x28, 0xac, 0xce, 0x6e, 0x9c, 0x18, 0xe3, 0x31, 0x16, 0x6e, 0xca,
211 0x38, 0x31, 0xaf, 0xd9, 0x94, 0xf1, 0x84, 0xb1, 0xdf, 0x5a, 0xc2, 0x73, 0x22, 0xf6, 0xcb, 0xa2,
212 0xe7, 0x8c, 0x77, 0x0c, 0x74, 0x2f, 0xc2, 0x13, 0xb0, 0x93, 0x51, 0xa9, 0x4f, 0xae, 0x0a, 0xda,
213 0x45, 0xcc, 0xfd, 0x43, 0x99, 0x36, 0x9a, 0x0d, 0x21, 0xe0, 0xeb, 0x30, 0x65, 0xd4, 0xa0, 0x27,
214 0x37, 0x3b, 0xe4, 0xc1, 0xc5, 0xa1, 0x2a, 0xd1, 0x76, 0xc4, 0x7e, 0x64, 0x0e, 0x5a, 0xa6, 0x50,
215 0x24, 0xd5, 0x2c, 0xcc, 0x6d, 0xe5, 0x37, 0xea, 0xbd, 0x09, 0x34, 0xed, 0x24, 0x06, 0xa1, 0x22,
216 };
217
218 static const uint8_t dnskey_blob[] = {
219 0x03, 0x01, 0x00, 0x01, 0xc3, 0x7f, 0x1d, 0xd1, 0x1c, 0x97, 0xb1, 0x13, 0x34, 0x3a, 0x9a, 0xea,
220 0xee, 0xd9, 0x5a, 0x11, 0x1b, 0x17, 0xc7, 0xe3, 0xd4, 0xda, 0x20, 0xbc, 0x5d, 0xba, 0x74, 0xe3,
221 0x37, 0x99, 0xec, 0x25, 0xce, 0x93, 0x7f, 0xbd, 0x22, 0x73, 0x7e, 0x14, 0x71, 0xe0, 0x60, 0x07,
222 0xd4, 0x39, 0x8b, 0x5e, 0xe9, 0xba, 0x25, 0xe8, 0x49, 0xe9, 0x34, 0xef, 0xfe, 0x04, 0x5c, 0xa5,
223 0x27, 0xcd, 0xa9, 0xda, 0x70, 0x05, 0x21, 0xab, 0x15, 0x82, 0x24, 0xc3, 0x94, 0xf5, 0xd7, 0xb7,
224 0xc4, 0x66, 0xcb, 0x32, 0x6e, 0x60, 0x2b, 0x55, 0x59, 0x28, 0x89, 0x8a, 0x72, 0xde, 0x88, 0x56,
225 0x27, 0x95, 0xd9, 0xac, 0x88, 0x4f, 0x65, 0x2b, 0x68, 0xfc, 0xe6, 0x41, 0xc1, 0x1b, 0xef, 0x4e,
226 0xd6, 0xc2, 0x0f, 0x64, 0x88, 0x95, 0x5e, 0xdd, 0x3a, 0x02, 0x07, 0x50, 0xa9, 0xda, 0xa4, 0x49,
227 0x74, 0x62, 0xfe, 0xd7,
228 };
229
230 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *nsec = NULL, *rrsig = NULL, *dnskey = NULL;
231 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
232 DnssecResult result;
233
234 nsec = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC, "nasa.gov");
235 assert_se(nsec);
236
237 nsec->nsec.next_domain_name = strdup("3D-Printing.nasa.gov");
238 assert_se(nsec->nsec.next_domain_name);
239
240 nsec->nsec.types = bitmap_new();
241 assert_se(nsec->nsec.types);
242 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_A) >= 0);
243 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NS) >= 0);
244 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_SOA) >= 0);
245 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_MX) >= 0);
246 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_TXT) >= 0);
247 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_RRSIG) >= 0);
248 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NSEC) >= 0);
249 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_DNSKEY) >= 0);
250 assert_se(bitmap_set(nsec->nsec.types, 65534) >= 0);
251
252 log_info("NSEC: %s", strna(dns_resource_record_to_string(nsec)));
253
254 rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
255 assert_se(rrsig);
256
257 rrsig->rrsig.type_covered = DNS_TYPE_NSEC;
258 rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
259 rrsig->rrsig.labels = 2;
260 rrsig->rrsig.original_ttl = 300;
261 rrsig->rrsig.expiration = 0x5689002f;
262 rrsig->rrsig.inception = 0x56617230;
263 rrsig->rrsig.key_tag = 30390;
264 rrsig->rrsig.signer = strdup("Nasa.Gov.");
265 assert_se(rrsig->rrsig.signer);
266 rrsig->rrsig.signature_size = sizeof(signature_blob);
267 rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
268 assert_se(rrsig->rrsig.signature);
269
270 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
271
272 dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
273 assert_se(dnskey);
274
275 dnskey->dnskey.flags = 256;
276 dnskey->dnskey.protocol = 3;
277 dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
278 dnskey->dnskey.key_size = sizeof(dnskey_blob);
279 dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
280 assert_se(dnskey->dnskey.key);
281
282 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
283 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
284
285 assert_se(dnssec_key_match_rrsig(nsec->key, rrsig) > 0);
286 assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
287
288 answer = dns_answer_new(1);
289 assert_se(answer);
290 assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
291
292 /* Validate the RR as it if was 2015-12-11 today */
293 assert_se(dnssec_verify_rrset(answer, nsec->key, rrsig, dnskey, 1449849318*USEC_PER_SEC, &result) >= 0);
294 assert_se(result == DNSSEC_VALIDATED);
295 }
296
297 static void test_dnssec_nsec3_hash(void) {
298 static const uint8_t salt[] = { 0xB0, 0x1D, 0xFA, 0xCE };
299 static const uint8_t next_hashed_name[] = { 0x84, 0x10, 0x26, 0x53, 0xc9, 0xfa, 0x4d, 0x85, 0x6c, 0x97, 0x82, 0xe2, 0x8f, 0xdf, 0x2d, 0x5e, 0x87, 0x69, 0xc4, 0x52 };
300 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
301 uint8_t h[DNSSEC_HASH_SIZE_MAX];
302 _cleanup_free_ char *b = NULL;
303 int k;
304
305 /* The NSEC3 RR for eurid.eu on 2015-12-14. */
306 rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC3, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM.eurid.eu.");
307 assert_se(rr);
308
309 rr->nsec3.algorithm = DNSSEC_DIGEST_SHA1;
310 rr->nsec3.flags = 1;
311 rr->nsec3.iterations = 1;
312 rr->nsec3.salt = memdup(salt, sizeof(salt));
313 assert_se(rr->nsec3.salt);
314 rr->nsec3.salt_size = sizeof(salt);
315 rr->nsec3.next_hashed_name = memdup(next_hashed_name, sizeof(next_hashed_name));
316 assert_se(rr->nsec3.next_hashed_name);
317 rr->nsec3.next_hashed_name_size = sizeof(next_hashed_name);
318
319 log_info("NSEC3: %s", strna(dns_resource_record_to_string(rr)));
320
321 k = dnssec_nsec3_hash(rr, "eurid.eu", &h);
322 assert_se(k >= 0);
323
324 b = base32hexmem(h, k, false);
325 assert_se(b);
326 assert_se(strcasecmp(b, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0);
327 }
328
329 #endif
330
331 int main(int argc, char*argv[]) {
332
333 test_dnssec_canonicalize();
334
335 #if HAVE_GCRYPT
336 test_dnssec_verify_dns_key();
337 test_dnssec_verify_rrset();
338 test_dnssec_verify_rrset2();
339 test_dnssec_nsec3_hash();
340 #endif
341
342 return 0;
343 }
Unnamed repository; edit this file 'description' to name the repository.