]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/test-dnssec.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2495 from heftig/master
[thirdparty/systemd.git] / src / resolve / test-dnssec.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2015 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <arpa/inet.h>
21 #include <netinet/in.h>
22 #include <sys/socket.h>
23
24 #include "alloc-util.h"
25 #include "resolved-dns-dnssec.h"
26 #include "resolved-dns-rr.h"
27 #include "string-util.h"
28 #include "hexdecoct.h"
29
30 static void test_dnssec_verify_rrset2(void) {
31
32 static const uint8_t signature_blob[] = {
33 0x48, 0x45, 0xc8, 0x8b, 0xc0, 0x14, 0x92, 0xf5, 0x15, 0xc6, 0x84, 0x9d, 0x2f, 0xe3, 0x32, 0x11,
34 0x7d, 0xf1, 0xe6, 0x87, 0xb9, 0x42, 0xd3, 0x8b, 0x9e, 0xaf, 0x92, 0x31, 0x0a, 0x53, 0xad, 0x8b,
35 0xa7, 0x5c, 0x83, 0x39, 0x8c, 0x28, 0xac, 0xce, 0x6e, 0x9c, 0x18, 0xe3, 0x31, 0x16, 0x6e, 0xca,
36 0x38, 0x31, 0xaf, 0xd9, 0x94, 0xf1, 0x84, 0xb1, 0xdf, 0x5a, 0xc2, 0x73, 0x22, 0xf6, 0xcb, 0xa2,
37 0xe7, 0x8c, 0x77, 0x0c, 0x74, 0x2f, 0xc2, 0x13, 0xb0, 0x93, 0x51, 0xa9, 0x4f, 0xae, 0x0a, 0xda,
38 0x45, 0xcc, 0xfd, 0x43, 0x99, 0x36, 0x9a, 0x0d, 0x21, 0xe0, 0xeb, 0x30, 0x65, 0xd4, 0xa0, 0x27,
39 0x37, 0x3b, 0xe4, 0xc1, 0xc5, 0xa1, 0x2a, 0xd1, 0x76, 0xc4, 0x7e, 0x64, 0x0e, 0x5a, 0xa6, 0x50,
40 0x24, 0xd5, 0x2c, 0xcc, 0x6d, 0xe5, 0x37, 0xea, 0xbd, 0x09, 0x34, 0xed, 0x24, 0x06, 0xa1, 0x22,
41 };
42
43 static const uint8_t dnskey_blob[] = {
44 0x03, 0x01, 0x00, 0x01, 0xc3, 0x7f, 0x1d, 0xd1, 0x1c, 0x97, 0xb1, 0x13, 0x34, 0x3a, 0x9a, 0xea,
45 0xee, 0xd9, 0x5a, 0x11, 0x1b, 0x17, 0xc7, 0xe3, 0xd4, 0xda, 0x20, 0xbc, 0x5d, 0xba, 0x74, 0xe3,
46 0x37, 0x99, 0xec, 0x25, 0xce, 0x93, 0x7f, 0xbd, 0x22, 0x73, 0x7e, 0x14, 0x71, 0xe0, 0x60, 0x07,
47 0xd4, 0x39, 0x8b, 0x5e, 0xe9, 0xba, 0x25, 0xe8, 0x49, 0xe9, 0x34, 0xef, 0xfe, 0x04, 0x5c, 0xa5,
48 0x27, 0xcd, 0xa9, 0xda, 0x70, 0x05, 0x21, 0xab, 0x15, 0x82, 0x24, 0xc3, 0x94, 0xf5, 0xd7, 0xb7,
49 0xc4, 0x66, 0xcb, 0x32, 0x6e, 0x60, 0x2b, 0x55, 0x59, 0x28, 0x89, 0x8a, 0x72, 0xde, 0x88, 0x56,
50 0x27, 0x95, 0xd9, 0xac, 0x88, 0x4f, 0x65, 0x2b, 0x68, 0xfc, 0xe6, 0x41, 0xc1, 0x1b, 0xef, 0x4e,
51 0xd6, 0xc2, 0x0f, 0x64, 0x88, 0x95, 0x5e, 0xdd, 0x3a, 0x02, 0x07, 0x50, 0xa9, 0xda, 0xa4, 0x49,
52 0x74, 0x62, 0xfe, 0xd7,
53 };
54
55 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *nsec = NULL, *rrsig = NULL, *dnskey = NULL;
56 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
57 DnssecResult result;
58
59 nsec = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC, "nasa.gov");
60 assert_se(nsec);
61
62 nsec->nsec.next_domain_name = strdup("3D-Printing.nasa.gov");
63 assert_se(nsec->nsec.next_domain_name);
64
65 nsec->nsec.types = bitmap_new();
66 assert_se(nsec->nsec.types);
67 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_A) >= 0);
68 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NS) >= 0);
69 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_SOA) >= 0);
70 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_MX) >= 0);
71 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_TXT) >= 0);
72 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_RRSIG) >= 0);
73 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NSEC) >= 0);
74 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_DNSKEY) >= 0);
75 assert_se(bitmap_set(nsec->nsec.types, 65534) >= 0);
76
77 log_info("NSEC: %s", strna(dns_resource_record_to_string(nsec)));
78
79 rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
80 assert_se(rrsig);
81
82 rrsig->rrsig.type_covered = DNS_TYPE_NSEC;
83 rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
84 rrsig->rrsig.labels = 2;
85 rrsig->rrsig.original_ttl = 300;
86 rrsig->rrsig.expiration = 0x5689002f;
87 rrsig->rrsig.inception = 0x56617230;
88 rrsig->rrsig.key_tag = 30390;
89 rrsig->rrsig.signer = strdup("Nasa.Gov.");
90 assert_se(rrsig->rrsig.signer);
91 rrsig->rrsig.signature_size = sizeof(signature_blob);
92 rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
93 assert_se(rrsig->rrsig.signature);
94
95 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
96
97 dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
98 assert_se(dnskey);
99
100 dnskey->dnskey.flags = 256;
101 dnskey->dnskey.protocol = 3;
102 dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
103 dnskey->dnskey.key_size = sizeof(dnskey_blob);
104 dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
105 assert_se(dnskey->dnskey.key);
106
107 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
108 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
109
110 assert_se(dnssec_key_match_rrsig(nsec->key, rrsig) > 0);
111 assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
112
113 answer = dns_answer_new(1);
114 assert_se(answer);
115 assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
116
117 /* Validate the RR as it if was 2015-12-11 today */
118 assert_se(dnssec_verify_rrset(answer, nsec->key, rrsig, dnskey, 1449849318*USEC_PER_SEC, &result) >= 0);
119 assert_se(result == DNSSEC_VALIDATED);
120 }
121
122 static void test_dnssec_verify_rrset(void) {
123
124 static const uint8_t signature_blob[] = {
125 0x7f, 0x79, 0xdd, 0x5e, 0x89, 0x79, 0x18, 0xd0, 0x34, 0x86, 0x8c, 0x72, 0x77, 0x75, 0x48, 0x4d,
126 0xc3, 0x7d, 0x38, 0x04, 0xab, 0xcd, 0x9e, 0x4c, 0x82, 0xb0, 0x92, 0xca, 0xe9, 0x66, 0xe9, 0x6e,
127 0x47, 0xc7, 0x68, 0x8c, 0x94, 0xf6, 0x69, 0xcb, 0x75, 0x94, 0xe6, 0x30, 0xa6, 0xfb, 0x68, 0x64,
128 0x96, 0x1a, 0x84, 0xe1, 0xdc, 0x16, 0x4c, 0x83, 0x6c, 0x44, 0xf2, 0x74, 0x4d, 0x74, 0x79, 0x8f,
129 0xf3, 0xf4, 0x63, 0x0d, 0xef, 0x5a, 0xe7, 0xe2, 0xfd, 0xf2, 0x2b, 0x38, 0x7c, 0x28, 0x96, 0x9d,
130 0xb6, 0xcd, 0x5c, 0x3b, 0x57, 0xe2, 0x24, 0x78, 0x65, 0xd0, 0x9e, 0x77, 0x83, 0x09, 0x6c, 0xff,
131 0x3d, 0x52, 0x3f, 0x6e, 0xd1, 0xed, 0x2e, 0xf9, 0xee, 0x8e, 0xa6, 0xbe, 0x9a, 0xa8, 0x87, 0x76,
132 0xd8, 0x77, 0xcc, 0x96, 0xa0, 0x98, 0xa1, 0xd1, 0x68, 0x09, 0x43, 0xcf, 0x56, 0xd9, 0xd1, 0x66,
133 };
134
135 static const uint8_t dnskey_blob[] = {
136 0x03, 0x01, 0x00, 0x01, 0x9b, 0x49, 0x9b, 0xc1, 0xf9, 0x9a, 0xe0, 0x4e, 0xcf, 0xcb, 0x14, 0x45,
137 0x2e, 0xc9, 0xf9, 0x74, 0xa7, 0x18, 0xb5, 0xf3, 0xde, 0x39, 0x49, 0xdf, 0x63, 0x33, 0x97, 0x52,
138 0xe0, 0x8e, 0xac, 0x50, 0x30, 0x8e, 0x09, 0xd5, 0x24, 0x3d, 0x26, 0xa4, 0x49, 0x37, 0x2b, 0xb0,
139 0x6b, 0x1b, 0xdf, 0xde, 0x85, 0x83, 0xcb, 0x22, 0x4e, 0x60, 0x0a, 0x91, 0x1a, 0x1f, 0xc5, 0x40,
140 0xb1, 0xc3, 0x15, 0xc1, 0x54, 0x77, 0x86, 0x65, 0x53, 0xec, 0x10, 0x90, 0x0c, 0x91, 0x00, 0x5e,
141 0x15, 0xdc, 0x08, 0x02, 0x4c, 0x8c, 0x0d, 0xc0, 0xac, 0x6e, 0xc4, 0x3e, 0x1b, 0x80, 0x19, 0xe4,
142 0xf7, 0x5f, 0x77, 0x51, 0x06, 0x87, 0x61, 0xde, 0xa2, 0x18, 0x0f, 0x40, 0x8b, 0x79, 0x72, 0xfa,
143 0x8d, 0x1a, 0x44, 0x47, 0x0d, 0x8e, 0x3a, 0x2d, 0xc7, 0x39, 0xbf, 0x56, 0x28, 0x97, 0xd9, 0x20,
144 0x4f, 0x00, 0x51, 0x3b,
145 };
146
147 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *a = NULL, *rrsig = NULL, *dnskey = NULL;
148 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
149 DnssecResult result;
150
151 a = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, "nAsA.gov");
152 assert_se(a);
153
154 a->a.in_addr.s_addr = inet_addr("52.0.14.116");
155
156 log_info("A: %s", strna(dns_resource_record_to_string(a)));
157
158 rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
159 assert_se(rrsig);
160
161 rrsig->rrsig.type_covered = DNS_TYPE_A;
162 rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
163 rrsig->rrsig.labels = 2;
164 rrsig->rrsig.original_ttl = 600;
165 rrsig->rrsig.expiration = 0x5683135c;
166 rrsig->rrsig.inception = 0x565b7da8;
167 rrsig->rrsig.key_tag = 63876;
168 rrsig->rrsig.signer = strdup("Nasa.Gov.");
169 assert_se(rrsig->rrsig.signer);
170 rrsig->rrsig.signature_size = sizeof(signature_blob);
171 rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
172 assert_se(rrsig->rrsig.signature);
173
174 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
175
176 dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
177 assert_se(dnskey);
178
179 dnskey->dnskey.flags = 256;
180 dnskey->dnskey.protocol = 3;
181 dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
182 dnskey->dnskey.key_size = sizeof(dnskey_blob);
183 dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
184 assert_se(dnskey->dnskey.key);
185
186 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
187 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
188
189 assert_se(dnssec_key_match_rrsig(a->key, rrsig) > 0);
190 assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
191
192 answer = dns_answer_new(1);
193 assert_se(answer);
194 assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
195
196 /* Validate the RR as it if was 2015-12-2 today */
197 assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC, &result) >= 0);
198 assert_se(result == DNSSEC_VALIDATED);
199 }
200
201 static void test_dnssec_verify_dns_key(void) {
202
203 static const uint8_t ds1_fprint[] = {
204 0x46, 0x8B, 0xC8, 0xDD, 0xC7, 0xE8, 0x27, 0x03, 0x40, 0xBB, 0x8A, 0x1F, 0x3B, 0x2E, 0x45, 0x9D,
205 0x80, 0x67, 0x14, 0x01,
206 };
207 static const uint8_t ds2_fprint[] = {
208 0x8A, 0xEE, 0x80, 0x47, 0x05, 0x5F, 0x83, 0xD1, 0x48, 0xBA, 0x8F, 0xF6, 0xDD, 0xA7, 0x60, 0xCE,
209 0x94, 0xF7, 0xC7, 0x5E, 0x52, 0x4C, 0xF2, 0xE9, 0x50, 0xB9, 0x2E, 0xCB, 0xEF, 0x96, 0xB9, 0x98,
210 };
211 static const uint8_t dnskey_blob[] = {
212 0x03, 0x01, 0x00, 0x01, 0xa8, 0x12, 0xda, 0x4f, 0xd2, 0x7d, 0x54, 0x14, 0x0e, 0xcc, 0x5b, 0x5e,
213 0x45, 0x9c, 0x96, 0x98, 0xc0, 0xc0, 0x85, 0x81, 0xb1, 0x47, 0x8c, 0x7d, 0xe8, 0x39, 0x50, 0xcc,
214 0xc5, 0xd0, 0xf2, 0x00, 0x81, 0x67, 0x79, 0xf6, 0xcc, 0x9d, 0xad, 0x6c, 0xbb, 0x7b, 0x6f, 0x48,
215 0x97, 0x15, 0x1c, 0xfd, 0x0b, 0xfe, 0xd3, 0xd7, 0x7d, 0x9f, 0x81, 0x26, 0xd3, 0xc5, 0x65, 0x49,
216 0xcf, 0x46, 0x62, 0xb0, 0x55, 0x6e, 0x47, 0xc7, 0x30, 0xef, 0x51, 0xfb, 0x3e, 0xc6, 0xef, 0xde,
217 0x27, 0x3f, 0xfa, 0x57, 0x2d, 0xa7, 0x1d, 0x80, 0x46, 0x9a, 0x5f, 0x14, 0xb3, 0xb0, 0x2c, 0xbe,
218 0x72, 0xca, 0xdf, 0xb2, 0xff, 0x36, 0x5b, 0x4f, 0xec, 0x58, 0x8e, 0x8d, 0x01, 0xe9, 0xa9, 0xdf,
219 0xb5, 0x60, 0xad, 0x52, 0x4d, 0xfc, 0xa9, 0x3e, 0x8d, 0x35, 0x95, 0xb3, 0x4e, 0x0f, 0xca, 0x45,
220 0x1b, 0xf7, 0xef, 0x3a, 0x88, 0x25, 0x08, 0xc7, 0x4e, 0x06, 0xc1, 0x62, 0x1a, 0xce, 0xd8, 0x77,
221 0xbd, 0x02, 0x65, 0xf8, 0x49, 0xfb, 0xce, 0xf6, 0xa8, 0x09, 0xfc, 0xde, 0xb2, 0x09, 0x9d, 0x39,
222 0xf8, 0x63, 0x9c, 0x32, 0x42, 0x7c, 0xa0, 0x30, 0x86, 0x72, 0x7a, 0x4a, 0xc6, 0xd4, 0xb3, 0x2d,
223 0x24, 0xef, 0x96, 0x3f, 0xc2, 0xda, 0xd3, 0xf2, 0x15, 0x6f, 0xda, 0x65, 0x4b, 0x81, 0x28, 0x68,
224 0xf4, 0xfe, 0x3e, 0x71, 0x4f, 0x50, 0x96, 0x72, 0x58, 0xa1, 0x89, 0xdd, 0x01, 0x61, 0x39, 0x39,
225 0xc6, 0x76, 0xa4, 0xda, 0x02, 0x70, 0x3d, 0xc0, 0xdc, 0x8d, 0x70, 0x72, 0x04, 0x90, 0x79, 0xd4,
226 0xec, 0x65, 0xcf, 0x49, 0x35, 0x25, 0x3a, 0x14, 0x1a, 0x45, 0x20, 0xeb, 0x31, 0xaf, 0x92, 0xba,
227 0x20, 0xd3, 0xcd, 0xa7, 0x13, 0x44, 0xdc, 0xcf, 0xf0, 0x27, 0x34, 0xb9, 0xe7, 0x24, 0x6f, 0x73,
228 0xe7, 0xea, 0x77, 0x03,
229 };
230
231 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *dnskey = NULL, *ds1 = NULL, *ds2 = NULL;
232
233 /* The two DS RRs in effect for nasa.gov on 2015-12-01. */
234 ds1 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "nasa.gov");
235 assert_se(ds1);
236
237 ds1->ds.key_tag = 47857;
238 ds1->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
239 ds1->ds.digest_type = DNSSEC_DIGEST_SHA1;
240 ds1->ds.digest_size = sizeof(ds1_fprint);
241 ds1->ds.digest = memdup(ds1_fprint, ds1->ds.digest_size);
242 assert_se(ds1->ds.digest);
243
244 log_info("DS1: %s", strna(dns_resource_record_to_string(ds1)));
245
246 ds2 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "NASA.GOV");
247 assert_se(ds2);
248
249 ds2->ds.key_tag = 47857;
250 ds2->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
251 ds2->ds.digest_type = DNSSEC_DIGEST_SHA256;
252 ds2->ds.digest_size = sizeof(ds2_fprint);
253 ds2->ds.digest = memdup(ds2_fprint, ds2->ds.digest_size);
254 assert_se(ds2->ds.digest);
255
256 log_info("DS2: %s", strna(dns_resource_record_to_string(ds2)));
257
258 dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nasa.GOV");
259 assert_se(dnskey);
260
261 dnskey->dnskey.flags = 257;
262 dnskey->dnskey.protocol = 3;
263 dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
264 dnskey->dnskey.key_size = sizeof(dnskey_blob);
265 dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
266 assert_se(dnskey->dnskey.key);
267
268 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
269 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
270
271 assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds1, false) > 0);
272 assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds2, false) > 0);
273 }
274
275 static void test_dnssec_canonicalize_one(const char *original, const char *canonical, int r) {
276 char canonicalized[DNSSEC_CANONICAL_HOSTNAME_MAX];
277
278 assert_se(dnssec_canonicalize(original, canonicalized, sizeof(canonicalized)) == r);
279 if (r < 0)
280 return;
281
282 assert_se(streq(canonicalized, canonical));
283 }
284
285 static void test_dnssec_canonicalize(void) {
286 test_dnssec_canonicalize_one("", ".", 1);
287 test_dnssec_canonicalize_one(".", ".", 1);
288 test_dnssec_canonicalize_one("foo", "foo.", 4);
289 test_dnssec_canonicalize_one("foo.", "foo.", 4);
290 test_dnssec_canonicalize_one("FOO.", "foo.", 4);
291 test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
292 test_dnssec_canonicalize_one("FOO..bar.", NULL, -EINVAL);
293 }
294
295 static void test_dnssec_nsec3_hash(void) {
296 static const uint8_t salt[] = { 0xB0, 0x1D, 0xFA, 0xCE };
297 static const uint8_t next_hashed_name[] = { 0x84, 0x10, 0x26, 0x53, 0xc9, 0xfa, 0x4d, 0x85, 0x6c, 0x97, 0x82, 0xe2, 0x8f, 0xdf, 0x2d, 0x5e, 0x87, 0x69, 0xc4, 0x52 };
298 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
299 uint8_t h[DNSSEC_HASH_SIZE_MAX];
300 _cleanup_free_ char *b = NULL;
301 int k;
302
303 /* The NSEC3 RR for eurid.eu on 2015-12-14. */
304 rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC3, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM.eurid.eu.");
305 assert_se(rr);
306
307 rr->nsec3.algorithm = DNSSEC_DIGEST_SHA1;
308 rr->nsec3.flags = 1;
309 rr->nsec3.iterations = 1;
310 rr->nsec3.salt = memdup(salt, sizeof(salt));
311 assert_se(rr->nsec3.salt);
312 rr->nsec3.salt_size = sizeof(salt);
313 rr->nsec3.next_hashed_name = memdup(next_hashed_name, sizeof(next_hashed_name));
314 assert_se(rr->nsec3.next_hashed_name);
315 rr->nsec3.next_hashed_name_size = sizeof(next_hashed_name);
316
317 log_info("NSEC3: %s", strna(dns_resource_record_to_string(rr)));
318
319 k = dnssec_nsec3_hash(rr, "eurid.eu", &h);
320 assert_se(k >= 0);
321
322 b = base32hexmem(h, k, false);
323 assert_se(b);
324 assert_se(strcasecmp(b, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0);
325 }
326
327 int main(int argc, char*argv[]) {
328
329 test_dnssec_canonicalize();
330 test_dnssec_verify_dns_key();
331 test_dnssec_verify_rrset();
332 test_dnssec_verify_rrset2();
333 test_dnssec_nsec3_hash();
334
335 return 0;
336 }
Unnamed repository; edit this file 'description' to name the repository.