]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/test-dnssec.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add SPDX license identifiers to source files under the LGPL
[thirdparty/systemd.git] / src / resolve / test-dnssec.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2015 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include <arpa/inet.h>
22 #include <netinet/in.h>
23 #include <sys/socket.h>
24
25 #include "alloc-util.h"
26 #include "resolved-dns-dnssec.h"
27 #include "resolved-dns-rr.h"
28 #include "string-util.h"
29 #include "hexdecoct.h"
30
31 static void test_dnssec_canonicalize_one(const char *original, const char *canonical, int r) {
32 char canonicalized[DNSSEC_CANONICAL_HOSTNAME_MAX];
33
34 assert_se(dnssec_canonicalize(original, canonicalized, sizeof(canonicalized)) == r);
35 if (r < 0)
36 return;
37
38 assert_se(streq(canonicalized, canonical));
39 }
40
41 static void test_dnssec_canonicalize(void) {
42 test_dnssec_canonicalize_one("", ".", 1);
43 test_dnssec_canonicalize_one(".", ".", 1);
44 test_dnssec_canonicalize_one("foo", "foo.", 4);
45 test_dnssec_canonicalize_one("foo.", "foo.", 4);
46 test_dnssec_canonicalize_one("FOO.", "foo.", 4);
47 test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
48 test_dnssec_canonicalize_one("FOO..bar.", NULL, -EINVAL);
49 }
50
51 #if HAVE_GCRYPT
52
53 static void test_dnssec_verify_dns_key(void) {
54
55 static const uint8_t ds1_fprint[] = {
56 0x46, 0x8B, 0xC8, 0xDD, 0xC7, 0xE8, 0x27, 0x03, 0x40, 0xBB, 0x8A, 0x1F, 0x3B, 0x2E, 0x45, 0x9D,
57 0x80, 0x67, 0x14, 0x01,
58 };
59 static const uint8_t ds2_fprint[] = {
60 0x8A, 0xEE, 0x80, 0x47, 0x05, 0x5F, 0x83, 0xD1, 0x48, 0xBA, 0x8F, 0xF6, 0xDD, 0xA7, 0x60, 0xCE,
61 0x94, 0xF7, 0xC7, 0x5E, 0x52, 0x4C, 0xF2, 0xE9, 0x50, 0xB9, 0x2E, 0xCB, 0xEF, 0x96, 0xB9, 0x98,
62 };
63 static const uint8_t dnskey_blob[] = {
64 0x03, 0x01, 0x00, 0x01, 0xa8, 0x12, 0xda, 0x4f, 0xd2, 0x7d, 0x54, 0x14, 0x0e, 0xcc, 0x5b, 0x5e,
65 0x45, 0x9c, 0x96, 0x98, 0xc0, 0xc0, 0x85, 0x81, 0xb1, 0x47, 0x8c, 0x7d, 0xe8, 0x39, 0x50, 0xcc,
66 0xc5, 0xd0, 0xf2, 0x00, 0x81, 0x67, 0x79, 0xf6, 0xcc, 0x9d, 0xad, 0x6c, 0xbb, 0x7b, 0x6f, 0x48,
67 0x97, 0x15, 0x1c, 0xfd, 0x0b, 0xfe, 0xd3, 0xd7, 0x7d, 0x9f, 0x81, 0x26, 0xd3, 0xc5, 0x65, 0x49,
68 0xcf, 0x46, 0x62, 0xb0, 0x55, 0x6e, 0x47, 0xc7, 0x30, 0xef, 0x51, 0xfb, 0x3e, 0xc6, 0xef, 0xde,
69 0x27, 0x3f, 0xfa, 0x57, 0x2d, 0xa7, 0x1d, 0x80, 0x46, 0x9a, 0x5f, 0x14, 0xb3, 0xb0, 0x2c, 0xbe,
70 0x72, 0xca, 0xdf, 0xb2, 0xff, 0x36, 0x5b, 0x4f, 0xec, 0x58, 0x8e, 0x8d, 0x01, 0xe9, 0xa9, 0xdf,
71 0xb5, 0x60, 0xad, 0x52, 0x4d, 0xfc, 0xa9, 0x3e, 0x8d, 0x35, 0x95, 0xb3, 0x4e, 0x0f, 0xca, 0x45,
72 0x1b, 0xf7, 0xef, 0x3a, 0x88, 0x25, 0x08, 0xc7, 0x4e, 0x06, 0xc1, 0x62, 0x1a, 0xce, 0xd8, 0x77,
73 0xbd, 0x02, 0x65, 0xf8, 0x49, 0xfb, 0xce, 0xf6, 0xa8, 0x09, 0xfc, 0xde, 0xb2, 0x09, 0x9d, 0x39,
74 0xf8, 0x63, 0x9c, 0x32, 0x42, 0x7c, 0xa0, 0x30, 0x86, 0x72, 0x7a, 0x4a, 0xc6, 0xd4, 0xb3, 0x2d,
75 0x24, 0xef, 0x96, 0x3f, 0xc2, 0xda, 0xd3, 0xf2, 0x15, 0x6f, 0xda, 0x65, 0x4b, 0x81, 0x28, 0x68,
76 0xf4, 0xfe, 0x3e, 0x71, 0x4f, 0x50, 0x96, 0x72, 0x58, 0xa1, 0x89, 0xdd, 0x01, 0x61, 0x39, 0x39,
77 0xc6, 0x76, 0xa4, 0xda, 0x02, 0x70, 0x3d, 0xc0, 0xdc, 0x8d, 0x70, 0x72, 0x04, 0x90, 0x79, 0xd4,
78 0xec, 0x65, 0xcf, 0x49, 0x35, 0x25, 0x3a, 0x14, 0x1a, 0x45, 0x20, 0xeb, 0x31, 0xaf, 0x92, 0xba,
79 0x20, 0xd3, 0xcd, 0xa7, 0x13, 0x44, 0xdc, 0xcf, 0xf0, 0x27, 0x34, 0xb9, 0xe7, 0x24, 0x6f, 0x73,
80 0xe7, 0xea, 0x77, 0x03,
81 };
82
83 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *dnskey = NULL, *ds1 = NULL, *ds2 = NULL;
84
85 /* The two DS RRs in effect for nasa.gov on 2015-12-01. */
86 ds1 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "nasa.gov");
87 assert_se(ds1);
88
89 ds1->ds.key_tag = 47857;
90 ds1->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
91 ds1->ds.digest_type = DNSSEC_DIGEST_SHA1;
92 ds1->ds.digest_size = sizeof(ds1_fprint);
93 ds1->ds.digest = memdup(ds1_fprint, ds1->ds.digest_size);
94 assert_se(ds1->ds.digest);
95
96 log_info("DS1: %s", strna(dns_resource_record_to_string(ds1)));
97
98 ds2 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "NASA.GOV");
99 assert_se(ds2);
100
101 ds2->ds.key_tag = 47857;
102 ds2->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
103 ds2->ds.digest_type = DNSSEC_DIGEST_SHA256;
104 ds2->ds.digest_size = sizeof(ds2_fprint);
105 ds2->ds.digest = memdup(ds2_fprint, ds2->ds.digest_size);
106 assert_se(ds2->ds.digest);
107
108 log_info("DS2: %s", strna(dns_resource_record_to_string(ds2)));
109
110 dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nasa.GOV");
111 assert_se(dnskey);
112
113 dnskey->dnskey.flags = 257;
114 dnskey->dnskey.protocol = 3;
115 dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
116 dnskey->dnskey.key_size = sizeof(dnskey_blob);
117 dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
118 assert_se(dnskey->dnskey.key);
119
120 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
121 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
122
123 assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds1, false) > 0);
124 assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds2, false) > 0);
125 }
126
127 static void test_dnssec_verify_rrset(void) {
128
129 static const uint8_t signature_blob[] = {
130 0x7f, 0x79, 0xdd, 0x5e, 0x89, 0x79, 0x18, 0xd0, 0x34, 0x86, 0x8c, 0x72, 0x77, 0x75, 0x48, 0x4d,
131 0xc3, 0x7d, 0x38, 0x04, 0xab, 0xcd, 0x9e, 0x4c, 0x82, 0xb0, 0x92, 0xca, 0xe9, 0x66, 0xe9, 0x6e,
132 0x47, 0xc7, 0x68, 0x8c, 0x94, 0xf6, 0x69, 0xcb, 0x75, 0x94, 0xe6, 0x30, 0xa6, 0xfb, 0x68, 0x64,
133 0x96, 0x1a, 0x84, 0xe1, 0xdc, 0x16, 0x4c, 0x83, 0x6c, 0x44, 0xf2, 0x74, 0x4d, 0x74, 0x79, 0x8f,
134 0xf3, 0xf4, 0x63, 0x0d, 0xef, 0x5a, 0xe7, 0xe2, 0xfd, 0xf2, 0x2b, 0x38, 0x7c, 0x28, 0x96, 0x9d,
135 0xb6, 0xcd, 0x5c, 0x3b, 0x57, 0xe2, 0x24, 0x78, 0x65, 0xd0, 0x9e, 0x77, 0x83, 0x09, 0x6c, 0xff,
136 0x3d, 0x52, 0x3f, 0x6e, 0xd1, 0xed, 0x2e, 0xf9, 0xee, 0x8e, 0xa6, 0xbe, 0x9a, 0xa8, 0x87, 0x76,
137 0xd8, 0x77, 0xcc, 0x96, 0xa0, 0x98, 0xa1, 0xd1, 0x68, 0x09, 0x43, 0xcf, 0x56, 0xd9, 0xd1, 0x66,
138 };
139
140 static const uint8_t dnskey_blob[] = {
141 0x03, 0x01, 0x00, 0x01, 0x9b, 0x49, 0x9b, 0xc1, 0xf9, 0x9a, 0xe0, 0x4e, 0xcf, 0xcb, 0x14, 0x45,
142 0x2e, 0xc9, 0xf9, 0x74, 0xa7, 0x18, 0xb5, 0xf3, 0xde, 0x39, 0x49, 0xdf, 0x63, 0x33, 0x97, 0x52,
143 0xe0, 0x8e, 0xac, 0x50, 0x30, 0x8e, 0x09, 0xd5, 0x24, 0x3d, 0x26, 0xa4, 0x49, 0x37, 0x2b, 0xb0,
144 0x6b, 0x1b, 0xdf, 0xde, 0x85, 0x83, 0xcb, 0x22, 0x4e, 0x60, 0x0a, 0x91, 0x1a, 0x1f, 0xc5, 0x40,
145 0xb1, 0xc3, 0x15, 0xc1, 0x54, 0x77, 0x86, 0x65, 0x53, 0xec, 0x10, 0x90, 0x0c, 0x91, 0x00, 0x5e,
146 0x15, 0xdc, 0x08, 0x02, 0x4c, 0x8c, 0x0d, 0xc0, 0xac, 0x6e, 0xc4, 0x3e, 0x1b, 0x80, 0x19, 0xe4,
147 0xf7, 0x5f, 0x77, 0x51, 0x06, 0x87, 0x61, 0xde, 0xa2, 0x18, 0x0f, 0x40, 0x8b, 0x79, 0x72, 0xfa,
148 0x8d, 0x1a, 0x44, 0x47, 0x0d, 0x8e, 0x3a, 0x2d, 0xc7, 0x39, 0xbf, 0x56, 0x28, 0x97, 0xd9, 0x20,
149 0x4f, 0x00, 0x51, 0x3b,
150 };
151
152 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *a = NULL, *rrsig = NULL, *dnskey = NULL;
153 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
154 DnssecResult result;
155
156 a = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, "nAsA.gov");
157 assert_se(a);
158
159 a->a.in_addr.s_addr = inet_addr("52.0.14.116");
160
161 log_info("A: %s", strna(dns_resource_record_to_string(a)));
162
163 rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
164 assert_se(rrsig);
165
166 rrsig->rrsig.type_covered = DNS_TYPE_A;
167 rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
168 rrsig->rrsig.labels = 2;
169 rrsig->rrsig.original_ttl = 600;
170 rrsig->rrsig.expiration = 0x5683135c;
171 rrsig->rrsig.inception = 0x565b7da8;
172 rrsig->rrsig.key_tag = 63876;
173 rrsig->rrsig.signer = strdup("Nasa.Gov.");
174 assert_se(rrsig->rrsig.signer);
175 rrsig->rrsig.signature_size = sizeof(signature_blob);
176 rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
177 assert_se(rrsig->rrsig.signature);
178
179 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
180
181 dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
182 assert_se(dnskey);
183
184 dnskey->dnskey.flags = 256;
185 dnskey->dnskey.protocol = 3;
186 dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
187 dnskey->dnskey.key_size = sizeof(dnskey_blob);
188 dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
189 assert_se(dnskey->dnskey.key);
190
191 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
192 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
193
194 assert_se(dnssec_key_match_rrsig(a->key, rrsig) > 0);
195 assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
196
197 answer = dns_answer_new(1);
198 assert_se(answer);
199 assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
200
201 /* Validate the RR as it if was 2015-12-2 today */
202 assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC, &result) >= 0);
203 assert_se(result == DNSSEC_VALIDATED);
204 }
205
206 static void test_dnssec_verify_rrset2(void) {
207
208 static const uint8_t signature_blob[] = {
209 0x48, 0x45, 0xc8, 0x8b, 0xc0, 0x14, 0x92, 0xf5, 0x15, 0xc6, 0x84, 0x9d, 0x2f, 0xe3, 0x32, 0x11,
210 0x7d, 0xf1, 0xe6, 0x87, 0xb9, 0x42, 0xd3, 0x8b, 0x9e, 0xaf, 0x92, 0x31, 0x0a, 0x53, 0xad, 0x8b,
211 0xa7, 0x5c, 0x83, 0x39, 0x8c, 0x28, 0xac, 0xce, 0x6e, 0x9c, 0x18, 0xe3, 0x31, 0x16, 0x6e, 0xca,
212 0x38, 0x31, 0xaf, 0xd9, 0x94, 0xf1, 0x84, 0xb1, 0xdf, 0x5a, 0xc2, 0x73, 0x22, 0xf6, 0xcb, 0xa2,
213 0xe7, 0x8c, 0x77, 0x0c, 0x74, 0x2f, 0xc2, 0x13, 0xb0, 0x93, 0x51, 0xa9, 0x4f, 0xae, 0x0a, 0xda,
214 0x45, 0xcc, 0xfd, 0x43, 0x99, 0x36, 0x9a, 0x0d, 0x21, 0xe0, 0xeb, 0x30, 0x65, 0xd4, 0xa0, 0x27,
215 0x37, 0x3b, 0xe4, 0xc1, 0xc5, 0xa1, 0x2a, 0xd1, 0x76, 0xc4, 0x7e, 0x64, 0x0e, 0x5a, 0xa6, 0x50,
216 0x24, 0xd5, 0x2c, 0xcc, 0x6d, 0xe5, 0x37, 0xea, 0xbd, 0x09, 0x34, 0xed, 0x24, 0x06, 0xa1, 0x22,
217 };
218
219 static const uint8_t dnskey_blob[] = {
220 0x03, 0x01, 0x00, 0x01, 0xc3, 0x7f, 0x1d, 0xd1, 0x1c, 0x97, 0xb1, 0x13, 0x34, 0x3a, 0x9a, 0xea,
221 0xee, 0xd9, 0x5a, 0x11, 0x1b, 0x17, 0xc7, 0xe3, 0xd4, 0xda, 0x20, 0xbc, 0x5d, 0xba, 0x74, 0xe3,
222 0x37, 0x99, 0xec, 0x25, 0xce, 0x93, 0x7f, 0xbd, 0x22, 0x73, 0x7e, 0x14, 0x71, 0xe0, 0x60, 0x07,
223 0xd4, 0x39, 0x8b, 0x5e, 0xe9, 0xba, 0x25, 0xe8, 0x49, 0xe9, 0x34, 0xef, 0xfe, 0x04, 0x5c, 0xa5,
224 0x27, 0xcd, 0xa9, 0xda, 0x70, 0x05, 0x21, 0xab, 0x15, 0x82, 0x24, 0xc3, 0x94, 0xf5, 0xd7, 0xb7,
225 0xc4, 0x66, 0xcb, 0x32, 0x6e, 0x60, 0x2b, 0x55, 0x59, 0x28, 0x89, 0x8a, 0x72, 0xde, 0x88, 0x56,
226 0x27, 0x95, 0xd9, 0xac, 0x88, 0x4f, 0x65, 0x2b, 0x68, 0xfc, 0xe6, 0x41, 0xc1, 0x1b, 0xef, 0x4e,
227 0xd6, 0xc2, 0x0f, 0x64, 0x88, 0x95, 0x5e, 0xdd, 0x3a, 0x02, 0x07, 0x50, 0xa9, 0xda, 0xa4, 0x49,
228 0x74, 0x62, 0xfe, 0xd7,
229 };
230
231 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *nsec = NULL, *rrsig = NULL, *dnskey = NULL;
232 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
233 DnssecResult result;
234
235 nsec = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC, "nasa.gov");
236 assert_se(nsec);
237
238 nsec->nsec.next_domain_name = strdup("3D-Printing.nasa.gov");
239 assert_se(nsec->nsec.next_domain_name);
240
241 nsec->nsec.types = bitmap_new();
242 assert_se(nsec->nsec.types);
243 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_A) >= 0);
244 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NS) >= 0);
245 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_SOA) >= 0);
246 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_MX) >= 0);
247 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_TXT) >= 0);
248 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_RRSIG) >= 0);
249 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NSEC) >= 0);
250 assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_DNSKEY) >= 0);
251 assert_se(bitmap_set(nsec->nsec.types, 65534) >= 0);
252
253 log_info("NSEC: %s", strna(dns_resource_record_to_string(nsec)));
254
255 rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
256 assert_se(rrsig);
257
258 rrsig->rrsig.type_covered = DNS_TYPE_NSEC;
259 rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
260 rrsig->rrsig.labels = 2;
261 rrsig->rrsig.original_ttl = 300;
262 rrsig->rrsig.expiration = 0x5689002f;
263 rrsig->rrsig.inception = 0x56617230;
264 rrsig->rrsig.key_tag = 30390;
265 rrsig->rrsig.signer = strdup("Nasa.Gov.");
266 assert_se(rrsig->rrsig.signer);
267 rrsig->rrsig.signature_size = sizeof(signature_blob);
268 rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
269 assert_se(rrsig->rrsig.signature);
270
271 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
272
273 dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
274 assert_se(dnskey);
275
276 dnskey->dnskey.flags = 256;
277 dnskey->dnskey.protocol = 3;
278 dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
279 dnskey->dnskey.key_size = sizeof(dnskey_blob);
280 dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
281 assert_se(dnskey->dnskey.key);
282
283 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
284 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
285
286 assert_se(dnssec_key_match_rrsig(nsec->key, rrsig) > 0);
287 assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
288
289 answer = dns_answer_new(1);
290 assert_se(answer);
291 assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
292
293 /* Validate the RR as it if was 2015-12-11 today */
294 assert_se(dnssec_verify_rrset(answer, nsec->key, rrsig, dnskey, 1449849318*USEC_PER_SEC, &result) >= 0);
295 assert_se(result == DNSSEC_VALIDATED);
296 }
297
298 static void test_dnssec_nsec3_hash(void) {
299 static const uint8_t salt[] = { 0xB0, 0x1D, 0xFA, 0xCE };
300 static const uint8_t next_hashed_name[] = { 0x84, 0x10, 0x26, 0x53, 0xc9, 0xfa, 0x4d, 0x85, 0x6c, 0x97, 0x82, 0xe2, 0x8f, 0xdf, 0x2d, 0x5e, 0x87, 0x69, 0xc4, 0x52 };
301 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
302 uint8_t h[DNSSEC_HASH_SIZE_MAX];
303 _cleanup_free_ char *b = NULL;
304 int k;
305
306 /* The NSEC3 RR for eurid.eu on 2015-12-14. */
307 rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC3, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM.eurid.eu.");
308 assert_se(rr);
309
310 rr->nsec3.algorithm = DNSSEC_DIGEST_SHA1;
311 rr->nsec3.flags = 1;
312 rr->nsec3.iterations = 1;
313 rr->nsec3.salt = memdup(salt, sizeof(salt));
314 assert_se(rr->nsec3.salt);
315 rr->nsec3.salt_size = sizeof(salt);
316 rr->nsec3.next_hashed_name = memdup(next_hashed_name, sizeof(next_hashed_name));
317 assert_se(rr->nsec3.next_hashed_name);
318 rr->nsec3.next_hashed_name_size = sizeof(next_hashed_name);
319
320 log_info("NSEC3: %s", strna(dns_resource_record_to_string(rr)));
321
322 k = dnssec_nsec3_hash(rr, "eurid.eu", &h);
323 assert_se(k >= 0);
324
325 b = base32hexmem(h, k, false);
326 assert_se(b);
327 assert_se(strcasecmp(b, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0);
328 }
329
330 #endif
331
332 int main(int argc, char*argv[]) {
333
334 test_dnssec_canonicalize();
335
336 #if HAVE_GCRYPT
337 test_dnssec_verify_dns_key();
338 test_dnssec_verify_rrset();
339 test_dnssec_verify_rrset2();
340 test_dnssec_nsec3_hash();
341 #endif
342
343 return 0;
344 }
Unnamed repository; edit this file 'description' to name the repository.