From: Wouter Wijngaards
Date: Wed, 15 Aug 2007 13:18:32 +0000 (+0000)
Subject: verify unit test.
X-Git-Tag: release-0.5~119
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d29f799744dac861ec426fa81864fb8e2f2df67;p=thirdparty%2Funbound.git

verify unit test.

git-svn-id: file:///svn/unbound/trunk@522 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/Makefile.in b/Makefile.in
index 4e6348a6d..0f9209fe6 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -57,7 +57,8 @@ COMMON_SRC=$(wildcard services/*.c services/cache/*.c util/*.c \
 util/configparser.c util/configlexer.c testcode/checklocks.c
 COMMON_OBJ=$(addprefix $(BUILD),$(COMMON_SRC:.c=.o))
 COMPAT_OBJ=$(addprefix $(BUILD)compat/,$(LIBOBJS))
-UNITTEST_SRC=$(wildcard testcode/unit*.c) testcode/readhex.c $(COMMON_SRC)
+UNITTEST_SRC=$(wildcard testcode/unit*.c) testcode/readhex.c \
+ testcode/ldns-testpkts.c $(COMMON_SRC)
 UNITTEST_OBJ=$(addprefix $(BUILD),$(UNITTEST_SRC:.c=.o)) $(COMPAT_OBJ)
 DAEMON_SRC=$(wildcard daemon/*.c) $(COMMON_SRC)
 DAEMON_OBJ=$(addprefix $(BUILD),$(DAEMON_SRC:.c=.o)) $(COMPAT_OBJ)
diff --git a/doc/Changelog b/doc/Changelog
index d97837c02..7cec25ed2 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,6 @@
 15 August 2007: Wouter
 - crypto calls to verify signatures.
+ - unit test for rrsig verification.
 
 14 August 2007: Wouter
 - default outgoing ports changed to avoid port 2049 by default.
diff --git a/testcode/unitmain.c b/testcode/unitmain.c
index 9cb1b5df4..5b2b766f7 100644
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@@ -213,6 +213,7 @@ main(int argc, char* argv[])
 }
 printf("Start of %s unit test.\n", PACKAGE_STRING);
 checklock_start();
+ verify_test();
 net_test();
 dname_test();
 anchors_test();
diff --git a/testcode/unitmain.h b/testcode/unitmain.h
index 96fe68ac4..f34d9f797 100644
--- a/testcode/unitmain.h
+++ b/testcode/unitmain.h
@@ -57,5 +57,7 @@ void msgparse_test();
 void dname_test();
 /** unit test trust anchor storage functions */
 void anchors_test();
+/** unit test for verification functions */
+void verify_test();
 #endif /* TESTCODE_UNITMAIN_H */
diff --git a/testcode/unitverify.c b/testcode/unitverify.c
new file mode 100644
index 000000000..8087112b3
--- /dev/null
+++ b/testcode/unitverify.c
@@ -0,0 +1,232 @@
+/*
+ * testcode/unitverify.c - unit test for signature verification routines.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/**
+ * \file
+ * Calls verification unit tests. Exits with code 1 on a failure.
+ */
+
+#include "config.h"
+#include "util/log.h"
+#include "testcode/unitmain.h"
+#include "validator/val_sigcrypt.h"
+#include "validator/validator.h"
+#include "testcode/ldns-testpkts.h"
+#include "util/data/msgreply.h"
+#include "util/data/msgparse.h"
+#include "util/region-allocator.h"
+#include "util/alloc.h"
+#include "util/net_help.h"
+#include "util/module.h"
+#include "util/config_file.h"
+
+/** verbose signature test */
+static int vsig = 0;
+
+/** entry to packet buffer with wireformat */
+static void
+entry_to_buf(struct entry* e, ldns_buffer* pkt)
+{
+ unit_assert(e->reply_list);
+ if(e->reply_list->reply_from_hex) {
+ ldns_buffer_copy(pkt, e->reply_list->reply_from_hex);
+ } else {
+ ldns_status status;
+ size_t answer_size;
+ uint8_t* ans = NULL;
+ status = ldns_pkt2wire(&ans, e->reply_list->reply,
+ &answer_size);
+ if(status != LDNS_STATUS_OK) {
+ log_err("could not create reply: %s",
+ ldns_get_errorstr_by_id(status));
+ fatal_exit("error in test");
+ }
+ ldns_buffer_clear(pkt);
+ ldns_buffer_write(pkt, ans, answer_size);
+ ldns_buffer_flip(pkt);
+ free(ans);
+ }
+}
+
+/** entry to reply info conversion */
+static void
+entry_to_repinfo(struct entry* e, struct alloc_cache* alloc, struct region*
+ region, ldns_buffer* pkt, struct query_info* qi,
+ struct reply_info** rep)
+{
+ int ret;
+ struct edns_data edns;
+ entry_to_buf(e, pkt);
+ ret = reply_info_parse(pkt, alloc, qi, rep, region, &edns);
+ region_free_all(region);
+ if(ret != 0) {
+ printf("parse code %d: %s\n", ret,
+ ldns_lookup_by_id(ldns_rcodes, ret)->name);
+ unit_assert(ret != 0);
+ }
+}
+
+/** extract DNSKEY rrset from answer and convert it */
+static struct ub_packed_rrset_key*
+extract_keys(struct entry* e, struct alloc_cache* alloc, struct region*
+ region, ldns_buffer* pkt)
+{
+ struct ub_packed_rrset_key* dnskey = NULL;
+ struct query_info qinfo;
+ struct reply_info* rep = NULL;
+ size_t i;
+
+ entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep);
+ for(i=0; ian_numrrsets;
i++) {
+ if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DNSKEY) {
+ dnskey = rep->rrsets[i];
+ rep->rrsets[i] = NULL;
+ break;
+ }
+ }
+ unit_assert(dnskey);
+
+ reply_info_parsedelete(rep, alloc);
+ query_info_clear(&qinfo);
+ return dnskey;
+}
+
+/** return true if answer should be bogus */
+static int
+should_be_bogus(struct ub_packed_rrset_key* rrset)
+{
+ struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
+ entry.data;
+ if(d->rrsig_count == 0)
+ return 1;
+ return 0;
+}
+
+/** verify and test one rrset against the key rrset */
+static void
+verifytest_rrset(struct module_env* env, struct val_env* ve,
+ struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey)
+{
+ enum sec_status sec;
+ if(vsig) {
+ log_nametypeclass(VERB_DETAIL, "verify of rrset",
+ rrset->rk.dname, ntohs(rrset->rk.type),
+ ntohs(rrset->rk.rrset_class));
+ }
+ sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey);
+ if(vsig) {
+ printf("verify outcome is: %s\n", sec_status_to_string(sec));
+ }
+ if(should_be_bogus(rrset)) {
+ unit_assert(sec == sec_status_bogus);
+ } else {
+ unit_assert(sec == sec_status_secure);
+ }
+}
+
+/** verify and test an entry - every rr in the message */
+static void
+verifytest_entry(struct entry* e, struct alloc_cache* alloc, struct region*
+ region, ldns_buffer* pkt, struct ub_packed_rrset_key* dnskey,
+ struct module_env* env, struct val_env* ve)
+{
+ struct query_info qinfo;
+ struct reply_info* rep = NULL;
+ size_t i;
+
+ region_free_all(region);
+ if(vsig) {
+ printf("verifying pkt:\n");
+ ldns_pkt_print(stdout, e->reply_list->reply);
+ printf("\n");
+ }
+ entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep);
+
+ for(i=0; irrset_count; i++) {
+ verifytest_rrset(env, ve, rep->rrsets[i], dnskey);
+ }
+
+ reply_info_parsedelete(rep, alloc);
+ query_info_clear(&qinfo);
+}
+
+/** verify from a file */
+static void
+verifytest_file(const char* fname, const char* at_date)
+{
+ /*
+ * The file contains a list of ldns-testpkts entries.
+ * The first entry must be a query for DNSKEY.
+ * The answer rrset is the keyset that will be used for verification
+ */
+ struct ub_packed_rrset_key* dnskey;
+ struct region* region = region_create(malloc, free);
+ struct alloc_cache alloc;
+ ldns_buffer* buf = ldns_buffer_new(65535);
+ struct entry* e;
+ struct entry* list = read_datafile(fname);
+ struct module_env env;
+ struct val_env ve;
+
+ if(!list)
+ fatal_exit("could not read %s: %s", fname, strerror(errno));
+ alloc_init(&alloc, NULL, 1);
+ memset(&env, 0, sizeof(env));
+ memset(&ve, 0, sizeof(ve));
+ env.scratch = region;
+ env.scratch_buffer = buf;
+ ve.date_override = cfg_convert_timeval(at_date);
+ unit_assert(region && buf);
+ dnskey = extract_keys(list, &alloc, region, buf);
+ if(vsig) log_nametypeclass(VERB_DETAIL, "test dnskey",
+ dnskey->rk.dname, ntohs(dnskey->rk.type),
+ ntohs(dnskey->rk.rrset_class));
+ /* ready to go! */
+ for(e = list->next; e; e = e->next) {
+ verifytest_entry(e, &alloc, region, buf, dnskey, &env, &ve);
+ }
+
+ delete_entry(list);
+ region_destroy(region);
+ alloc_clear(&alloc);
+ ldns_buffer_free(buf);
+}
+
+void
+verify_test()
+{
+ printf("verify test\n");
+ verifytest_file("testdata/test_signatures.1", "20070818005004");
+}
diff --git a/testdata/test_signatures.1 b/testdata/test_signatures.1
new file mode 100644
index 000000000..9bb79ce12
--- /dev/null
+++ b/testdata/test_signatures.1
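Review bot: In `entry_to_repinfo` the assertion inside the `if(ret != 0)` branch is `unit_assert(ret != 0)`, which is true by construction, so a reply that fails to parse is printed but never fails the test, and the callers then go on to use a `*rep` that `reply_info_parse` did not fill in; it should read `unit_assert(ret == 0);` (or `unit_assert(0);` after the printf). The DNSKEY rrset that `extract_keys` lifts out of the parsed reply is never released in `verifytest_file`, which leaks one rrset per test file and will show up under a leak checker; a matching release after the entry loop, next to `delete_entry(list)`, would keep the test clean. `extract_keys` also sets `rep->rrsets[i] = NULL` before `reply_info_parsedelete(rep, alloc)`, which is only safe if that function tolerates a NULL slot — I cannot see that from here, so a short comment recording the assumption would help. Finally, `unit_assert(region && buf)` runs after `region` and `buf` have already been stored into `env`; moving it directly after the two allocations fails earlier and reads better.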
@@ -0,0 +1,81 @@ +; Signature test file + +; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. +; later entries are verified with it. + + +; DNSKEY used for testing, from august 2007. +ENTRY_BEGIN +SECTION QUESTION +nlnetlabs.nl. IN DNSKEY +SECTION ANSWER +nlnetlabs.nl. 3600 IN DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ== +nlnetlabs.nl. 3600 IN DNSKEY 256 3 5 AQOpbYrUNahQAV5/wTCJ9/wbSM/eV+N+jYZAMmIKn6QF3Z57B6upgcjV HEOyFkA3YcIt5Fz+WqodCrABn4qShd6qJYR8iP3S6fjN6PVpljMjrhsp /6yVc30C6c7P2b/mgWZi5iYC56lkegDs0VGfAW5HmosKjQVoYMjOtNo3 F+MGQw== +nlnetlabs.nl. 3600 IN DNSKEY 257 3 5 AQO6TtiOq7uZa8wHrQNUGT3ZXudaGjnbduUnyLw9WwiDEd8Vy1Ao4FVK 7xqEAFo4F5gOkdGr6Y7Xz0F+Z5e1AaQlvhBhjujvIhPZ5EIuNGkGUbRT YLhVX5OJUHMYdrXpGPdyG+V1TBTmxJ/+OmUdkWiT2J6w5XUpSYRB+p0k YwGf7uxPO/cDNp67fILtx1+dduS30B7QygOK+f7PeAZDcdBo2qsy5rnB sPsLhbEpdpWFs2WPTVo0IGYAER3nG6WZptiq8OYAb1K22K8i+j8+hDwv NRDMjWeVMebBZXbNQGkwsGgJsIsaoGfVOT3WdeJxDu9GqODM//mwZxTv O7StbOht +ENTRY_END + +; first entry; the www site +ENTRY_BEGIN +SECTION QUESTION +www.nlnetlabs.nl. IN A +SECTION ANSWER +www.nlnetlabs.nl. 600 IN A 213.154.224.1 +www.nlnetlabs.nl. 600 IN RRSIG A 5 3 600 20070912005003 20070815005003 18182 nlnetlabs.nl. hAF6ZARy1QIdBuPF5FbRqktIrSZO1z6WcTXvxJ8FhpPnk17ytkD+gus/ 7Ae7pA/Lpr2KyQveSHyjfyYlnFZ82lasF3hPGrmeE/+stl3dEnuBz3Vo f8+s9lwQ6eXf7UM4e0md5KFPMdre0F9hrom/+P4/AU2yteLmuXVP6drC tFM= +SECTION AUTHORITY +nlnetlabs.nl. 86400 IN NS open.nlnetlabs.nl. +nlnetlabs.nl. 86400 IN NS omval.tednet.nl. +nlnetlabs.nl. 86400 IN NS ns7.domain-registry.nl. +nlnetlabs.nl. 86400 IN RRSIG NS 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. 
XHtgh1xXm5rLRLW5eGsjMzoQdCP/GsL6Yqg6/Th5WHgwwbWQicdr7VFH Jhx4hssPtQZxc2Z34kERHTQndJ1mhefmI4qatDzZpGEmAuBTvWXC1JvR MprptlhncaqeV4jaK4P6OSd23lFIeoLl31glmcwl7a77IihaE6O57YRj WGo= +SECTION ADDITIONAL +ns7.domain-registry.nl. 17717 IN A 62.4.86.230 +open.nlnetlabs.nl. 600 IN A 213.154.224.1 +open.nlnetlabs.nl. 600 IN AAAA 2001:7b8:206:1::1 +open.nlnetlabs.nl. 600 IN AAAA 2001:7b8:206:1::53 +omval.tednet.nl. 28800 IN A 213.154.224.17 +omval.tednet.nl. 28800 IN AAAA 2001:7b8:206:1:200:39ff:fe59:b187 +open.nlnetlabs.nl. 600 IN RRSIG A 5 3 600 20070912005004 20070815005004 18182 nlnetlabs.nl. mit7SKO8i2b7rQ9E0chqJ25Lv4SYOfR6pdBGdtDrer6PLpASo72yaAlI wA232BS8Y1z8Mfrpo03li9c6FWB3tpUd8oRZyntcWRwvEwm6Q3mvpKN3 Ppsolcg+2fLDqSDyFqSw2jIPjrr2vlZfomRANwCce1N9UdD6aBgGpFQ+ DPE= +open.nlnetlabs.nl. 600 IN RRSIG AAAA 5 3 600 20070912005004 20070815005004 18182 nlnetlabs.nl. gGE8aCQHfLEDjJ5myimVH4ho+LzXBEa8K/BVAVJbwlfvh83XEFujjeEx rifIwxqWAG0gylCywcJdZdFhB0UHn+X9AVne9TaP9QMvvzoCLGu6h/UI Uy15K/wD4ezPjvaxG/7o6fs6m+QUUU8ZYK2HRYxf90XCkL/BlkBWcLLy Fjc= +ENTRY_END + + +; big zone apex +ENTRY_BEGIN +SECTION QUESTION +nlnetlabs.nl. IN ANY +SECTION ANSWER +nlnetlabs.nl. 18000 IN NSEC _sip._udp.nlnetlabs.nl. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY +nlnetlabs.nl. 18000 IN RRSIG NSEC 5 2 18000 20070912005004 20070815005004 18182 nlnetlabs.nl. fiCZX4X46rActlXXx8UrNwilCU6F+GiN6iVNmsAROoOcFVsV6EMbfQpR Z47XI2WHf0lmEjFcAQJbbIUlPPoMwSFeRHU9caSBkLPY7Da3rwTRDpQy nf28WwA90ZG8CxMyr0p2yIy4rd3qo7WItFvhaeFrZtovQDOx9gg92pAf SfM= +nlnetlabs.nl. 86400 IN A 213.154.224.1 +nlnetlabs.nl. 86400 IN RRSIG A 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. ZpLGyN5EUfMVOIgoLvy7axjk6fgdejFaElKiScNOx452GXwyvKRonU2K DBS+1cyxQg6nsEiq0PhIk+iOW5UdlBqyqVrNOzwItuWiQLqTFFVHjN16 DqiZGLvy7EiaTecbuq4oAQDkCYe/fy1d7if6q6POurYDjN2auRfOlo9Q JLw= +nlnetlabs.nl. 86400 IN NS ns7.domain-registry.nl. +nlnetlabs.nl. 86400 IN NS open.nlnetlabs.nl. +nlnetlabs.nl. 86400 IN NS omval.tednet.nl. +nlnetlabs.nl. 
86400 IN RRSIG NS 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. XHtgh1xXm5rLRLW5eGsjMzoQdCP/GsL6Yqg6/Th5WHgwwbWQicdr7VFH Jhx4hssPtQZxc2Z34kERHTQndJ1mhefmI4qatDzZpGEmAuBTvWXC1JvR MprptlhncaqeV4jaK4P6OSd23lFIeoLl31glmcwl7a77IihaE6O57YRj WGo= +nlnetlabs.nl. 86400 IN RRSIG SOA 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. LkiJYh+EV9vtH2a5Qzai1foMe60J+J5aioEvYwMrwAgi8OFPW/eiOhhC kDWXeCRXmmFaaImyzZQ2R1dA9Kz0Caar54fOEHQ63waYeODN+LAsewLx KLQBInTxFlH/eByFAOZmlO9+jutCLGBi2Tv/LL5T2XAfDMmcpzxgXDry ExQ= +nlnetlabs.nl. 86400 IN MX 50 open.nlnetlabs.nl. +nlnetlabs.nl. 86400 IN MX 100 omval.tednet.nl. +nlnetlabs.nl. 86400 IN RRSIG MX 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. CdrpaduVD2QNfY2ifjKTN+t6tUDJgfUZZRzmf3LcwwtBlwfC4tRT44WD 2537dqDVnf5h6+Ejp3qJef44lwPzYaUI+/IHsGkmg6v063fHygHQf1Qz v+oBL3d4vRm7IZz0U8JzHMKwYt/D88Dw5ojr9w6NyYr7eiKXbFRD5R7x YT0= +nlnetlabs.nl. 86400 IN TXT "Stichting NLnet Labs zone" +nlnetlabs.nl. 86400 IN RRSIG TXT 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. Ray47yu7XIgwdCRvC5Ik/0S10m8reHMuV4d0OGh/q7J5bLN8PsONLzuX ncFihPZW9ziLKCFfJu5zKCjYh/RDNwpztAAeGNmfV7e1+ZWvolFU9DIY oHYbINYKKTqhNaU/UMXDTjmnHujo+7llgfQH6muc5R5ftvBnMcPHHQBg ydw= +nlnetlabs.nl. 86400 IN AAAA 2001:7b8:206:1::1 +nlnetlabs.nl. 86400 IN RRSIG AAAA 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. Pw+xxoPe7UkfOML40UkSOmWFyRS4mSPcx6P37E6xLaJ4V9uYl5MldzRh NCBGtOYH7tPZUEIEqVCQU/G2jvP6643fLs7OwGMTFFZ/jSqo7ATdUzbk AMd1ewVAtMdpDRKqOPorsMFOsU6C7YB+pkvHTizfSMLsz23RI9kJqvXQ AgQ= +nlnetlabs.nl. 600 IN NAPTR 20 0 "s" "SIP+D2U" "" _sip._udp.nlnetlabs.nl. +nlnetlabs.nl. 600 IN RRSIG NAPTR 5 2 600 20070912005004 20070815005004 18182 nlnetlabs.nl. jhGLCeaBRFOiRMWtNgAW6tcU4x/2NQG3cnbedaCUE+vxMGFwLKQ7Y8HH sio7PAIbwl3WDzXcBnSoVXtpFQyHvyVA9PdWujq16HN2tRn3+FFRZmvz +eywRXlSQCdj4GmamjVb1MGA3deV19t/YGBetshcwQBxeT4/7p/yN0/T Zro= +nlnetlabs.nl. 
3600 IN DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ== +nlnetlabs.nl. 3600 IN DNSKEY 256 3 5 AQOpbYrUNahQAV5/wTCJ9/wbSM/eV+N+jYZAMmIKn6QF3Z57B6upgcjV HEOyFkA3YcIt5Fz+WqodCrABn4qShd6qJYR8iP3S6fjN6PVpljMjrhsp /6yVc30C6c7P2b/mgWZi5iYC56lkegDs0VGfAW5HmosKjQVoYMjOtNo3 F+MGQw== +nlnetlabs.nl. 3600 IN DNSKEY 257 3 5 AQO6TtiOq7uZa8wHrQNUGT3ZXudaGjnbduUnyLw9WwiDEd8Vy1Ao4FVK 7xqEAFo4F5gOkdGr6Y7Xz0F+Z5e1AaQlvhBhjujvIhPZ5EIuNGkGUbRT YLhVX5OJUHMYdrXpGPdyG+V1TBTmxJ/+OmUdkWiT2J6w5XUpSYRB+p0k YwGf7uxPO/cDNp67fILtx1+dduS30B7QygOK+f7PeAZDcdBo2qsy5rnB sPsLhbEpdpWFs2WPTVo0IGYAER3nG6WZptiq8OYAb1K22K8i+j8+hDwv NRDMjWeVMebBZXbNQGkwsGgJsIsaoGfVOT3WdeJxDu9GqODM//mwZxTv O7StbOht +nlnetlabs.nl. 3600 IN RRSIG DNSKEY 5 2 3600 20070912005004 20070815005004 18182 nlnetlabs.nl. ZBI75wWBme2zbhXevr6AMojVcLg5rSYb8osh6dxKKu92Gy2qJoOzYvjy YIn2NADmh5lMgPH836byoYlLnQ/SwAIkDgn+h7i8fTWA8mWynjl/sbK/ ojIMEKpvvLvp+o7vw09hjQfq8XAupj4oPE8Cbx7nQ9sSDPw1gED6x+si n6U= +nlnetlabs.nl. 3600 IN RRSIG DNSKEY 5 2 3600 20070912005004 20070815005004 36867 nlnetlabs.nl. JYLaHp/ORxrDE2wu/gsq8t5SDmwXudnTxXPg4+IHxvg0MiVBSPYeDtEr oZgHSE5sL+AgJ0PLpL8U/CKaMuv2xTbYJ1+tABZUpE1yxmjdF3p4VJuQ P+r2qkAbnr9b0w4Bt/gzlP5hmZcUA+E9g6uZdp2pjni0OD3mgB5EhilD GaVnVUi2P0d3MCPDkGsVgNl76JY4098bL1LXmn6oqV2MbAaim7z4nb67 /S0qLIxz8Dw605dFRMDd8tfjK/FD9PGxXc424GPRWeycd5fuuifu6aig hCcG3qtNHYCtMqHaMfw6C/LiyQFvQ7zrKzq6rqGbt5PWID76j/cd1OqV QKtuYA== +nlnetlabs.nl. 3600 IN RRSIG DNSKEY 5 2 3600 20070912005004 20070815005004 43791 nlnetlabs.nl. cNIuHTM6VpXpvpCjTaDLOVrzGQoNVXwJ2vcLbeNcuELeNMubpJ2hiLTG VorQbKM04t1HiJApf0BzkR5ke+9Mtoktm0/MvS1gW0lU2rqV5+7BhwTB Q6Q3QSYcgF/LUJp4neKjAKYNM4pwz4Tkg5AaurulCKfk5UZDE4JxCeCu zpI= +nlnetlabs.nl. 86400 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2007081500 28800 7200 604800 18000 +SECTION ADDITIONAL +open.nlnetlabs.nl. 600 IN A 213.154.224.1 +open.nlnetlabs.nl. 
600 IN AAAA 2001:7b8:206:1::1
+open.nlnetlabs.nl. 600 IN AAAA 2001:7b8:206:1::53
+johnny.nlnetlabs.nl. 600 IN A 213.154.224.44
+open.nlnetlabs.nl. 600 IN RRSIG A 5 3 600 20070912005004 20070815005004 18182 nlnetlabs.nl. mit7SKO8i2b7rQ9E0chqJ25Lv4SYOfR6pdBGdtDrer6PLpASo72yaAlI wA232BS8Y1z8Mfrpo03li9c6FWB3tpUd8oRZyntcWRwvEwm6Q3mvpKN3 Ppsolcg+2fLDqSDyFqSw2jIPjrr2vlZfomRANwCce1N9UdD6aBgGpFQ+ DPE=
+open.nlnetlabs.nl. 600 IN RRSIG AAAA 5 3 600 20070912005004 20070815005004 18182 nlnetlabs.nl. gGE8aCQHfLEDjJ5myimVH4ho+LzXBEa8K/BVAVJbwlfvh83XEFujjeEx rifIwxqWAG0gylCywcJdZdFhB0UHn+X9AVne9TaP9QMvvzoCLGu6h/UI Uy15K/wD4ezPjvaxG/7o6fs6m+QUUU8ZYK2HRYxf90XCkL/BlkBWcLLy Fjc=
+_sip._udp.nlnetlabs.nl. 600 IN RRSIG SRV 5 4 600 20070912005004 20070815005004 18182 nlnetlabs.nl. EY2l3CzYpfRBAKw76ztFvEiSWHVLjmcqpTHJ7vc5FgF1+ryV7Y0Z2Hdj LZYse2e6DZvll5aGmtpG9TWtOf3aBx53YIpDS6j3j438lrAgThJZ+heU 1Jfp7i0nHcfj3V86uo8q/2S4/y8fKNgmhgJeJLm5Il7/WARANVpnYeFS 9Ko=
+johnny.nlnetlabs.nl. 600 IN RRSIG A 5 3 600 20070912005004 20070815005004 18182 nlnetlabs.nl. DY30CLeeKAif9SSFRvC8hHpYrLa2FEtspL4ay0pHfujyLkebvOko6BBL pjfr7VWL+0MGAIOGtCOq37ouWKMmCEbONyPCwj2eC6P/Dlr+llqTwgW8 5430Yhww2K8GTFnMtBZhqIlITtfIRgK4d8CQOJtIqwJ2qrc9iavun1JK IWc=
+_sip._udp.nlnetlabs.nl. 600 IN SRV 0 0 5060 johnny.nlnetlabs.nl.
+ENTRY_END
diff --git a/util/net_help.h b/util/net_help.h
index 4847a55f8..6c7eff6ef 100644
--- a/util/net_help.h
+++ b/util/net_help.h
@@ -73,9 +73,9 @@
 #define INET6_SIZE 16
 /** DNSKEY zone sign key flag */
-#define DNSKEY_BIT_ZSK 0x10
+#define DNSKEY_BIT_ZSK 0x0100
 /** DNSKEY secure entry point, KSK flag */
-#define DNSKEY_BIT_SEP 0x01
+#define DNSKEY_BIT_SEP 0x0001
 /**
 * See if string is ip4 or ip6.
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 740362e95..ab115ec77 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
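Review bot: The new values of `DNSKEY_BIT_ZSK` and `DNSKEY_BIT_SEP` only work if the caller tests them against the DNSKEY flags field as a host-order 16-bit integer (RFC 4034 section 2.1: bit 7 is Zone Key, bit 15 is Secure Entry Point — the keys in testdata/test_signatures.1 carry flags 256 and 257, i.e. ZSK and ZSK|SEP under these masks), but nothing in the header says so, and the old `0x10`/`0x01` values show how easily the byte order goes wrong. I would record it on the defines, e.g. `/** DNSKEY zone sign key flag; mask for the 16-bit flags field in host order (after ntohs), RFC 4034 2.1 bit 7 */` above `DNSKEY_BIT_ZSK` and `/** DNSKEY secure entry point, KSK flag; same host-order flags field, bit 15 */` above `DNSKEY_BIT_SEP`.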
@@ -90,7 +90,7 @@ rrset_get_sig_keytag(struct ub_packed_rrset_key* k, size_t sig_idx)
 if(d->rr_len[d->count + sig_idx] < 2+18)
 return 0;
 memmove(&t, d->rr_data[d->count + sig_idx]+2+16, 2);
- return t;
+ return ntohs(t);
 }
 
 /**
@@ -671,6 +671,9 @@ canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j)
 if(i==j)
 return 0;
+ c = memcmp(d->rr_data[i], d->rr_data[j], 2);
+ if(c != 0)
+ return c;
 switch(type) {
 /* These RR types have only a name as RDATA.
@@ -967,7 +970,8 @@ rrset_canonical(struct region* region, ldns_buffer* buf,
 ldns_buffer_clear(buf);
 ldns_buffer_write(buf, sig, siglen);
- query_dname_tolower(sig+18); /* canonicalize signer name */
+ /* canonicalize signer name */
+ query_dname_tolower(ldns_buffer_begin(buf)+18);
 RBTREE_FOR(walk, struct canon_rr*, &sortree) {
 /* determine canonical owner name */
 if(can_owner)
@@ -1291,18 +1295,18 @@ dnskey_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 return sec_status_bogus;
 }
 /* verify keytag and sig algo (possibly again) */
- if((int)sig[2] != dnskey_get_algo(dnskey, dnskey_idx)) {
+ if((int)sig[2+2] != dnskey_get_algo(dnskey, dnskey_idx)) {
 verbose(VERB_ALGO, "verify: wrong algorithm");
 return sec_status_bogus;
 }
- ktag = dnskey_calc_keytag(dnskey, dnskey_idx);
- if(memcmp(sig+16, &ktag, 2) != 0) {
+ ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx));
+ if(memcmp(sig+2+16, &ktag, 2) != 0) {
 verbose(VERB_ALGO, "verify: wrong keytag");
 return sec_status_bogus;
 }
 /* verify labels is in a valid range */
- if((int)sig[3] > dname_signame_label_count(rrset->rk.dname)) {
+ if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) {
 verbose(VERB_ALGO, "verify: labelcount out of range");
 return sec_status_bogus;
 }
@@ -1310,7 +1314,7 @@ dnskey_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 /* original ttl, always ok */
 /* verify inception, expiration dates */
- if(!check_dates(ve, sig+8, sig+12)) {
+ if(!check_dates(ve, sig+2+8, sig+2+12)) {
 return sec_status_bogus;
 }
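Review bot: The new `memcmp(d->rr_data[i], d->rr_data[j], 2)` at the top of `canonical_compare` orders RRs by the first two bytes of `rr_data`, which — going by the `< 2+18` and `+2+16` offsets `rrset_get_sig_keytag` uses in the hunk above — is the RDATA length prefix, so RRs are sorted by RDATA length before the type-specific comparison in the `switch` ever looks at their content. RFC 4034 section 6.3 orders canonical RDATA as left-justified octet strings in which a missing octet sorts before a zero octet, so a shorter RDATA sorts first only when it is a prefix of the longer one; with this change an NS RRset holding `ns7.domain-registry.nl.`, `omval.tednet.nl.` and `open.nlnetlabs.nl.` (as in the test data) is canonicalized in a different order than the signer used, and its RRSIG would verify as bogus. The length belongs after the content comparison (compare the common prefix, then the lengths) inside the per-type branches, as the default branch presumably already does; `canonical_compare` starts and ends outside the hunk, and I am assuming `c` is declared there.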
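Review bot: The lowercasing at `query_dname_tolower(ldns_buffer_begin(buf)+18)` in `rrset_canonical` is not bounded by `siglen`: moving the work onto the scratch copy instead of the cached RRSIG RDATA is right, but if an RRSIG with fewer than 19 bytes of RDATA or an unterminated signer name could reach this point, the call would presumably read whatever `buf` held before `ldns_buffer_write`. I cannot see from the hunk whether the parser already rejects such RDATA; if it does, a comment such as `/* signer name length was validated when the RRSIG was parsed */` above the call would record the dependency, otherwise a `siglen > 18` check and a name walk bounded by `siglen - 18` are needed here. `rrset_canonical` starts and ends outside the hunk.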
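Review bot: The keytag check in `dnskey_verify_rrset_sig` now builds `ktag` with `htons()` and compares two raw bytes with `memcmp(sig+2+16, &ktag, 2)`, which is only correct if `ktag` is a `uint16_t`; its declaration is outside the hunk, and if it is an `int` the first two bytes of the object are zero on a big-endian host and every signature is rejected there. The hunk for `rrset_get_sig_keytag` at the top of this file already has the portable form (copy two bytes into a `uint16_t`, `ntohs`, compare integers), so `uint16_t t; memmove(&t, sig+2+16, 2); if(ntohs(t) != dnskey_calc_keytag(dnskey, dnskey_idx)) {` would remove the byte-order dependency here. The `2+2`, `2+3`, `2+8`, `2+12` and `2+16` offsets introduced in this hunk, in the hunk at `-1310`, and in the `verify_canonrrset` call at the end of the file all encode "skip the 2-byte length prefix, then the RFC 4034 section 3.1 field offset"; a comment saying so where `sig` is assigned, or advancing `sig` past the prefix once, would make that explicit. `dnskey_verify_rrset_sig` starts and ends outside the hunk.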
@@ -1329,6 +1333,6 @@ dnskey_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 }
 /* verify */
- return verify_canonrrset(env->scratch_buffer, (int)sig[2],
+ return verify_canonrrset(env->scratch_buffer, (int)sig[2+2],
 sigblock, sigblock_len, key, keylen);
 }