keytable_test.c revision 0c27b3fe77ac1d5094ba3521e8142d9e7973133f
/*
* Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/*! \file */
#include <config.h>
#include <atf-c.h>
#include <unistd.h>
#include <stdio.h>
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#include <dns/fixedname.h>
#include <dns/keytable.h>
#include <dns/rdataclass.h>
#include <dns/rdatastruct.h>
#include "dnstest.h"
static const char *keystr1 = "BQEAAAABok+vaUC9neRv8yeT/FEGgN7svR8s7VBUVSBd8NsAiV8AlaAg O5FHar3JQd95i/puZos6Vi6at9/JBbN8qVmO2AuiXxVqfxMKxIcy+LEB 0Vw4NaSJ3N3uaVREso6aTSs98H/25MjcwLOr7SFfXA7bGhZatLtYY/xu kp6Km5hMfkE=";
static const char *keystr2 = "BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=";
/*
* Test utilities. In general, these assume input parameters are valid
* (checking with ATF_REQUIRE_EQ, thus aborting if not) and unlikely run time
* errors (such as memory allocation failure) won't happen. This helps keep
* the test code concise.
*/
/*
* Utility to convert C-string to dns_name_t. Return a pointer to
* static data, and so is not thread safe.
*/
static dns_name_t *
static dns_fixedname_t fname;
static dns_name_t *name;
static isc_buffer_t namebuf;
void *deconst_namestr;
NULL), ISC_R_SUCCESS);
return (name);
}
static void
{
unsigned char keydata[4096];
unsigned char rrdata[4096];
isc_region_t r;
isc_buffer_usedregion(&keydatabuf, &r);
}
/* Common setup: create a keytable and ntatable to test with a few keys */
static void
create_tables() {
&ntatable), ISC_R_SUCCESS);
/* Add a normal key */
/* Add a null key */
str2name("null.example")),
/* Add a negative trust anchor, duration 1 hour */
str2name("insecure.example"),
}
static void
destroy_tables() {
}
/*
* Individual unit tests
*/
}
/*
* Get the keynode for the example.com key. There's no other key for
* the name, so nextkeynode() should return NOTFOUND.
*/
&keynode), ISC_R_SUCCESS);
/*
* Try to add the same key. This should have no effect, so
* nextkeynode() should still return NOTFOUND.
*/
/* Add another key (different keydata) */
&keynode), ISC_R_SUCCESS);
/*
* Add a normal key to a name that has a null key. The null key node
* will be updated with the normal key.
*/
&keynode), ISC_R_SUCCESS);
/*
* Try to add a null key to a name that already has a key. It's
* effectively no-op, so the same key node is still there, with no
* no next node.
* (Note: this and above checks confirm that if a name has a null key
* that's the only key for the name).
*/
str2name("null.example")),
dns_test_end();
}
}
/* dns_keytable_delete requires exact match */
/* works also for nodes with a null key */
/* or a negative trust anchor */
str2name("insecure.example")),
dns_test_end();
}
}
/* key name doesn't match */
dst_key_free(&key);
/* subdomain match is the same as no match */
dst_key_free(&key);
/* name matches but key doesn't match (resulting in PARTIALMATCH) */
dst_key_free(&key);
/*
* exact match. after deleting the node the internal rbt node will be
* empty, and any delete or deletekeynode attempt should result in
* NOTFOUND.
*/
dst_key_free(&key);
/*
* A null key node for a name is not deleted when searched by key;
* it must be deleted by dns_keytable_delete()
*/
dst_key_free(&key);
dns_test_end();
}
}
/*
* dns_keytable_find() requires exact name match. It matches node
* that has a null key, too. But it doesn't match a negative trust
* anchor.
*/
&keynode), ISC_R_NOTFOUND);
&keynode), ISC_R_NOTFOUND);
&keynode), ISC_R_SUCCESS);
&keynode), ISC_R_SUCCESS);
&keynode), ISC_R_NOTFOUND);
/*
* dns_keytable_finddeepestmatch() allows partial match. Also match
* nodes with a null key or a negative trust anchor.
*/
name), ISC_R_SUCCESS);
str2name("s.example.com"),
name), ISC_R_SUCCESS);
str2name("example.org"),
name), ISC_R_NOTFOUND);
str2name("null.example"),
name), ISC_R_SUCCESS);
ISC_TRUE);
/*
* dns_keytable_findkeynode() requires exact name, algorithm, keytag
* match. If algorithm or keytag doesn't match, should result in
* PARTIALMATCH. Same for a node with a null key or a negative trust
* anchor.
*/
str2name("example.org"),
str2name("sub.example.com"),
DNS_R_PARTIALMATCH); /* different algorithm */
DNS_R_PARTIALMATCH); /* different keytag */
str2name("null.example"),
5, 0, &keynode),
DNS_R_PARTIALMATCH); /* null key */
ISC_R_SUCCESS); /* complete match */
dns_test_end();
}
}
const char **n;
/*
* Domains that are an exact or partial match of a key name are
* considered secure. It's the case even if the key is null
* (validation will then fail, but that's actually the intended effect
* of installing a null key).
*/
str2name(*n),
NULL,
&issecure),
}
/*
* Domains that are an exact or partial match of a negative trust
* anchor are considered insecure.
*/
str2name("insecure.example"),
NULL,
&issecure),
dns_test_end();
}
}
/*
* Right now, we only confirm the dump attempt doesn't cause disruption
* (so we don't check the dump content).
*/
dns_test_end();
}
}
str2name("insecure.example"),
/* Should be secure */
/* Should not be secure */
str2name("test.insecure.example"),
/* NTA covered */
/* Not NTA covered */
/* As of now + 2, the NTA should be clear */
str2name("test.insecure.example"),
/* Now check deletion */
/* Clean up */
dns_test_end();
}
#else
}
atf_tc_skip("DNSSEC not available");
}
#endif
/*
* Main
*/
ATF_TP_ADD_TCS(tp) {
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#else
#endif
return (atf_no_error());
}