unitverify.c revision 1.1.1.2.2.1
1 /* 2 * testcode/unitverify.c - unit test for signature verification routines. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 * 35 */ 36 /** 37 * \file 38 * Calls verification unit tests. Exits with code 1 on a failure. 39 */ 40 41 #include "config.h" 42 #include "util/log.h" 43 #include "testcode/unitmain.h" 44 #include "validator/val_sigcrypt.h" 45 #include "validator/val_secalgo.h" 46 #include "validator/val_nsec.h" 47 #include "validator/val_nsec3.h" 48 #include "validator/validator.h" 49 #include "testcode/testpkts.h" 50 #include "util/data/msgreply.h" 51 #include "util/data/msgparse.h" 52 #include "util/data/dname.h" 53 #include "util/regional.h" 54 #include "util/alloc.h" 55 #include "util/rbtree.h" 56 #include "util/net_help.h" 57 #include "util/module.h" 58 #include "util/config_file.h" 59 #include "sldns/sbuffer.h" 60 #include "sldns/keyraw.h" 61 #include "sldns/str2wire.h" 62 #include "sldns/wire2str.h" 63 64 /** verbose signature test */ 65 static int vsig = 0; 66 67 /** entry to packet buffer with wireformat */ 68 static void 69 entry_to_buf(struct entry* e, sldns_buffer* pkt) 70 { 71 unit_assert(e->reply_list); 72 if(e->reply_list->reply_from_hex) { 73 sldns_buffer_copy(pkt, e->reply_list->reply_from_hex); 74 } else { 75 sldns_buffer_clear(pkt); 76 sldns_buffer_write(pkt, e->reply_list->reply_pkt, 77 e->reply_list->reply_len); 78 sldns_buffer_flip(pkt); 79 } 80 } 81 82 /** entry to reply info conversion */ 83 static void 84 entry_to_repinfo(struct entry* e, struct alloc_cache* alloc, 85 struct regional* region, sldns_buffer* pkt, struct query_info* qi, 86 struct reply_info** rep) 87 { 88 int ret; 89 struct edns_data edns; 90 entry_to_buf(e, pkt); 91 /* lock alloc lock to please lock checking software. 92 * alloc_special_obtain assumes it is talking to a ub-alloc, 93 * and does not need to perform locking. Here the alloc is 94 * the only one, so we lock it here */ 95 lock_quick_lock(&alloc->lock); 96 ret = reply_info_parse(pkt, alloc, qi, rep, region, &edns); 97 lock_quick_unlock(&alloc->lock); 98 if(ret != 0) { 99 char rcode[16]; 100 sldns_wire2str_rcode_buf(ret, rcode, sizeof(rcode)); 101 printf("parse code %d: %s\n", ret, rcode); 102 unit_assert(ret != 0); 103 } 104 } 105 106 /** extract DNSKEY rrset from answer and convert it */ 107 static struct ub_packed_rrset_key* 108 extract_keys(struct entry* e, struct alloc_cache* alloc, 109 struct regional* region, sldns_buffer* pkt) 110 { 111 struct ub_packed_rrset_key* dnskey = NULL; 112 struct query_info qinfo; 113 struct reply_info* rep = NULL; 114 size_t i; 115 116 entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep); 117 for(i=0; i<rep->an_numrrsets; i++) { 118 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DNSKEY) { 119 dnskey = rep->rrsets[i]; 120 rep->rrsets[i] = NULL; 121 break; 122 } 123 } 124 unit_assert(dnskey); 125 126 reply_info_parsedelete(rep, alloc); 127 query_info_clear(&qinfo); 128 return dnskey; 129 } 130 131 /** return true if answer should be bogus */ 132 static int 133 should_be_bogus(struct ub_packed_rrset_key* rrset, struct query_info* qinfo) 134 { 135 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 136 entry.data; 137 if(d->rrsig_count == 0) 138 return 1; 139 /* name 'bogus' as first label signals bogus */ 140 if(rrset->rk.dname_len > 6 && memcmp(rrset->rk.dname+1, "bogus", 5)==0) 141 return 1; 142 if(qinfo->qname_len > 6 && memcmp(qinfo->qname+1, "bogus", 5)==0) 143 return 1; 144 return 0; 145 } 146 147 /** return number of rrs in an rrset */ 148 static size_t 149 rrset_get_count(struct ub_packed_rrset_key* rrset) 150 { 151 struct packed_rrset_data* d = (struct packed_rrset_data*) 152 rrset->entry.data; 153 if(!d) return 0; 154 return d->count; 155 } 156 157 /** setup sig alg list from dnskey */ 158 static void 159 setup_sigalg(struct ub_packed_rrset_key* dnskey, uint8_t* sigalg) 160 { 161 uint8_t a[ALGO_NEEDS_MAX]; 162 size_t i, n = 0; 163 memset(a, 0, sizeof(a)); 164 for(i=0; i<rrset_get_count(dnskey); i++) { 165 uint8_t algo = (uint8_t)dnskey_get_algo(dnskey, i); 166 if(a[algo] == 0) { 167 a[algo] = 1; 168 sigalg[n++] = algo; 169 } 170 } 171 sigalg[n] = 0; 172 } 173 174 /** verify and test one rrset against the key rrset */ 175 static void 176 verifytest_rrset(struct module_env* env, struct val_env* ve, 177 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 178 struct query_info* qinfo) 179 { 180 enum sec_status sec; 181 char* reason = NULL; 182 uint8_t sigalg[ALGO_NEEDS_MAX+1]; 183 if(vsig) { 184 log_nametypeclass(VERB_QUERY, "verify of rrset", 185 rrset->rk.dname, ntohs(rrset->rk.type), 186 ntohs(rrset->rk.rrset_class)); 187 } 188 setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */ 189 /* ok to give null as qstate here, won't be used for answer section. */ 190 sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason, 191 LDNS_SECTION_ANSWER, NULL); 192 if(vsig) { 193 printf("verify outcome is: %s %s\n", sec_status_to_string(sec), 194 reason?reason:""); 195 } 196 if(should_be_bogus(rrset, qinfo)) { 197 unit_assert(sec == sec_status_bogus); 198 } else { 199 unit_assert(sec == sec_status_secure); 200 } 201 } 202 203 /** verify and test an entry - every rr in the message */ 204 static void 205 verifytest_entry(struct entry* e, struct alloc_cache* alloc, 206 struct regional* region, sldns_buffer* pkt, 207 struct ub_packed_rrset_key* dnskey, struct module_env* env, 208 struct val_env* ve) 209 { 210 struct query_info qinfo; 211 struct reply_info* rep = NULL; 212 size_t i; 213 214 regional_free_all(region); 215 if(vsig) { 216 char* s = sldns_wire2str_pkt(e->reply_list->reply_pkt, 217 e->reply_list->reply_len); 218 printf("verifying pkt:\n%s\n", s?s:"outofmemory"); 219 free(s); 220 } 221 entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep); 222 223 for(i=0; i<rep->rrset_count; i++) { 224 verifytest_rrset(env, ve, rep->rrsets[i], dnskey, &qinfo); 225 } 226 227 reply_info_parsedelete(rep, alloc); 228 query_info_clear(&qinfo); 229 } 230 231 /** find RRset in reply by type */ 232 static struct ub_packed_rrset_key* 233 find_rrset_type(struct reply_info* rep, uint16_t type) 234 { 235 size_t i; 236 for(i=0; i<rep->rrset_count; i++) { 237 if(ntohs(rep->rrsets[i]->rk.type) == type) 238 return rep->rrsets[i]; 239 } 240 return NULL; 241 } 242 243 /** DS sig test an entry - get DNSKEY and DS in entry and verify */ 244 static void 245 dstest_entry(struct entry* e, struct alloc_cache* alloc, 246 struct regional* region, sldns_buffer* pkt, struct module_env* env) 247 { 248 struct query_info qinfo; 249 struct reply_info* rep = NULL; 250 struct ub_packed_rrset_key* ds, *dnskey; 251 int ret; 252 253 regional_free_all(region); 254 if(vsig) { 255 char* s = sldns_wire2str_pkt(e->reply_list->reply_pkt, 256 e->reply_list->reply_len); 257 printf("verifying DS-DNSKEY match:\n%s\n", s?s:"outofmemory"); 258 free(s); 259 } 260 entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep); 261 ds = find_rrset_type(rep, LDNS_RR_TYPE_DS); 262 dnskey = find_rrset_type(rep, LDNS_RR_TYPE_DNSKEY); 263 /* check test is OK */ 264 unit_assert(ds && dnskey); 265 266 ret = ds_digest_match_dnskey(env, dnskey, 0, ds, 0); 267 if(strncmp((char*)qinfo.qname, "\003yes", 4) == 0) { 268 if(vsig) { 269 printf("result(yes)= %s\n", ret?"yes":"no"); 270 } 271 unit_assert(ret); 272 } else if (strncmp((char*)qinfo.qname, "\002no", 3) == 0) { 273 if(vsig) { 274 printf("result(no)= %s\n", ret?"yes":"no"); 275 } 276 unit_assert(!ret); 277 verbose(VERB_QUERY, "DS fail: OK; matched unit test"); 278 } else { 279 fatal_exit("Bad qname in DS unit test, yes or no"); 280 } 281 282 reply_info_parsedelete(rep, alloc); 283 query_info_clear(&qinfo); 284 } 285 286 /** verify from a file */ 287 static void 288 verifytest_file(const char* fname, const char* at_date) 289 { 290 /* 291 * The file contains a list of ldns-testpkts entries. 292 * The first entry must be a query for DNSKEY. 293 * The answer rrset is the keyset that will be used for verification 294 */ 295 struct ub_packed_rrset_key* dnskey; 296 struct regional* region = regional_create(); 297 struct alloc_cache alloc; 298 sldns_buffer* buf = sldns_buffer_new(65535); 299 struct entry* e; 300 struct entry* list = read_datafile(fname, 1); 301 struct module_env env; 302 struct val_env ve; 303 time_t now = time(NULL); 304 unit_show_func("signature verify", fname); 305 306 if(!list) 307 fatal_exit("could not read %s: %s", fname, strerror(errno)); 308 alloc_init(&alloc, NULL, 1); 309 memset(&env, 0, sizeof(env)); 310 memset(&ve, 0, sizeof(ve)); 311 env.scratch = region; 312 env.scratch_buffer = buf; 313 env.now = &now; 314 ve.date_override = cfg_convert_timeval(at_date); 315 unit_assert(region && buf); 316 dnskey = extract_keys(list, &alloc, region, buf); 317 if(vsig) log_nametypeclass(VERB_QUERY, "test dnskey", 318 dnskey->rk.dname, ntohs(dnskey->rk.type), 319 ntohs(dnskey->rk.rrset_class)); 320 /* ready to go! */ 321 for(e = list->next; e; e = e->next) { 322 verifytest_entry(e, &alloc, region, buf, dnskey, &env, &ve); 323 } 324 325 ub_packed_rrset_parsedelete(dnskey, &alloc); 326 delete_entry(list); 327 regional_destroy(region); 328 alloc_clear(&alloc); 329 sldns_buffer_free(buf); 330 } 331 332 /** verify DS matches DNSKEY from a file */ 333 static void 334 dstest_file(const char* fname) 335 { 336 /* 337 * The file contains a list of ldns-testpkts entries. 338 * The first entry must be a query for DNSKEY. 339 * The answer rrset is the keyset that will be used for verification 340 */ 341 struct regional* region = regional_create(); 342 struct alloc_cache alloc; 343 sldns_buffer* buf = sldns_buffer_new(65535); 344 struct entry* e; 345 struct entry* list = read_datafile(fname, 1); 346 struct module_env env; 347 unit_show_func("DS verify", fname); 348 349 if(!list) 350 fatal_exit("could not read %s: %s", fname, strerror(errno)); 351 alloc_init(&alloc, NULL, 1); 352 memset(&env, 0, sizeof(env)); 353 env.scratch = region; 354 env.scratch_buffer = buf; 355 unit_assert(region && buf); 356 357 /* ready to go! */ 358 for(e = list; e; e = e->next) { 359 dstest_entry(e, &alloc, region, buf, &env); 360 } 361 362 delete_entry(list); 363 regional_destroy(region); 364 alloc_clear(&alloc); 365 sldns_buffer_free(buf); 366 } 367 368 /** helper for unittest of NSEC routines */ 369 static int 370 unitest_nsec_has_type_rdata(char* bitmap, size_t len, uint16_t type) 371 { 372 return nsecbitmap_has_type_rdata((uint8_t*)bitmap, len, type); 373 } 374 375 /** Test NSEC type bitmap routine */ 376 static void 377 nsectest(void) 378 { 379 /* bitmap starts at type bitmap rdata field */ 380 /* from rfc 4034 example */ 381 char* bitmap = "\000\006\100\001\000\000\000\003" 382 "\004\033\000\000\000\000\000\000" 383 "\000\000\000\000\000\000\000\000" 384 "\000\000\000\000\000\000\000\000" 385 "\000\000\000\000\040"; 386 size_t len = 37; 387 388 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 0)); 389 unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_A)); 390 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 2)); 391 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 3)); 392 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 4)); 393 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 5)); 394 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 6)); 395 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 7)); 396 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 8)); 397 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 9)); 398 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 10)); 399 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 11)); 400 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 12)); 401 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 13)); 402 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 14)); 403 unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_MX)); 404 unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_RRSIG)); 405 unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_NSEC)); 406 unit_assert(unitest_nsec_has_type_rdata(bitmap, len, 1234)); 407 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1233)); 408 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1235)); 409 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1236)); 410 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1237)); 411 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1238)); 412 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1239)); 413 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1240)); 414 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 2230)); 415 } 416 417 /** Test hash algo - NSEC3 hash it and compare result */ 418 static void 419 nsec3_hash_test_entry(struct entry* e, rbtree_type* ct, 420 struct alloc_cache* alloc, struct regional* region, 421 sldns_buffer* buf) 422 { 423 struct query_info qinfo; 424 struct reply_info* rep = NULL; 425 struct ub_packed_rrset_key* answer, *nsec3; 426 struct nsec3_cached_hash* hash = NULL; 427 int ret; 428 uint8_t* qname; 429 430 if(vsig) { 431 char* s = sldns_wire2str_pkt(e->reply_list->reply_pkt, 432 e->reply_list->reply_len); 433 printf("verifying NSEC3 hash:\n%s\n", s?s:"outofmemory"); 434 free(s); 435 } 436 entry_to_repinfo(e, alloc, region, buf, &qinfo, &rep); 437 nsec3 = find_rrset_type(rep, LDNS_RR_TYPE_NSEC3); 438 answer = find_rrset_type(rep, LDNS_RR_TYPE_AAAA); 439 qname = regional_alloc_init(region, qinfo.qname, qinfo.qname_len); 440 /* check test is OK */ 441 unit_assert(nsec3 && answer && qname); 442 443 ret = nsec3_hash_name(ct, region, buf, nsec3, 0, qname, 444 qinfo.qname_len, &hash); 445 if(ret != 1) { 446 printf("Bad nsec3_hash_name retcode %d\n", ret); 447 unit_assert(ret == 1); 448 } 449 unit_assert(hash->dname && hash->hash && hash->hash_len && 450 hash->b32 && hash->b32_len); 451 unit_assert(hash->b32_len == (size_t)answer->rk.dname[0]); 452 /* does not do lowercasing. */ 453 unit_assert(memcmp(hash->b32, answer->rk.dname+1, hash->b32_len) 454 == 0); 455 456 reply_info_parsedelete(rep, alloc); 457 query_info_clear(&qinfo); 458 } 459 460 461 /** Read file to test NSEC3 hash algo */ 462 static void 463 nsec3_hash_test(const char* fname) 464 { 465 /* 466 * The list contains a list of ldns-testpkts entries. 467 * Every entry is a test. 468 * The qname is hashed. 469 * The answer section AAAA RR name is the required result. 470 * The auth section NSEC3 is used to get hash parameters. 471 * The hash cache is maintained per file. 472 * 473 * The test does not perform canonicalization during the compare. 474 */ 475 rbtree_type ct; 476 struct regional* region = regional_create(); 477 struct alloc_cache alloc; 478 sldns_buffer* buf = sldns_buffer_new(65535); 479 struct entry* e; 480 struct entry* list = read_datafile(fname, 1); 481 unit_show_func("NSEC3 hash", fname); 482 483 if(!list) 484 fatal_exit("could not read %s: %s", fname, strerror(errno)); 485 rbtree_init(&ct, &nsec3_hash_cmp); 486 alloc_init(&alloc, NULL, 1); 487 unit_assert(region && buf); 488 489 /* ready to go! */ 490 for(e = list; e; e = e->next) { 491 nsec3_hash_test_entry(e, &ct, &alloc, region, buf); 492 } 493 494 delete_entry(list); 495 regional_destroy(region); 496 alloc_clear(&alloc); 497 sldns_buffer_free(buf); 498 } 499 500 void 501 verify_test(void) 502 { 503 unit_show_feature("signature verify"); 504 #ifdef USE_SHA1 505 verifytest_file("testdata/test_signatures.1", "20070818005004"); 506 #endif 507 #if defined(USE_DSA) && defined(USE_SHA1) 508 verifytest_file("testdata/test_signatures.2", "20080414005004"); 509 verifytest_file("testdata/test_signatures.3", "20080416005004"); 510 verifytest_file("testdata/test_signatures.4", "20080416005004"); 511 verifytest_file("testdata/test_signatures.5", "20080416005004"); 512 verifytest_file("testdata/test_signatures.6", "20080416005004"); 513 verifytest_file("testdata/test_signatures.7", "20070829144150"); 514 #endif /* USE_DSA */ 515 #ifdef USE_SHA1 516 verifytest_file("testdata/test_signatures.8", "20070829144150"); 517 #endif 518 #if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2) 519 verifytest_file("testdata/test_sigs.rsasha256", "20070829144150"); 520 # ifdef USE_SHA1 521 verifytest_file("testdata/test_sigs.sha1_and_256", "20070829144150"); 522 # endif 523 verifytest_file("testdata/test_sigs.rsasha256_draft", "20090101000000"); 524 #endif 525 #if (defined(HAVE_EVP_SHA512) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2) 526 verifytest_file("testdata/test_sigs.rsasha512_draft", "20070829144150"); 527 verifytest_file("testdata/test_signatures.9", "20171215000000"); 528 #endif 529 #ifdef USE_SHA1 530 verifytest_file("testdata/test_sigs.hinfo", "20090107100022"); 531 verifytest_file("testdata/test_sigs.revoked", "20080414005004"); 532 #endif 533 #ifdef USE_GOST 534 if(sldns_key_EVP_load_gost_id()) 535 verifytest_file("testdata/test_sigs.gost", "20090807060504"); 536 else printf("Warning: skipped GOST, openssl does not provide gost.\n"); 537 #endif 538 #ifdef USE_ECDSA 539 /* test for support in case we use libNSS and ECC is removed */ 540 if(dnskey_algo_id_is_supported(LDNS_ECDSAP256SHA256)) { 541 verifytest_file("testdata/test_sigs.ecdsa_p256", "20100908100439"); 542 verifytest_file("testdata/test_sigs.ecdsa_p384", "20100908100439"); 543 } 544 dstest_file("testdata/test_ds.sha384"); 545 #endif 546 #ifdef USE_ED25519 547 if(dnskey_algo_id_is_supported(LDNS_ED25519)) { 548 verifytest_file("testdata/test_sigs.ed25519", "20170530140439"); 549 } 550 #endif 551 #ifdef USE_ED448 552 if(dnskey_algo_id_is_supported(LDNS_ED448)) { 553 verifytest_file("testdata/test_sigs.ed448", "20180408143630"); 554 } 555 #endif 556 #ifdef USE_SHA1 557 dstest_file("testdata/test_ds.sha1"); 558 #endif 559 nsectest(); 560 nsec3_hash_test("testdata/test_nsec3_hash.1"); 561 } 562
Indexes created Mon Mar 02 05:31:46 UTC 2026