/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <config.h>
#if HAVE_CMOCKA
#include <stdarg.h>
#include <stddef.h>
#include <setjmp.h>
#include <sched.h> /* IWYU pragma: keep */
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>
#define UNIT_TESTING
#include <cmocka.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/util.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/tsig.h>
#include "dnstest.h"
#define TEST_ORIGIN "test"
static int
_setup(void **state) {
isc_result_t result;
UNUSED(state);
result = dns_test_begin(NULL, false);
assert_int_equal(result, ISC_R_SUCCESS);
return (0);
}
static int
_teardown(void **state) {
UNUSED(state);
dns_test_end();
return (0);
}
static int debug = 0;
static isc_result_t
add_mac(dst_context_t *tsigctx, isc_buffer_t *buf) {
dns_rdata_any_tsig_t tsig;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_buffer_t databuf;
isc_region_t r;
isc_result_t result;
unsigned char tsigbuf[1024];
isc_buffer_usedregion(buf, &r);
dns_rdata_fromregion(&rdata, dns_rdataclass_any,
dns_rdatatype_tsig, &r);
isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
CHECK(dns_rdata_tostruct(&rdata, &tsig, NULL));
isc_buffer_putuint16(&databuf, tsig.siglen);
isc_buffer_putmem(&databuf, tsig.signature, tsig.siglen);
isc_buffer_usedregion(&databuf, &r);
result = dst_context_adddata(tsigctx, &r);
dns_rdata_freestruct(&tsig);
cleanup:
return (result);
}
static isc_result_t
add_tsig(dst_context_t *tsigctx, dns_tsigkey_t *key, isc_buffer_t *target) {
dns_compress_t cctx;
dns_rdata_any_tsig_t tsig;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdatalist_t rdatalist;
dns_rdataset_t rdataset;
isc_buffer_t *dynbuf = NULL;
isc_buffer_t databuf;
isc_buffer_t sigbuf;
isc_region_t r;
isc_result_t result = ISC_R_SUCCESS;
isc_stdtime_t now;
unsigned char tsigbuf[1024];
unsigned int count;
unsigned int sigsize = 0;
bool invalidate_ctx = false;
memset(&tsig, 0, sizeof(tsig));
CHECK(dns_compress_init(&cctx, -1, mctx));
invalidate_ctx = true;
tsig.common.rdclass = dns_rdataclass_any;
tsig.common.rdtype = dns_rdatatype_tsig;
ISC_LINK_INIT(&tsig.common, link);
dns_name_init(&tsig.algorithm, NULL);
dns_name_clone(key->algorithm, &tsig.algorithm);
isc_stdtime_get(&now);
tsig.timesigned = now;
tsig.fudge = DNS_TSIG_FUDGE;
tsig.originalid = 50;
tsig.error = dns_rcode_noerror;
tsig.otherlen = 0;
tsig.other = NULL;
isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
isc_buffer_putuint48(&databuf, tsig.timesigned);
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_usedregion(&databuf, &r);
CHECK(dst_context_adddata(tsigctx, &r));
CHECK(dst_key_sigsize(key->key, &sigsize));
tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
if (tsig.signature == NULL) {
CHECK(ISC_R_NOMEMORY);
}
isc_buffer_init(&sigbuf, tsig.signature, sigsize);
CHECK(dst_context_sign(tsigctx, &sigbuf));
tsig.siglen = isc_buffer_usedlength(&sigbuf);
assert_int_equal(sigsize, tsig.siglen);
CHECK(isc_buffer_allocate(mctx, &dynbuf, 512));
CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_any,
dns_rdatatype_tsig, &tsig, dynbuf));
dns_rdatalist_init(&rdatalist);
rdatalist.rdclass = dns_rdataclass_any;
rdatalist.type = dns_rdatatype_tsig;
ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
dns_rdataset_init(&rdataset);
CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
CHECK(dns_rdataset_towire(&rdataset, &key->name, &cctx,
target, 0, &count));
/*
* Fixup additional record count.
*/
((unsigned char*)target->base)[11]++;
if (((unsigned char*)target->base)[11] == 0) {
((unsigned char*)target->base)[10]++;
}
cleanup:
if (tsig.signature != NULL) {
isc_mem_put(mctx, tsig.signature, sigsize);
}
if (dynbuf != NULL) {
isc_buffer_free(&dynbuf);
}
if (invalidate_ctx) {
dns_compress_invalidate(&cctx);
}
return (result);
}
static void
printmessage(dns_message_t *msg) {
isc_buffer_t b;
char *buf = NULL;
int len = 1024;
isc_result_t result = ISC_R_SUCCESS;
if (!debug) {
return;
}
do {
buf = isc_mem_get(mctx, len);
isc_buffer_init(&b, buf, len);
result = dns_message_totext(msg, &dns_master_style_debug,
0, &b);
if (result == ISC_R_NOSPACE) {
isc_mem_put(mctx, buf, len);
len *= 2;
} else if (result == ISC_R_SUCCESS) {
printf("%.*s\n", (int) isc_buffer_usedlength(&b), buf);
}
} while (result == ISC_R_NOSPACE);
if (buf != NULL) {
isc_mem_put(mctx, buf, len);
}
}
static void
render(isc_buffer_t *buf, unsigned flags, dns_tsigkey_t *key,
isc_buffer_t **tsigin, isc_buffer_t **tsigout,
dst_context_t *tsigctx)
{
dns_message_t *msg = NULL;
dns_compress_t cctx;
isc_result_t result;
result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &msg);
assert_int_equal(result, ISC_R_SUCCESS);
assert_non_null(msg);
msg->id = 50;
msg->rcode = dns_rcode_noerror;
msg->flags = flags;
/*
* XXXMPA: this hack needs to be replaced with use of
* dns_message_reply() at some point.
*/
if ((flags & DNS_MESSAGEFLAG_QR) != 0) {
msg->verified_sig = 1;
}
if (tsigin == tsigout) {
msg->tcp_continuation = 1;
}
if (tsigctx == NULL) {
result = dns_message_settsigkey(msg, key);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_message_setquerytsig(msg, *tsigin);
assert_int_equal(result, ISC_R_SUCCESS);
}
result = dns_compress_init(&cctx, -1, mctx);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_message_renderbegin(msg, &cctx, buf);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_message_renderend(msg);
assert_int_equal(result, ISC_R_SUCCESS);
if (tsigctx != NULL) {
isc_region_t r;
isc_buffer_usedregion(buf, &r);
result = dst_context_adddata(tsigctx, &r);
assert_int_equal(result, ISC_R_SUCCESS);
} else {
if (tsigin == tsigout && *tsigin != NULL) {
isc_buffer_free(tsigin);
}
result = dns_message_getquerytsig(msg, mctx, tsigout);
assert_int_equal(result, ISC_R_SUCCESS);
}
dns_compress_invalidate(&cctx);
dns_message_detach(&msg);
}
/*
* Test tsig tcp-continuation validation:
* Check that a simulated three message TCP sequence where the first
* and last messages contain TSIGs but the intermediate message doesn't
* correctly verifies.
*/
static void
tsig_tcp_test(void **state) {
dns_name_t *tsigowner = NULL;
dns_fixedname_t fkeyname;
dns_message_t *msg = NULL;
dns_name_t *keyname;
dns_tsig_keyring_t *ring = NULL;
dns_tsigkey_t *key = NULL;
isc_buffer_t *buf = NULL;
isc_buffer_t *querytsig = NULL;
isc_buffer_t *tsigin = NULL;
isc_buffer_t *tsigout = NULL;
isc_result_t result;
unsigned char secret[16] = { 0 };
dst_context_t *tsigctx = NULL;
dst_context_t *outctx = NULL;
UNUSED(state);
/* isc_log_setdebuglevel(lctx, 99); */
keyname = dns_fixedname_initname(&fkeyname);
result = dns_name_fromstring(keyname, "test", 0, NULL);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_tsigkeyring_create(mctx, &ring);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name,
secret, sizeof(secret), false,
NULL, 0, 0, mctx, ring, &key);
assert_int_equal(result, ISC_R_SUCCESS);
assert_non_null(key);
/*
* Create request.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
assert_int_equal(result, ISC_R_SUCCESS);
render(buf, 0, key, &tsigout, &querytsig, NULL);
isc_buffer_free(&buf);
/*
* Create response message 1.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
assert_int_equal(result, ISC_R_SUCCESS);
render(buf, DNS_MESSAGEFLAG_QR, key, &querytsig, &tsigout, NULL);
assert_non_null(tsigout);
/*
* Process response message 1.
*/
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
assert_int_equal(result, ISC_R_SUCCESS);
assert_non_null(msg);
result = dns_message_settsigkey(msg, key);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_message_parse(msg, buf, 0);
assert_int_equal(result, ISC_R_SUCCESS);
printmessage(msg);
result = dns_message_setquerytsig(msg, querytsig);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_tsig_verify(buf, msg, NULL, NULL);
assert_int_equal(result, ISC_R_SUCCESS);
assert_int_equal(msg->verified_sig, 1);
assert_int_equal(msg->tsigstatus, dns_rcode_noerror);
/*
* Check that we have a TSIG in the first message.
*/
assert_non_null(dns_message_gettsig(msg, &tsigowner));
result = dns_message_getquerytsig(msg, mctx, &tsigin);
assert_int_equal(result, ISC_R_SUCCESS);
tsigctx = msg->tsigctx;
msg->tsigctx = NULL;
isc_buffer_free(&buf);
dns_message_detach(&msg);
result = dst_context_create3(key->key, mctx, DNS_LOGCATEGORY_DNSSEC,
false, &outctx);
assert_int_equal(result, ISC_R_SUCCESS);
assert_non_null(outctx);
/*
* Start digesting.
*/
result = add_mac(outctx, tsigout);
assert_int_equal(result, ISC_R_SUCCESS);
/*
* Create response message 2.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
assert_int_equal(result, ISC_R_SUCCESS);
assert_int_equal(result, ISC_R_SUCCESS);
render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
/*
* Process response message 2.
*/
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
assert_int_equal(result, ISC_R_SUCCESS);
assert_non_null(msg);
msg->tcp_continuation = 1;
msg->tsigctx = tsigctx;
tsigctx = NULL;
result = dns_message_settsigkey(msg, key);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_message_parse(msg, buf, 0);
assert_int_equal(result, ISC_R_SUCCESS);
printmessage(msg);
result = dns_message_setquerytsig(msg, tsigin);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_tsig_verify(buf, msg, NULL, NULL);
assert_int_equal(result, ISC_R_SUCCESS);
assert_int_equal(msg->verified_sig, 0);
assert_int_equal(msg->tsigstatus, dns_rcode_noerror);
/*
* Check that we don't have a TSIG in the second message.
*/
tsigowner = NULL;
assert_true(dns_message_gettsig(msg, &tsigowner) == NULL);
tsigctx = msg->tsigctx;
msg->tsigctx = NULL;
isc_buffer_free(&buf);
dns_message_detach(&msg);
/*
* Create response message 3.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
assert_int_equal(result, ISC_R_SUCCESS);
render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
result = add_tsig(outctx, key, buf);
assert_int_equal(result, ISC_R_SUCCESS);
/*
* Process response message 3.
*/
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
assert_int_equal(result, ISC_R_SUCCESS);
assert_non_null(msg);
msg->tcp_continuation = 1;
msg->tsigctx = tsigctx;
tsigctx = NULL;
result = dns_message_settsigkey(msg, key);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_message_parse(msg, buf, 0);
assert_int_equal(result, ISC_R_SUCCESS);
printmessage(msg);
/*
* Check that we had a TSIG in the third message.
*/
assert_non_null(dns_message_gettsig(msg, &tsigowner));
result = dns_message_setquerytsig(msg, tsigin);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_tsig_verify(buf, msg, NULL, NULL);
assert_int_equal(result, ISC_R_SUCCESS);
assert_int_equal(msg->verified_sig, 1);
assert_int_equal(msg->tsigstatus, dns_rcode_noerror);
if (tsigin != NULL) {
isc_buffer_free(&tsigin);
}
result = dns_message_getquerytsig(msg, mctx, &tsigin);
assert_int_equal(result, ISC_R_SUCCESS);
isc_buffer_free(&buf);
dns_message_detach(&msg);
if (outctx != NULL) {
dst_context_destroy(&outctx);
}
if (querytsig != NULL) {
isc_buffer_free(&querytsig);
}
if (tsigin != NULL) {
isc_buffer_free(&tsigin);
}
if (tsigout != NULL) {
isc_buffer_free(&tsigout);
}
dns_tsigkey_detach(&key);
if (ring != NULL) {
dns_tsigkeyring_detach(&ring);
}
}
int
main(void) {
const struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(tsig_tcp_test,
_setup, _teardown),
};
return (cmocka_run_group_tests(tests, dns_test_init, dns_test_final));
}
#else /* HAVE_CMOCKA */
#include <stdio.h>
int
main(void) {
printf("1..0 # Skipped: cmocka not available\n");
return (0);
}
#endif