# $Id: 22-TSIG-verify.t 1474 2016-04-12 13:21:25Z willem $ -*-perl-*-
use strict;
use Test::More;
use Net::DNS;
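# Modules this test needs at run time. If any one of them cannot be loaded
# the whole file is skipped (plan skip_all) instead of being reported as failed.
my @prerequisite = qw(
        Digest::HMAC
        Digest::MD5
        Digest::SHA
        MIME::Base64
        );

foreach my $package (@prerequisite) {
    # Load by file name inside a block eval rather than compiling a string.
    # The names are constants from the list above, so nothing untrusted was
    # being evaluated, but this keeps string eval out of the file entirely.
    ( my $module_file = "$package.pm" ) =~ s{::}{/}g;
    next if eval { require $module_file };
    plan skip_all => "$package not installed";
    exit;
}

# Fixed plan: the count has to match the number of ok()/is() calls below.
plan tests => 28;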
# Reference TSIG record; only its class name is kept, so that later
# assertions can compare it with ref() of what sign_tsig()/verify() return.
my $tsig  = Net::DNS::RR->new( type => 'TSIG' );
my $class = ref $tsig;
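# Throw-away HMAC-SHA1 key in the "Private-key-format: v1.2" layout, written
# to the current directory for sign_tsig() and unlinked when the script exits.
# NOTE(review): the file is created under the process's default umask. That is
# fine for this fixed test vector; a real TSIG secret should be owner-only.
my $privatekey = 'Khmac-sha1.example.+161+39562.private';
END { unlink($privatekey) if defined $privatekey; }

{
    # Three-argument open with a lexical handle: the mode can never be taken
    # from the file name, and the handle does not leak into package scope.
    open( my $keyfile, '>', $privatekey ) or die "$privatekey $!";
    print {$keyfile} <<'END';
Private-key-format: v1.2
Algorithm: 161 (HMAC_SHA1)
Key: xdX9m8UtQNbJUzUgQ4xDtUNZAmU=
END

    # Buffered write errors only surface at close, so check it as well.
    close($keyfile) or die "$privatekey $!";
}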
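# Second throw-away key, stored as a KEY record for algorithm 157 (HMAC-MD5).
# Later blocks use it as the mismatching key and for the malformed-MAC cases.
# NOTE(review): despite the variable name, a KEY record for an HMAC algorithm
# carries the shared secret itself, so for a real key this file would be as
# sensitive as a private-key file. It is written under the default umask and
# unlinked when the script exits.
my $publickey = 'Khmac-md5.example.+157+53335.key';
END { unlink($publickey) if defined $publickey; }

{
    # Three-argument open with a lexical handle: the mode can never be taken
    # from the file name, and the handle does not leak into package scope.
    open( my $keyfile, '>', $publickey ) or die "$publickey $!";
    print {$keyfile} <<'END';
HMAC-MD5.example. IN KEY 512 3 157 ARDJZgtuTDzAWeSGYPAu9uJUkX0=
END

    # Buffered write errors only surface at close, so check it as well.
    close($keyfile) or die "$publickey $!";
}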
{
    # Round trip: sign a query with the HMAC-SHA1 key file, then verify it.
    my $signed = Net::DNS::Packet->new('query.example');
    $signed->sign_tsig($privatekey);

    # Void-context encode. Every block calls data between signing and
    # verifying; presumably this is when the MAC is actually computed
    # (confirm against Net::DNS::Packet).
    $signed->data;

    my $outcome = $signed->verify();
    ok( $outcome, 'verify signed packet' );
    is( ref($outcome), $class, 'packet->verify returns TSIG' );
    is( $signed->verifyerr, 'NOERROR', 'observe packet->verifyerr' );
}
{
    # Integrity check: a record pushed after the packet was signed and
    # encoded must make verification fail with BADSIG and return undef.
    my $tampered = Net::DNS::Packet->new('query.example');
    $tampered->sign_tsig($privatekey);
    $tampered->data;
    $tampered->push( update => rr_add( type => 'NULL' ) );

    my $outcome = $tampered->verify();
    ok( !$outcome, 'unverifiable signed packet' );
    is( $outcome, undef, 'failed packet->verify returns undef' );
    is( $tampered->verifyerr, 'BADSIG', 'observe packet->verifyerr' );
}
{
    # Request/response pair: the reply is signed using the signed request
    # and must verify when that same request is supplied to verify().
    my $request = Net::DNS::Packet->new('query.example');
    $request->sign_tsig($privatekey);
    $request->data;

    my $response = $request->reply;
    $response->sign_tsig($request);
    $response->data;

    my $outcome = $response->verify($request);
    ok( $outcome, 'verify reply packet' );
    is( $response->verifyerr, 'NOERROR', 'observe packet->verifyerr' );
}
{
    # Multi-packet signing: the value returned by each sign_tsig() call is
    # passed to the next packet, starting from the key file name.
    my @sequence = map { Net::DNS::Packet->new($_) } 0 .. 3;
    my $chain    = $privatekey;
    for my $member (@sequence) {
        $chain = $member->sign_tsig($chain);
        $member->data;
        is( ref($chain), $class, 'sign multi-packet' );
    }

    # Verify in order, handing the previous verify() result on as state.
    my @previous;
    for my $member (@sequence) {
        my ($outcome) = $member->verify(@previous);
        @previous = ($outcome);
        ok( $outcome, 'verify multi-packet' );
    }

    # Change the fudge of the third packet's TSIG after signing, then walk
    # the sequence again.
    # NOTE(review): verifyerr yields 'NOERROR' on success, which is itself a
    # true string, so ok() below passes for accepted and rejected packets
    # alike. Only the interpolated $result in the test name shows the actual
    # outcome. An is() against the expected error code would make this a
    # real negative test.
    my @carry;
    $sequence[2]->sigrr->fudge(0);
    for my $member (@sequence) {
        my $state = $member->verify(@carry);
        @carry = ($state);
        my $result = $member->verifyerr;
        ok( $result, "unverifiable multi-packet: $result" );
    }
}
{
    # Freshness check: signed with fudge => 0, then decoded and verified one
    # second later, the packet is expected to be rejected with BADTIME.
    # Depends on the wall clock advancing across the sleep.
    my $signed = Net::DNS::Packet->new('query.example');
    $signed->sign_tsig( $privatekey, fudge => 0 );
    my $wire = $signed->data;
    sleep 1;

    # Rebuild the packet from its wire form so that verification runs on
    # the decoded data.
    my $received = Net::DNS::Packet->new( \$wire );
    my $ignored  = $received->verify();    # only verifyerr is asserted
    is( $received->verifyerr, 'BADTIME', 'unverifiable query packet: BADTIME' );
}
{
    # A TSIG whose error field is set to BADTIME must come back from the
    # wire with a non-empty "other" field. Per the test description, that is
    # where the time gets appended.
    my $response = Net::DNS::Packet->new();
    $response->sign_tsig($privatekey);
    $response->sigrr->error('BADTIME');

    my $wire   = $response->data;
    my $parsed = Net::DNS::Packet->new( \$wire );
    ok( $parsed->sigrr->other, 'time appended to BADTIME response' );
}
{
    # Key mismatch: the request is signed with the HMAC-SHA1 key and the
    # reply with the HMAC-MD5 key. Verifying the reply against the request
    # must report BADKEY.
    my $request = Net::DNS::Packet->new('query.example');
    $request->sign_tsig($privatekey);
    $request->data;

    my $response = $request->reply;
    $response->sign_tsig($publickey);
    $response->data;

    my $ignored = $response->verify($request);    # only verifyerr is asserted
    is( $response->verifyerr, 'BADKEY', 'unverifiable reply packet: BADKEY' );
}
{
    # Two packets chained under the HMAC-SHA1 key ...
    my $first  = Net::DNS::Packet->new();
    my $linked = $first->sign_tsig($privatekey);
    $first->data;
    my $second = Net::DNS::Packet->new();
    $second->sign_tsig($linked);
    $second->data;

    # ... and an unrelated packet signed with the HMAC-MD5 key. Feeding the
    # unrelated packet's verify() result in as prior state for the second
    # chained packet must be rejected with BADKEY.
    my $foreign = Net::DNS::Packet->new();
    $foreign->sign_tsig($publickey);
    $foreign->data;
    my $foreign_state = $foreign->verify();
    my $ignored       = $second->verify($foreign_state);    # only verifyerr is asserted
    is( $second->verifyerr, 'BADKEY', 'unverifiable multi-packet: BADKEY' );
}
{
    # Truncated MAC: cut the HMAC-MD5 signature down to 9 octets and expect
    # FORMERR. NOTE(review): presumably this exercises the minimum
    # truncated-MAC length rule (RFC 4635 sets a 10-octet floor); confirm
    # against the TSIG implementation.
    my $signed = Net::DNS::Packet->new();
    $signed->sign_tsig($publickey);
    $signed->data;

    my $short_mac = substr $signed->sigrr->macbin, 0, 9;
    $signed->sigrr->macbin($short_mac);

    $signed->verify();
    is( $signed->verifyerr, 'FORMERR', 'signature too short: FORMERR' );
}
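{
    # Over-long MAC: append one octet to the HMAC-MD5 signature and expect
    # verification to reject the record with FORMERR.
    my $packet = Net::DNS::Packet->new();
    $packet->sign_tsig($publickey);
    $packet->data;

    # The original fetched macbin into a local it never used and then
    # fetched it again; use the captured value instead.
    my $macbin = $packet->sigrr->macbin;
    $packet->sigrr->macbin( $macbin . 'x' );

    $packet->verify();
    is( $packet->verifyerr, 'FORMERR', 'signature too long: FORMERR' );
}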
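{
    # TSIG->verify() handed a non-packet, non-TSIG argument (a NULL RR) must
    # throw. The test passes only if the first line of $@ is non-empty.
    my $packet = Net::DNS::Packet->new();
    $packet->sign_tsig($privatekey);

    my $null = Net::DNS::RR->new( type => 'NULL' );
    eval { $packet->sigrr->verify($null); };

    # List assignment instead of "my ... if ...", whose behaviour perlsyn
    # documents as undefined. A failed match leaves $exception undef.
    my ($exception) = $@ =~ /^(.+)\n/;
    $exception ||= '';
    ok( $exception, "unexpected argument\t[$exception]" );
}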
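{
    # Same check with a valid first argument: an unexpected second argument
    # (a NULL RR) to TSIG->verify() must also throw.
    my $packet = Net::DNS::Packet->new();
    $packet->sign_tsig($privatekey);

    my $null = Net::DNS::RR->new( type => 'NULL' );
    eval { $packet->sigrr->verify( $packet, $null ); };

    # List assignment instead of "my ... if ...", whose behaviour perlsyn
    # documents as undefined. A failed match leaves $exception undef.
    my ($exception) = $@ =~ /^(.+)\n/;
    $exception ||= '';
    ok( $exception, "unexpected argument\t[$exception]" );
}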
__END__