tests/dns/nsec3param_test.c

*bcda20f6Schristos/*	$NetBSD: nsec3param_test.c,v 1.3 2025/01/26 16:25:47 christos Exp $	*/
8aaca124Schristos
8aaca124Schristos/*
8aaca124Schristos * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
8aaca124Schristos *
8aaca124Schristos * SPDX-License-Identifier: MPL-2.0
8aaca124Schristos *
8aaca124Schristos * This Source Code Form is subject to the terms of the Mozilla Public
8aaca124Schristos * License, v. 2.0. If a copy of the MPL was not distributed with this
8aaca124Schristos * file, you can obtain one at https://mozilla.org/MPL/2.0/.
8aaca124Schristos *
8aaca124Schristos * See the COPYRIGHT file distributed with this work for additional
8aaca124Schristos * information regarding copyright ownership.
8aaca124Schristos */
8aaca124Schristos
8aaca124Schristos#include <inttypes.h>
8aaca124Schristos#include <sched.h> /* IWYU pragma: keep */
8aaca124Schristos#include <setjmp.h>
8aaca124Schristos#include <stdarg.h>
8aaca124Schristos#include <stddef.h>
8aaca124Schristos#include <stdlib.h>
8aaca124Schristos#include <string.h>
8aaca124Schristos#include <unistd.h>
8aaca124Schristos
8aaca124Schristos#define UNIT_TESTING
8aaca124Schristos#include <cmocka.h>
8aaca124Schristos
8aaca124Schristos#include <isc/hex.h>
8aaca124Schristos#include <isc/result.h>
8aaca124Schristos#include <isc/string.h>
8aaca124Schristos#include <isc/util.h>
8aaca124Schristos
8aaca124Schristos#include <dns/db.h>
8aaca124Schristos#include <dns/nsec3.h>
8aaca124Schristos
8aaca124Schristos#include "zone_p.h"
8aaca124Schristos
8aaca124Schristos#include <tests/dns.h>
8aaca124Schristos
8aaca124Schristos#define HASH	1
8aaca124Schristos#define FLAGS	0
8aaca124Schristos#define ITER	5
8aaca124Schristos#define SALTLEN 4
8aaca124Schristos#define SALT	"FEDCBA98"
8aaca124Schristos
8aaca124Schristos/*%
8aaca124Schristos * Structures containing parameters for nsec3param_salttotext_test().
8aaca124Schristos */
8aaca124Schristostypedef struct {
8aaca124Schristos	dns_hash_t hash;
8aaca124Schristos	unsigned char flags;
8aaca124Schristos	dns_iterations_t iterations;
8aaca124Schristos	unsigned char salt_length;
8aaca124Schristos	const char *salt;
8aaca124Schristos} nsec3param_rdata_test_params_t;
8aaca124Schristos
8aaca124Schristostypedef struct {
8aaca124Schristos	nsec3param_rdata_test_params_t lookup;
8aaca124Schristos	nsec3param_rdata_test_params_t expect;
8aaca124Schristos	bool resalt;
8aaca124Schristos	isc_result_t expected_result;
8aaca124Schristos} nsec3param_change_test_params_t;
8aaca124Schristos
8aaca124Schristosstatic void
8aaca124Schristosdecode_salt(const char *string, unsigned char *salt, size_t saltlen) {
8aaca124Schristos	isc_buffer_t buf;
8aaca124Schristos	isc_result_t result;
8aaca124Schristos
8aaca124Schristos	isc_buffer_init(&buf, salt, saltlen);
8aaca124Schristos	result = isc_hex_decodestring(string, &buf);
8aaca124Schristos	assert_int_equal(result, ISC_R_SUCCESS);
8aaca124Schristos}
8aaca124Schristos
8aaca124Schristosstatic void
8aaca124Schristoscopy_params(nsec3param_rdata_test_params_t from, dns_rdata_nsec3param_t *to,
8aaca124Schristos	    unsigned char *saltbuf, size_t saltlen) {
8aaca124Schristos	to->hash = from.hash;
8aaca124Schristos	to->flags = from.flags;
8aaca124Schristos	to->iterations = from.iterations;
8aaca124Schristos	to->salt_length = from.salt_length;
8aaca124Schristos	if (from.salt == NULL) {
8aaca124Schristos		to->salt = NULL;
8aaca124Schristos	} else if (strcmp(from.salt, "-") == 0) {
*bcda20f6Schristos		to->salt = (unsigned char *)"-";
8aaca124Schristos	} else {
8aaca124Schristos		decode_salt(from.salt, saltbuf, saltlen);
8aaca124Schristos		to->salt = saltbuf;
8aaca124Schristos	}
8aaca124Schristos}
8aaca124Schristos
8aaca124Schristosstatic nsec3param_rdata_test_params_t
8aaca124Schristosrdata_fromparams(uint8_t hash, uint8_t flags, uint16_t iter, uint8_t saltlen,
8aaca124Schristos		 const char *salt) {
8aaca124Schristos	nsec3param_rdata_test_params_t nsec3param;
8aaca124Schristos	nsec3param.hash = hash;
8aaca124Schristos	nsec3param.flags = flags;
8aaca124Schristos	nsec3param.iterations = iter;
8aaca124Schristos	nsec3param.salt_length = saltlen;
8aaca124Schristos	nsec3param.salt = salt;
*bcda20f6Schristos	return nsec3param;
8aaca124Schristos}
8aaca124Schristos
8aaca124Schristos/*%
8aaca124Schristos * Check whether zone_lookup_nsec3param() finds the correct NSEC3PARAM
8aaca124Schristos * and sets the correct parameters to use in dns_zone_setnsec3param().
8aaca124Schristos */
8aaca124Schristosstatic void
8aaca124Schristosnsec3param_change_test(const nsec3param_change_test_params_t *test) {
8aaca124Schristos	dns_zone_t *zone = NULL;
8aaca124Schristos	dns_rdata_nsec3param_t param, lookup, expect;
8aaca124Schristos	isc_result_t result;
8aaca124Schristos	unsigned char lookupsalt[255];
8aaca124Schristos	unsigned char expectsalt[255];
8aaca124Schristos	unsigned char saltbuf[255];
8aaca124Schristos
8aaca124Schristos	/*
8aaca124Schristos	 * Prepare a zone along with its signing keys.
8aaca124Schristos	 */
8aaca124Schristos	result = dns_test_makezone("nsec3", &zone, NULL, false);
8aaca124Schristos	assert_int_equal(result, ISC_R_SUCCESS);
8aaca124Schristos
8aaca124Schristos	result = dns_zone_setfile(
8aaca124Schristos		zone, TESTS_DIR "/testdata/nsec3param/nsec3.db.signed",
8aaca124Schristos		dns_masterformat_text, &dns_master_style_default);
8aaca124Schristos	assert_int_equal(result, ISC_R_SUCCESS);
8aaca124Schristos
8aaca124Schristos	result = dns_zone_load(zone, false);
8aaca124Schristos	assert_int_equal(result, ISC_R_SUCCESS);
8aaca124Schristos
8aaca124Schristos	/*
8aaca124Schristos	 * Copy parameters.
8aaca124Schristos	 */
8aaca124Schristos	copy_params(test->lookup, &lookup, lookupsalt, sizeof(lookupsalt));
8aaca124Schristos	copy_params(test->expect, &expect, expectsalt, sizeof(expectsalt));
8aaca124Schristos
8aaca124Schristos	/*
8aaca124Schristos	 * Test dns__zone_lookup_nsec3param().
8aaca124Schristos	 */
8aaca124Schristos	result = dns__zone_lookup_nsec3param(zone, &lookup, &param, saltbuf,
8aaca124Schristos					     test->resalt);
8aaca124Schristos	assert_int_equal(result, test->expected_result);
8aaca124Schristos	assert_int_equal(param.hash, expect.hash);
8aaca124Schristos	assert_int_equal(param.flags, expect.flags);
8aaca124Schristos	assert_int_equal(param.iterations, expect.iterations);
8aaca124Schristos	assert_int_equal(param.salt_length, expect.salt_length);
8aaca124Schristos	assert_non_null(param.salt);
8aaca124Schristos	if (expect.salt != NULL) {
8aaca124Schristos		int ret = memcmp(param.salt, expect.salt, expect.salt_length);
8aaca124Schristos		assert_true(ret == 0);
8aaca124Schristos	} else {
8aaca124Schristos		/*
8aaca124Schristos		 * We don't know what the new salt is, but we can compare it
8aaca124Schristos		 * to the previous salt and test that it has changed.
8aaca124Schristos		 */
8aaca124Schristos		unsigned char salt[SALTLEN];
8aaca124Schristos		int ret;
8aaca124Schristos		decode_salt(SALT, salt, SALTLEN);
8aaca124Schristos		ret = memcmp(param.salt, salt, SALTLEN);
8aaca124Schristos		assert_false(ret == 0);
8aaca124Schristos	}
8aaca124Schristos
8aaca124Schristos	/*
8aaca124Schristos	 * Detach.
8aaca124Schristos	 */
8aaca124Schristos	dns_zone_detach(&zone);
8aaca124Schristos}
8aaca124Schristos
8aaca124SchristosISC_RUN_TEST_IMPL(nsec3param_change) {
8aaca124Schristos	size_t i;
8aaca124Schristos
8aaca124Schristos	/*
8aaca124Schristos	 * Define tests.
8aaca124Schristos	 */
8aaca124Schristos	const nsec3param_change_test_params_t tests[] = {
8aaca124Schristos		/*
8aaca124Schristos		 * 1. Change nothing (don't care about salt).
8aaca124Schristos		 * This should return ISC_R_SUCCESS because we are already
8aaca124Schristos		 * using these NSEC3 parameters.
8aaca124Schristos		 */
8aaca124Schristos		{ rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, NULL),
8aaca124Schristos		  rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, SALT), false,
8aaca124Schristos		  ISC_R_SUCCESS },
8aaca124Schristos		/*
8aaca124Schristos		 * 2. Change nothing, but force a resalt.
8aaca124Schristos		 * This should change the salt. Set 'expect.salt' to NULL to
8aaca124Schristos		 * test a new salt has been generated.
8aaca124Schristos		 */
8aaca124Schristos		{ rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, NULL),
8aaca124Schristos		  rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, NULL), true,
8aaca124Schristos		  DNS_R_NSEC3RESALT },
8aaca124Schristos		/*
8aaca124Schristos		 * 3. Change iterations.
8aaca124Schristos		 * The NSEC3 paarameters are not found, and there is no
8aaca124Schristos		 * need to resalt because an explicit salt has been set,
8aaca124Schristos		 * and resalt is not enforced.
8aaca124Schristos		 */
8aaca124Schristos		{ rdata_fromparams(HASH, FLAGS, 10, SALTLEN, SALT),
8aaca124Schristos		  rdata_fromparams(HASH, FLAGS, 10, SALTLEN, SALT), false,
8aaca124Schristos		  ISC_R_NOTFOUND },
8aaca124Schristos		/*
8aaca124Schristos		 * 4. Change iterations, don't care about the salt.
8aaca124Schristos		 * We don't care about the salt. Since we need to change the
8aaca124Schristos		 * NSEC3 parameters, we will also resalt.
8aaca124Schristos		 */
8aaca124Schristos		{ rdata_fromparams(HASH, FLAGS, 10, SALTLEN, NULL),
8aaca124Schristos		  rdata_fromparams(HASH, FLAGS, 10, SALTLEN, NULL), false,
8aaca124Schristos		  DNS_R_NSEC3RESALT },
8aaca124Schristos		/*
8aaca124Schristos		 * 5. Change salt length.
8aaca124Schristos		 * Changing salt length means we need to resalt.
8aaca124Schristos		 */
8aaca124Schristos		{ rdata_fromparams(HASH, FLAGS, ITER, 16, NULL),
8aaca124Schristos		  rdata_fromparams(HASH, FLAGS, ITER, 16, NULL), false,
8aaca124Schristos		  DNS_R_NSEC3RESALT },
8aaca124Schristos		/*
8aaca124Schristos		 * 6. Set explicit salt.
8aaca124Schristos		 * A different salt, so the NSEC3 parameters are not found.
8aaca124Schristos		 * No need to resalt because an explicit salt is available.
8aaca124Schristos		 */
8aaca124Schristos		{ rdata_fromparams(HASH, FLAGS, ITER, 4, "12345678"),
8aaca124Schristos		  rdata_fromparams(HASH, FLAGS, ITER, 4, "12345678"), false,
8aaca124Schristos		  ISC_R_NOTFOUND },
8aaca124Schristos		/*
8aaca124Schristos		 * 7. Same salt.
8aaca124Schristos		 * Nothing changed, so expect ISC_R_SUCCESS as a result.
8aaca124Schristos		 */
8aaca124Schristos		{ rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, SALT),
8aaca124Schristos		  rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, SALT), false,
8aaca124Schristos		  ISC_R_SUCCESS },
8aaca124Schristos		/*
8aaca124Schristos		 * 8. Same salt, and force resalt.
8aaca124Schristos		 * Nothing changed, but a resalt is enforced.
8aaca124Schristos		 */
8aaca124Schristos		{ rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, SALT),
8aaca124Schristos		  rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, NULL), true,
8aaca124Schristos		  DNS_R_NSEC3RESALT },
8aaca124Schristos		/*
8aaca124Schristos		 * 9. No salt.
8aaca124Schristos		 * Change parameters to use no salt. These parameters are
8aaca124Schristos		 * not found, and no new salt needs to be generated.
8aaca124Schristos		 */
8aaca124Schristos		{ rdata_fromparams(HASH, FLAGS, ITER, 0, NULL),
8aaca124Schristos		  rdata_fromparams(HASH, FLAGS, ITER, 0, "-"), true,
8aaca124Schristos		  ISC_R_NOTFOUND },
8aaca124Schristos		/*
8aaca124Schristos		 * 10. No salt, explicit.
8aaca124Schristos		 * Same as above, but set no salt explicitly.
8aaca124Schristos		 */
8aaca124Schristos		{ rdata_fromparams(HASH, FLAGS, ITER, 0, "-"),
8aaca124Schristos		  rdata_fromparams(HASH, FLAGS, ITER, 0, "-"), true,
8aaca124Schristos		  ISC_R_NOTFOUND },
8aaca124Schristos	};
8aaca124Schristos
8aaca124Schristos	UNUSED(state);
8aaca124Schristos
8aaca124Schristos	/*
8aaca124Schristos	 * Run tests.
8aaca124Schristos	 */
8aaca124Schristos	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
8aaca124Schristos		nsec3param_change_test(&tests[i]);
8aaca124Schristos	}
8aaca124Schristos}
8aaca124Schristos
8aaca124SchristosISC_TEST_LIST_START
8aaca124SchristosISC_TEST_ENTRY(nsec3param_change)
8aaca124SchristosISC_TEST_LIST_END
8aaca124Schristos
8aaca124SchristosISC_TEST_MAIN