lib » dns » tests

keytable_test.c

Go to the documentation of this file.
00001 /*
00002  * Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
00003  *
00004  * Permission to use, copy, modify, and/or distribute this software for any
00005  * purpose with or without fee is hereby granted, provided that the above
00006  * copyright notice and this permission notice appear in all copies.
00007  *
00008  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
00009  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
00010  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
00011  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
00012  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
00013  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
00014  * PERFORMANCE OF THIS SOFTWARE.
00015  */
00016 
00017 /*! \file */
00018 
00019 #include <config.h>
00020 
00021 #include <atf-c.h>
00022 
00023 #include <unistd.h>
00024 #include <stdio.h>
00025 
00026 #if defined(OPENSSL) || defined(PKCS11CRYPTO)
00027 
00028 #include <isc/base64.h>
00029 #include <isc/buffer.h>
00030 #include <isc/util.h>
00031 
00032 #include <dns/name.h>
00033 #include <dns/fixedname.h>
00034 #include <dns/keytable.h>
00035 #include <dns/nta.h>
00036 #include <dns/rdataclass.h>
00037 #include <dns/rdatastruct.h>
00038 #include <dns/rootns.h>
00039 #include <dns/view.h>
00040 
00041 #include <dst/dst.h>
00042 
00043 #include "dnstest.h"
00044 
00045 dns_keytable_t *keytable = NULL;
00046 dns_ntatable_t *ntatable = NULL;
00047 
00048 static const char *keystr1 = "BQEAAAABok+vaUC9neRv8yeT/FEGgN7svR8s7VBUVSBd8NsAiV8AlaAg O5FHar3JQd95i/puZos6Vi6at9/JBbN8qVmO2AuiXxVqfxMKxIcy+LEB 0Vw4NaSJ3N3uaVREso6aTSs98H/25MjcwLOr7SFfXA7bGhZatLtYY/xu kp6Km5hMfkE=";
00049 static const dns_keytag_t keytag1 = 30591;
00050 
00051 static const char *keystr2 = "BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=";
00052 
00053 static dns_view_t *view = NULL;
00054 
00055 /*
00056  * Test utilities.  In general, these assume input parameters are valid
00057  * (checking with ATF_REQUIRE_EQ, thus aborting if not) and unlikely run time
00058  * errors (such as memory allocation failure) won't happen.  This helps keep
00059  * the test code concise.
00060  */
00061 
00062 /*
00063  * Utility to convert C-string to dns_name_t.  Return a pointer to
00064  * static data, and so is not thread safe.
00065  */
00066 static dns_name_t *
00067 str2name(const char *namestr) {
00068         static dns_fixedname_t fname;
00069         static dns_name_t *name;
00070         static isc_buffer_t namebuf;
00071         void *deconst_namestr;
00072 
00073         dns_fixedname_init(&fname);
00074         name = dns_fixedname_name(&fname);
00075         DE_CONST(namestr, deconst_namestr); /* OK, since we don't modify it */
00076         isc_buffer_init(&namebuf, deconst_namestr, strlen(deconst_namestr));
00077         isc_buffer_add(&namebuf, strlen(namestr));
00078         ATF_REQUIRE_EQ(dns_name_fromtext(name, &namebuf, dns_rootname, 0,
00079                                          NULL), ISC_R_SUCCESS);
00080 
00081         return (name);
00082 }
00083 
00084 static void
00085 create_key(isc_uint16_t flags, isc_uint8_t proto, isc_uint8_t alg,
00086            const char *keynamestr, const char *keystr, dst_key_t **target)
00087 {
00088         dns_rdata_dnskey_t keystruct;
00089         unsigned char keydata[4096];
00090         isc_buffer_t keydatabuf;
00091         unsigned char rrdata[4096];
00092         isc_buffer_t rrdatabuf;
00093         isc_region_t r;
00094         const dns_rdataclass_t rdclass = dns_rdataclass_in; /* for brevity */
00095 
00096         keystruct.common.rdclass = rdclass;
00097         keystruct.common.rdtype = dns_rdatatype_dnskey;
00098         keystruct.mctx = NULL;
00099         ISC_LINK_INIT(&keystruct.common, link);
00100         keystruct.flags = flags;
00101         keystruct.protocol = proto;
00102         keystruct.algorithm = alg;
00103 
00104         isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
00105         isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
00106         ATF_REQUIRE_EQ(isc_base64_decodestring(keystr, &keydatabuf),
00107                        ISC_R_SUCCESS);
00108         isc_buffer_usedregion(&keydatabuf, &r);
00109         keystruct.datalen = r.length;
00110         keystruct.data = r.base;
00111         ATF_REQUIRE_EQ(dns_rdata_fromstruct(NULL, keystruct.common.rdclass,
00112                                             keystruct.common.rdtype,
00113                                             &keystruct, &rrdatabuf),
00114                        ISC_R_SUCCESS);
00115 
00116         ATF_REQUIRE_EQ(dst_key_fromdns(str2name(keynamestr), rdclass,
00117                                        &rrdatabuf, mctx, target),
00118                        ISC_R_SUCCESS);
00119 }
00120 
00121 /* Common setup: create a keytable and ntatable to test with a few keys */
00122 static void
00123 create_tables() {
00124         isc_result_t result;
00125         dst_key_t *key = NULL;
00126         isc_stdtime_t now;
00127 
00128         result = dns_test_makeview("view", &view);
00129         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00130 
00131         ATF_REQUIRE_EQ(dns_keytable_create(mctx, &keytable), ISC_R_SUCCESS);
00132         ATF_REQUIRE_EQ(dns_ntatable_create(view, taskmgr, timermgr,
00133                                            &ntatable), ISC_R_SUCCESS);
00134 
00135         /* Add a normal key */
00136         create_key(257, 3, 5, "example.com", keystr1, &key);
00137         ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
00138                        ISC_R_SUCCESS);
00139 
00140         /* Add a null key */
00141         ATF_REQUIRE_EQ(dns_keytable_marksecure(keytable,
00142                                                str2name("null.example")),
00143                        ISC_R_SUCCESS);
00144 
00145         /* Add a negative trust anchor, duration 1 hour */
00146         isc_stdtime_get(&now);
00147         ATF_REQUIRE_EQ(dns_ntatable_add(ntatable,
00148                                         str2name("insecure.example"),
00149                                         ISC_FALSE, now, 3600),
00150                        ISC_R_SUCCESS);
00151 }
00152 
00153 static void
00154 destroy_tables() {
00155         if (ntatable != NULL)
00156                 dns_ntatable_detach(&ntatable);
00157         if (keytable != NULL)
00158                 dns_keytable_detach(&keytable);
00159 
00160         dns_view_detach(&view);
00161 }
00162 
00163 /*
00164  * Individual unit tests
00165  */
00166 
00167 ATF_TC(add);
00168 ATF_TC_HEAD(add, tc) {
00169         atf_tc_set_md_var(tc, "descr", "add keys to the keytable");
00170 }
00171 ATF_TC_BODY(add, tc) {
00172         dst_key_t *key = NULL;
00173         dns_keynode_t *keynode = NULL;
00174         dns_keynode_t *next_keynode = NULL;
00175         dns_keynode_t *null_keynode = NULL;
00176 
00177         UNUSED(tc);
00178 
00179         ATF_REQUIRE_EQ(dns_test_begin(NULL, ISC_TRUE), ISC_R_SUCCESS);
00180         create_tables();
00181 
00182         /*
00183          * Get the keynode for the example.com key.  There's no other key for
00184          * the name, so nextkeynode() should return NOTFOUND.
00185          */
00186         ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.com"),
00187                                          &keynode), ISC_R_SUCCESS);
00188         ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
00189                                                 &next_keynode), ISC_R_NOTFOUND);
00190 
00191         /*
00192          * Try to add the same key.  This should have no effect, so
00193          * nextkeynode() should still return NOTFOUND.
00194          */
00195         create_key(257, 3, 5, "example.com", keystr1, &key);
00196         ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
00197                        ISC_R_SUCCESS);
00198         ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
00199                                                 &next_keynode), ISC_R_NOTFOUND);
00200 
00201         /* Add another key (different keydata) */
00202         dns_keytable_detachkeynode(keytable, &keynode);
00203         create_key(257, 3, 5, "example.com", keystr2, &key);
00204         ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
00205                        ISC_R_SUCCESS);
00206         ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.com"),
00207                                          &keynode), ISC_R_SUCCESS);
00208         ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
00209                                                 &next_keynode), ISC_R_SUCCESS);
00210         dns_keytable_detachkeynode(keytable, &next_keynode);
00211 
00212         /*
00213          * Add a normal key to a name that has a null key.  The null key node
00214          * will be updated with the normal key.
00215          */
00216         dns_keytable_detachkeynode(keytable, &keynode);
00217         ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
00218                                          &null_keynode), ISC_R_SUCCESS);
00219         create_key(257, 3, 5, "null.example", keystr2, &key);
00220         ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
00221                        ISC_R_SUCCESS);
00222         ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
00223                                          &keynode), ISC_R_SUCCESS);
00224         ATF_REQUIRE_EQ(keynode, null_keynode); /* should be the same node */
00225         ATF_REQUIRE(dns_keynode_key(keynode) != NULL); /* now have a key */
00226         dns_keytable_detachkeynode(keytable, &null_keynode);
00227 
00228         /*
00229          * Try to add a null key to a name that already has a key.  It's
00230          * effectively no-op, so the same key node is still there, with no
00231          * no next node.
00232          * (Note: this and above checks confirm that if a name has a null key
00233          * that's the only key for the name).
00234          */
00235         ATF_REQUIRE_EQ(dns_keytable_marksecure(keytable,
00236                                                str2name("null.example")),
00237                        ISC_R_SUCCESS);
00238         ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
00239                                          &null_keynode), ISC_R_SUCCESS);
00240         ATF_REQUIRE_EQ(keynode, null_keynode);
00241         ATF_REQUIRE(dns_keynode_key(keynode) != NULL);
00242         ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
00243                                                 &next_keynode), ISC_R_NOTFOUND);
00244         dns_keytable_detachkeynode(keytable, &null_keynode);
00245 
00246         dns_keytable_detachkeynode(keytable, &keynode);
00247         destroy_tables();
00248         dns_test_end();
00249 }
00250 
00251 ATF_TC(delete);
00252 ATF_TC_HEAD(delete, tc) {
00253         atf_tc_set_md_var(tc, "descr", "delete keys from the keytable");
00254 }
00255 ATF_TC_BODY(delete, tc) {
00256         UNUSED(tc);
00257 
00258         ATF_REQUIRE_EQ(dns_test_begin(NULL, ISC_TRUE), ISC_R_SUCCESS);
00259         create_tables();
00260 
00261         /* dns_keytable_delete requires exact match */
00262         ATF_REQUIRE_EQ(dns_keytable_delete(keytable, str2name("example.org")),
00263                        ISC_R_NOTFOUND);
00264         ATF_REQUIRE_EQ(dns_keytable_delete(keytable, str2name("s.example.com")),
00265                        ISC_R_NOTFOUND);
00266         ATF_REQUIRE_EQ(dns_keytable_delete(keytable, str2name("example.com")),
00267                        ISC_R_SUCCESS);
00268 
00269         /* works also for nodes with a null key */
00270         ATF_REQUIRE_EQ(dns_keytable_delete(keytable, str2name("null.example")),
00271                        ISC_R_SUCCESS);
00272 
00273         /* or a negative trust anchor */
00274         ATF_REQUIRE_EQ(dns_ntatable_delete(ntatable,
00275                                            str2name("insecure.example")),
00276                        ISC_R_SUCCESS);
00277 
00278         destroy_tables();
00279         dns_test_end();
00280 }
00281 
00282 ATF_TC(deletekeynode);
00283 ATF_TC_HEAD(deletekeynode, tc) {
00284         atf_tc_set_md_var(tc, "descr", "delete key nodes from the keytable");
00285 }
00286 ATF_TC_BODY(deletekeynode, tc) {
00287         dst_key_t *key = NULL;
00288 
00289         UNUSED(tc);
00290 
00291         ATF_REQUIRE_EQ(dns_test_begin(NULL, ISC_TRUE), ISC_R_SUCCESS);
00292         create_tables();
00293 
00294         /* key name doesn't match */
00295         create_key(257, 3, 5, "example.org", keystr1, &key);
00296         ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
00297                        ISC_R_NOTFOUND);
00298         dst_key_free(&key);
00299 
00300         /* subdomain match is the same as no match */
00301         create_key(257, 3, 5, "sub.example.com", keystr1, &key);
00302         ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
00303                        ISC_R_NOTFOUND);
00304         dst_key_free(&key);
00305 
00306         /* name matches but key doesn't match (resulting in PARTIALMATCH) */
00307         create_key(257, 3, 5, "example.com", keystr2, &key);
00308         ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
00309                        DNS_R_PARTIALMATCH);
00310         dst_key_free(&key);
00311 
00312         /*
00313          * exact match.  after deleting the node the internal rbt node will be
00314          * empty, and any delete or deletekeynode attempt should result in
00315          * NOTFOUND.
00316          */
00317         create_key(257, 3, 5, "example.com", keystr1, &key);
00318         ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
00319                        ISC_R_SUCCESS);
00320         ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
00321                        ISC_R_NOTFOUND);
00322         ATF_REQUIRE_EQ(dns_keytable_delete(keytable, str2name("example.com")),
00323                        ISC_R_NOTFOUND);
00324         dst_key_free(&key);
00325 
00326         /*
00327          * A null key node for a name is not deleted when searched by key;
00328          * it must be deleted by dns_keytable_delete()
00329          */
00330         create_key(257, 3, 5, "null.example", keystr1, &key);
00331         ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
00332                        DNS_R_PARTIALMATCH);
00333         ATF_REQUIRE_EQ(dns_keytable_delete(keytable, dst_key_name(key)),
00334                        ISC_R_SUCCESS);
00335         dst_key_free(&key);
00336 
00337         destroy_tables();
00338         dns_test_end();
00339 }
00340 
00341 ATF_TC(find);
00342 ATF_TC_HEAD(find, tc) {
00343         atf_tc_set_md_var(tc, "descr", "check find-variant operations");
00344 }
00345 ATF_TC_BODY(find, tc) {
00346         dns_keynode_t *keynode = NULL;
00347         dns_fixedname_t fname;
00348         dns_name_t *name;
00349 
00350         UNUSED(tc);
00351 
00352         ATF_REQUIRE_EQ(dns_test_begin(NULL, ISC_TRUE), ISC_R_SUCCESS);
00353         create_tables();
00354 
00355         /*
00356          * dns_keytable_find() requires exact name match.  It matches node
00357          * that has a null key, too.  But it doesn't match a negative trust
00358          * anchor.
00359          */
00360         ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.org"),
00361                                          &keynode), ISC_R_NOTFOUND);
00362         ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("sub.example.com"),
00363                                          &keynode), ISC_R_NOTFOUND);
00364         ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.com"),
00365                                          &keynode), ISC_R_SUCCESS);
00366         dns_keytable_detachkeynode(keytable, &keynode);
00367         ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
00368                                          &keynode), ISC_R_SUCCESS);
00369         ATF_REQUIRE_EQ(dns_keynode_key(keynode), NULL);
00370         dns_keytable_detachkeynode(keytable, &keynode);
00371         ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("insecure.example"),
00372                                          &keynode), ISC_R_NOTFOUND);
00373 
00374         /*
00375          * dns_keytable_finddeepestmatch() allows partial match.  Also match
00376          * nodes with a null key or a negative trust anchor.
00377          */
00378         dns_fixedname_init(&fname);
00379         name = dns_fixedname_name(&fname);
00380         ATF_REQUIRE_EQ(dns_keytable_finddeepestmatch(keytable,
00381                                                      str2name("example.com"),
00382                                                      name), ISC_R_SUCCESS);
00383         ATF_REQUIRE_EQ(dns_name_equal(name, str2name("example.com")), ISC_TRUE);
00384         ATF_REQUIRE_EQ(dns_keytable_finddeepestmatch(keytable,
00385                                                      str2name("s.example.com"),
00386                                                      name), ISC_R_SUCCESS);
00387         ATF_REQUIRE_EQ(dns_name_equal(name, str2name("example.com")), ISC_TRUE);
00388         ATF_REQUIRE_EQ(dns_keytable_finddeepestmatch(keytable,
00389                                                      str2name("example.org"),
00390                                                      name), ISC_R_NOTFOUND);
00391         ATF_REQUIRE_EQ(dns_keytable_finddeepestmatch(keytable,
00392                                                      str2name("null.example"),
00393                                                      name), ISC_R_SUCCESS);
00394         ATF_REQUIRE_EQ(dns_name_equal(name, str2name("null.example")),
00395                        ISC_TRUE);
00396 
00397         /*
00398          * dns_keytable_findkeynode() requires exact name, algorithm, keytag
00399          * match.  If algorithm or keytag doesn't match, should result in
00400          * PARTIALMATCH.  Same for a node with a null key or a negative trust
00401          * anchor.
00402          */
00403         ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
00404                                                 str2name("example.org"),
00405                                                 5, keytag1, &keynode),
00406                        ISC_R_NOTFOUND);
00407         ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
00408                                                 str2name("sub.example.com"),
00409                                                 5, keytag1, &keynode),
00410                        ISC_R_NOTFOUND);
00411         ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
00412                                                 str2name("example.com"),
00413                                                 4, keytag1, &keynode),
00414                        DNS_R_PARTIALMATCH); /* different algorithm */
00415         ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
00416                                                 str2name("example.com"),
00417                                                 5, keytag1 + 1, &keynode),
00418                        DNS_R_PARTIALMATCH); /* different keytag */
00419         ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
00420                                                 str2name("null.example"),
00421                                                 5, 0, &keynode),
00422                        DNS_R_PARTIALMATCH); /* null key */
00423         ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
00424                                                 str2name("example.com"),
00425                                                 5, keytag1, &keynode),
00426                        ISC_R_SUCCESS); /* complete match */
00427         dns_keytable_detachkeynode(keytable, &keynode);
00428 
00429         destroy_tables();
00430         dns_test_end();
00431 }
00432 
00433 ATF_TC(issecuredomain);
00434 ATF_TC_HEAD(issecuredomain, tc) {
00435         atf_tc_set_md_var(tc, "descr", "check issecuredomain()");
00436 }
00437 ATF_TC_BODY(issecuredomain, tc) {
00438         isc_boolean_t issecure;
00439         const char **n;
00440         const char *names[] = {"example.com", "sub.example.com",
00441                                "null.example", "sub.null.example", NULL};
00442 
00443         UNUSED(tc);
00444         ATF_REQUIRE_EQ(dns_test_begin(NULL, ISC_TRUE), ISC_R_SUCCESS);
00445         create_tables();
00446 
00447         /*
00448          * Domains that are an exact or partial match of a key name are
00449          * considered secure.  It's the case even if the key is null
00450          * (validation will then fail, but that's actually the intended effect
00451          * of installing a null key).
00452          */
00453         for (n = names; *n != NULL; n++) {
00454                 ATF_REQUIRE_EQ(dns_keytable_issecuredomain(keytable,
00455                                                            str2name(*n),
00456                                                            NULL,
00457                                                            &issecure),
00458                                ISC_R_SUCCESS);
00459                 ATF_REQUIRE_EQ(issecure, ISC_TRUE);
00460         }
00461 
00462         /*
00463          * Domains that are an exact or partial match of a negative trust
00464          * anchor are considered insecure.
00465          */
00466         ATF_REQUIRE_EQ(dns_keytable_issecuredomain(keytable,
00467                                                    str2name("insecure.example"),
00468                                                    NULL,
00469                                                    &issecure),
00470                        ISC_R_SUCCESS);
00471         ATF_REQUIRE_EQ(issecure, ISC_FALSE);
00472         ATF_REQUIRE_EQ(dns_keytable_issecuredomain(
00473                                keytable, str2name("sub.insecure.example"),
00474                                NULL, &issecure), ISC_R_SUCCESS);
00475         ATF_REQUIRE_EQ(issecure, ISC_FALSE);
00476 
00477         destroy_tables();
00478         dns_test_end();
00479 }
00480 
00481 ATF_TC(dump);
00482 ATF_TC_HEAD(dump, tc) {
00483         atf_tc_set_md_var(tc, "descr", "check dns_keytable_dump()");
00484 }
00485 ATF_TC_BODY(dump, tc) {
00486         UNUSED(tc);
00487 
00488         ATF_REQUIRE_EQ(dns_test_begin(NULL, ISC_TRUE), ISC_R_SUCCESS);
00489         create_tables();
00490 
00491         /*
00492          * Right now, we only confirm the dump attempt doesn't cause disruption
00493          * (so we don't check the dump content).
00494          */
00495         ATF_REQUIRE_EQ(dns_keytable_dump(keytable, stdout), ISC_R_SUCCESS);
00496 
00497         destroy_tables();
00498         dns_test_end();
00499 }
00500 
00501 ATF_TC(nta);
00502 ATF_TC_HEAD(nta, tc) {
00503         atf_tc_set_md_var(tc, "descr", "check negative trust anchors");
00504 }
00505 ATF_TC_BODY(nta, tc) {
00506         isc_result_t result;
00507         dst_key_t *key = NULL;
00508         isc_boolean_t issecure, covered;
00509         dns_view_t *myview = NULL;
00510         isc_stdtime_t now;
00511 
00512         UNUSED(tc);
00513 
00514         result = dns_test_begin(NULL, ISC_TRUE);
00515         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00516 
00517         result = dns_test_makeview("view", &myview);
00518         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00519 
00520         result = isc_task_create(taskmgr, 0, &myview->task);
00521         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00522 
00523         result = dns_view_initsecroots(myview, mctx);
00524         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00525         result = dns_view_getsecroots(myview, &keytable);
00526         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00527 
00528         result = dns_view_initntatable(myview, taskmgr, timermgr);
00529         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00530         result = dns_view_getntatable(myview, &ntatable);
00531         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00532 
00533         create_key(257, 3, 5, "example", keystr1, &key);
00534         result = dns_keytable_add(keytable, ISC_FALSE, &key);
00535         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00536 
00537         isc_stdtime_get(&now);
00538         result = dns_ntatable_add(ntatable,
00539                                   str2name("insecure.example"),
00540                                   ISC_FALSE, now, 1);
00541         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00542 
00543         /* Should be secure */
00544         result = dns_view_issecuredomain(myview,
00545                                          str2name("test.secure.example"),
00546                                          now, ISC_TRUE, &issecure);
00547         ATF_CHECK_EQ(result, ISC_R_SUCCESS);
00548         ATF_CHECK(issecure);
00549 
00550         /* Should not be secure */
00551         result = dns_view_issecuredomain(myview,
00552                                          str2name("test.insecure.example"),
00553                                          now, ISC_TRUE, &issecure);
00554         ATF_CHECK_EQ(result, ISC_R_SUCCESS);
00555         ATF_CHECK(!issecure);
00556 
00557         /* NTA covered */
00558         covered = dns_view_ntacovers(myview, now, str2name("insecure.example"),
00559                                      dns_rootname);
00560         ATF_CHECK(covered);
00561 
00562         /* Not NTA covered */
00563         covered = dns_view_ntacovers(myview, now, str2name("secure.example"),
00564                                      dns_rootname);
00565         ATF_CHECK(!covered);
00566 
00567         /* As of now + 2, the NTA should be clear */
00568         result = dns_view_issecuredomain(myview,
00569                                          str2name("test.insecure.example"),
00570                                          now + 2, ISC_TRUE, &issecure);
00571         ATF_CHECK_EQ(result, ISC_R_SUCCESS);
00572         ATF_CHECK(issecure);
00573 
00574         /* Now check deletion */
00575         result = dns_ntatable_add(ntatable, str2name("new.example"),
00576                                   ISC_FALSE, now, 3600);
00577         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00578 
00579         result = dns_view_issecuredomain(myview, str2name("test.new.example"),
00580                                          now, ISC_TRUE, &issecure);
00581         ATF_CHECK_EQ(result, ISC_R_SUCCESS);
00582         ATF_CHECK(!issecure);
00583 
00584         result = dns_ntatable_delete(ntatable, str2name("new.example"));
00585         ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
00586 
00587         result = dns_view_issecuredomain(myview, str2name("test.new.example"),
00588                                          now, ISC_TRUE, &issecure);
00589         ATF_CHECK_EQ(result, ISC_R_SUCCESS);
00590         ATF_CHECK(issecure);
00591 
00592         /* Clean up */
00593         dns_ntatable_detach(&ntatable);
00594         dns_keytable_detach(&keytable);
00595         dns_view_detach(&myview);
00596 
00597         dns_test_end();
00598 }
00599 
00600 #else
00601 #include <isc/util.h>
00602 
00603 ATF_TC(untested);
00604 ATF_TC_HEAD(untested, tc) {
00605         atf_tc_set_md_var(tc, "descr", "skipping keytable test");
00606 }
00607 ATF_TC_BODY(untested, tc) {
00608         UNUSED(tc);
00609         atf_tc_skip("DNSSEC not available");
00610 }
00611 #endif
00612 
00613 /*
00614  * Main
00615  */
00616 ATF_TP_ADD_TCS(tp) {
00617 #if defined(OPENSSL) || defined(PKCS11CRYPTO)
00618         ATF_TP_ADD_TC(tp, add);
00619         ATF_TP_ADD_TC(tp, delete);
00620         ATF_TP_ADD_TC(tp, deletekeynode);
00621         ATF_TP_ADD_TC(tp, find);
00622         ATF_TP_ADD_TC(tp, issecuredomain);
00623         ATF_TP_ADD_TC(tp, dump);
00624         ATF_TP_ADD_TC(tp, nta);
00625 #else
00626         ATF_TP_ADD_TC(tp, untested);
00627 #endif
00628 
00629         return (atf_no_error());
00630 }
Generated on Tue Apr 28 17:41:01 2015 by Doxygen 1.5.4 for BIND9 Internals 9.11.0pre-alpha