From 5af3a46ac008899ff9b7851c92acbfaa64f124e2 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 3 Feb 2021 10:35:46 +0100 Subject: [PATCH 1/4] Fix testcrypto.sh Testing Ed448 was actually testing Ed25519. (cherry picked from commit 572d7ec3b7d177eea5cfa0baff3571b382318c03) --- bin/tests/system/testcrypto.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh index d09f2feb2e..8cdceafc37 100644 --- a/bin/tests/system/testcrypto.sh +++ b/bin/tests/system/testcrypto.sh @@ -50,7 +50,7 @@ while test "$#" -gt 0; do msg="EDDSA cryptography" ;; ed448|ED448) - alg="-a ED25519" + alg="-a ED448" msg="EDDSA cryptography" ;; *) From 4538d8ddf25ed60bd72d9806aec239d2bf57bd1f Mon Sep 17 00:00:00 2001 
From: Matthijs Mekking Date: Wed, 3 Feb 2021 10:36:30 +0100 Subject: [PATCH 2/4] Refactor eddsa system test Test for Ed25519 and Ed448. If both algorithms are not supported, skip test. If only one algorithm is supported, run test, skip the unsupported algorithm. If both are supported, run test normally. Create new ns3. This will test Ed448 specifically, while now ns2 only tests Ed25519. This moves some files from ns2/ to ns3/. (cherry picked from commit 8bf31d05926960516e2756272ee43f801143ddd4) --- bin/tests/system/eddsa/clean.sh | 14 ++- .../eddsa/ns1/{named.conf => named.conf.in} | 2 +- bin/tests/system/eddsa/ns1/sign.sh | 40 ++++++-- bin/tests/system/eddsa/ns2/example.com.db.in | 20 ++++ .../eddsa/ns2/{named.conf => named.conf.in} | 2 +- bin/tests/system/eddsa/ns2/sign.sh | 21 ++-- .../{ns2 => ns3}/Xexample.com.+016+09713.key | 0 .../Xexample.com.+016+09713.private | 0 .../{ns2 => ns3}/Xexample.com.+016+38353.key | 0 .../Xexample.com.+016+38353.private | 0 .../example.com.db => ns3/example.com.db.in} | 19 ++-- bin/tests/system/eddsa/ns3/named.conf.in | 34 +++++++ bin/tests/system/eddsa/ns3/sign.sh | 35 +++++++ bin/tests/system/eddsa/prereq.sh | 10 +- bin/tests/system/eddsa/setup.sh | 25 ++++- bin/tests/system/eddsa/tests.sh | 99 +++++++++++-------- 16 files changed, 243 insertions(+), 78 deletions(-) rename bin/tests/system/eddsa/ns1/{named.conf => named.conf.in} (98%) create mode 100644 bin/tests/system/eddsa/ns2/example.com.db.in rename bin/tests/system/eddsa/ns2/{named.conf => named.conf.in} (98%) rename bin/tests/system/eddsa/{ns2 => ns3}/Xexample.com.+016+09713.key (100%) rename bin/tests/system/eddsa/{ns2 => ns3}/Xexample.com.+016+09713.private (100%) rename bin/tests/system/eddsa/{ns2 => ns3}/Xexample.com.+016+38353.key (100%) rename bin/tests/system/eddsa/{ns2 => ns3}/Xexample.com.+016+38353.private (100%) rename bin/tests/system/eddsa/{ns2/example.com.db => ns3/example.com.db.in} (55%) create mode 100644 bin/tests/system/eddsa/ns3/named.conf.in create 
mode 100644 bin/tests/system/eddsa/ns3/sign.sh diff --git a/bin/tests/system/eddsa/clean.sh b/bin/tests/system/eddsa/clean.sh index 364b755ed3..9accedc949 100644 --- a/bin/tests/system/eddsa/clean.sh +++ b/bin/tests/system/eddsa/clean.sh @@ -9,11 +9,15 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -rm -f */K* */dsset-* */*.signed */trusted.conf -rm -f ns1/root.db -rm -f ns*/signer.err +rm -f */K* */dsset-* */*.signed rm -f dig.out* -rm -f */named.run -rm -f */named.memstats +rm -f ns*/root.db +rm -f ns*/signer.err +rm -f ns*/named.run +rm -f ns*/named.memstats rm -f ns*/named.lock rm -f ns*/managed-keys.bind* +rm -f ns*/trusted.conf +rm -f ns*/example.com.db +rm -f ns*/named.conf +rm -f *-supported.file diff --git a/bin/tests/system/eddsa/ns1/named.conf b/bin/tests/system/eddsa/ns1/named.conf.in similarity index 98% rename from bin/tests/system/eddsa/ns1/named.conf rename to bin/tests/system/eddsa/ns1/named.conf.in index f58ca7e754..a68caf9d96 100644 --- a/bin/tests/system/eddsa/ns1/named.conf +++ b/bin/tests/system/eddsa/ns1/named.conf.in @@ -17,7 +17,7 @@ options { query-source address 10.53.0.1; notify-source 10.53.0.1; transfer-source 10.53.0.1; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.1; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/eddsa/ns1/sign.sh b/bin/tests/system/eddsa/ns1/sign.sh index db7464b385..ed7fe0a62b 100644 --- a/bin/tests/system/eddsa/ns1/sign.sh +++ b/bin/tests/system/eddsa/ns1/sign.sh 
@@ -16,17 +16,39 @@ zone=. infile=root.db.in zonefile=root.db -key1=`$KEYGEN -q -a ED25519 -n zone $zone` -key2=`$KEYGEN -q -a ED25519 -n zone -f KSK $zone` -#key2=`$KEYGEN -q -a ED448 -n zone -f KSK $zone` -$DSFROMKEY -a sha-256 $key2.key > dsset-256 +echo_i "ns1/sign.sh" -cat $infile $key1.key $key2.key > $zonefile +cp $infile $zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err +if [ -f ../ed25519-supported.file ]; then + zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone") + ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone") + cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile" + $DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256 +fi + +if [ -f ../ed448-supported.file ]; then + zsk448=$($KEYGEN -q -a ED448 -n zone "$zone") + ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone") + cat "$ksk448.key" "$zsk448.key" >> "$zonefile" + $DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256 +fi # Configure the resolving server with a static key. -keyfile_to_static_ds $key1 > trusted.conf -cp trusted.conf ../ns2/trusted.conf +if [ -f ../ed25519-supported.file ]; then + keyfile_to_static_ds $ksk25519 > trusted.conf + cp trusted.conf ../ns2/trusted.conf +else + keyfile_to_static_ds $ksk448 > trusted.conf + cp trusted.conf ../ns2/trusted.conf +fi -cd ../ns2 && $SHELL sign.sh +if [ -f ../ed448-supported.file ]; then + keyfile_to_static_ds $ksk448 > trusted.conf + cp trusted.conf ../ns3/trusted.conf +else + keyfile_to_static_ds $ksk25519 > trusted.conf + cp trusted.conf ../ns3/trusted.conf +fi + +$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/ns2/example.com.db.in b/bin/tests/system/eddsa/ns2/example.com.db.in new file mode 100644 index 0000000000..c50a7875c7 --- /dev/null +++ b/bin/tests/system/eddsa/ns2/example.com.db.in 
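Review bot: The four keyfile_to_static_ds branches duplicate the selection rule and leave the key variable unquoted; choosing the KSK first reduces them to `ns2ksk=${ksk25519:-$ksk448}; ns3ksk=${ksk448:-$ksk25519}` followed by `keyfile_to_static_ds "$ns2ksk" > ../ns2/trusted.conf` and `keyfile_to_static_ds "$ns3ksk" > ../ns3/trusted.conf`. Both blocks also write ns1's own trusted.conf, so it ends up holding whichever copy was made last; if ns1/named.conf includes it (not visible in this hunk) that ordering deserves a comment. The else branches rely on prereq.sh having guaranteed that at least one of the two marker files exists; a comment stating that assumption, e.g. `# prereq.sh ensures at least one of ed25519/ed448 is supported`, would save the next reader a trip.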
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ IN SOA fdupont.isc.org. ns.example.com. ( + 2012040600 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 3600 ; minimum + ) + MX 10 mail.example.com. + NS ns.example.com. +ns.example.com. A 10.53.0.2 diff --git a/bin/tests/system/eddsa/ns2/named.conf b/bin/tests/system/eddsa/ns2/named.conf.in similarity index 98% rename from bin/tests/system/eddsa/ns2/named.conf rename to bin/tests/system/eddsa/ns2/named.conf.in index 420073fc05..198cdbbcec 100644 --- a/bin/tests/system/eddsa/ns2/named.conf +++ b/bin/tests/system/eddsa/ns2/named.conf.in @@ -17,7 +17,7 @@ options { query-source address 10.53.0.2; notify-source 10.53.0.2; transfer-source 10.53.0.2; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.2; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/eddsa/ns2/sign.sh b/bin/tests/system/eddsa/ns2/sign.sh index 8af7e292b6..0417922330 100644 --- a/bin/tests/system/eddsa/ns2/sign.sh +++ b/bin/tests/system/eddsa/ns2/sign.sh 
@@ -13,16 +13,23 @@ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh zone=example.com. +infile=example.com.db.in zonefile=example.com.db starttime=20150729220000 endtime=20150819220000 -for i in Xexample.com.+015+03613.key Xexample.com.+015+03613.private \ - Xexample.com.+015+35217.key Xexample.com.+015+35217.private \ - Xexample.com.+016+09713.key Xexample.com.+016+09713.private \ - Xexample.com.+016+38353.key Xexample.com.+016+38353.private -do - cp $i `echo $i | sed s/X/K/` -done +echo_i "ns2/sign.sh" + +cp $infile $zonefile + +if [ -f ../ed25519-supported.file ]; then + + for i in Xexample.com.+015+03613 Xexample.com.+015+35217 + do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" + done +fi $SIGNER -P -z -s $starttime -e $endtime -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key similarity index 100% rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private similarity index 100% rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key similarity index 100% rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key 
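Review bot: The three `$(echo $i.key | sed s/X/K/)` substitutions in the loop spawn a pipeline each to rename a fixed leading X, and leave `$i` unquoted inside echo; POSIX parameter expansion does the same in-process: `cp "$i.key" "K${i#X}.key"`, `cp "$i.private" "K${i#X}.private"`, `cat "K${i#X}.key" >> "$zonefile"`. The identical loop in the new ns3/sign.sh has the same shape. `cp $infile $zonefile` a few lines up is the remaining unquoted expansion in the hunk; `cp "$infile" "$zonefile"` matches the quoting the rest of the new code uses.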
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private similarity index 100% rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private diff --git a/bin/tests/system/eddsa/ns2/example.com.db b/bin/tests/system/eddsa/ns3/example.com.db.in similarity index 55% rename from bin/tests/system/eddsa/ns2/example.com.db rename to bin/tests/system/eddsa/ns3/example.com.db.in index 306a156979..5616fbdcb7 100644 --- a/bin/tests/system/eddsa/ns2/example.com.db +++ b/bin/tests/system/eddsa/ns3/example.com.db.in @@ -8,18 +8,13 @@ ; information regarding copyright ownership. $TTL 3600 -@ IN SOA fdupont.isc.org. ns.example.com. ( - 2012040600 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 3600 ; minimum +@ IN SOA fdupont.isc.org. ns.example.com. ( + 2012040600 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 3600 ; minimum ) - MX 10 mail.example.com. + MX 10 mail.example.com. NS ns.example.com. ns.example.com. A 10.53.0.3 -; -$INCLUDE Kexample.com.+015+03613.key -$INCLUDE Kexample.com.+015+35217.key -$INCLUDE Kexample.com.+016+09713.key -$INCLUDE Kexample.com.+016+38353.key diff --git a/bin/tests/system/eddsa/ns3/named.conf.in b/bin/tests/system/eddsa/ns3/named.conf.in new file mode 100644 index 0000000000..32d8c77d8f --- /dev/null +++ b/bin/tests/system/eddsa/ns3/named.conf.in 
@@ -0,0 +1,34 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/eddsa/ns3/sign.sh b/bin/tests/system/eddsa/ns3/sign.sh new file mode 100644 index 0000000000..b36869df41 --- /dev/null +++ b/bin/tests/system/eddsa/ns3/sign.sh @@ -0,0 +1,35 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +. ../../conf.sh + +zone=example.com. +infile=example.com.db.in +zonefile=example.com.db +starttime=20150729220000 +endtime=20150819220000 + +echo_i "ns3/sign.sh" + +cp $infile $zonefile + +if [ -f ../ed448-supported.file ]; then + for i in Xexample.com.+016+09713 Xexample.com.+016+38353 + do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" + done +fi + +$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err 
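Review bot: The `// NS2` comment in the new ns3/named.conf.in names the wrong server; every address in the file is 10.53.0.3, so it should read `// NS3`. The same file is added as ecdsa/ns3/named.conf.in in the third patch of the series and carries the same comment.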
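Review bot: `set -e` (and the `-e` on the shebang) never sees the signing step fail, because `|| cat signer.err` turns a non-zero $SIGNER into a command that succeeds, so an unsigned or partial example.com.db.signed is only noticed when tests.sh greps it. If setup is meant to stop on a signing failure, `... 2> signer.err || { cat signer.err; exit 1; }` does that; if the deferral is deliberate, a short comment saying so avoids the question. The script also sources `../../conf.sh` directly while ns2/sign.sh in the same patch goes through `SYSTEMTESTTOP=../..`; either form works, but one of them should be picked for both.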
diff --git a/bin/tests/system/eddsa/prereq.sh b/bin/tests/system/eddsa/prereq.sh index 96133e4ef6..2eb9fd4db5 100644 --- a/bin/tests/system/eddsa/prereq.sh +++ b/bin/tests/system/eddsa/prereq.sh @@ -12,4 +12,12 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -exec $SHELL ../testcrypto.sh eddsa +supported=0 +if $SHELL ../testcrypto.sh ed25519; then + supported=1 +fi +if $SHELL ../testcrypto.sh ed448; then + supported=1 +fi + +[ "$supported" -eq 1 ] || exit 1 diff --git a/bin/tests/system/eddsa/setup.sh b/bin/tests/system/eddsa/setup.sh index fea8a3822e..dfb070bff7 100644 --- a/bin/tests/system/eddsa/setup.sh +++ b/bin/tests/system/eddsa/setup.sh @@ -12,4 +12,27 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -cd ns1 && $SHELL sign.sh +if $SHELL ../testcrypto.sh ed25519; then + echo "yes" > ed25519-supported.file +fi + +if $SHELL ../testcrypto.sh ed448; then + echo "yes" > ed448-supported.file +fi + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf + +( + cd ns1 + $SHELL sign.sh +) +( + cd ns2 + $SHELL sign.sh +) +( + cd ns3 + $SHELL sign.sh +) diff --git a/bin/tests/system/eddsa/tests.sh b/bin/tests/system/eddsa/tests.sh index 8efb030da5..4fcfc1293e 100644 --- a/bin/tests/system/eddsa/tests.sh +++ b/bin/tests/system/eddsa/tests.sh 
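Review bot: The `( cd ns1 ; $SHELL sign.sh )` subshells in eddsa/setup.sh keep going when the cd fails and discard sign.sh's exit status in every case, so a broken key generation in ns1 surfaces only as validation failures in tests.sh. `( cd ns1 && $SHELL sign.sh )` for each of the three blocks, or the `set -e` that ecdsa/setup.sh adds in the third patch, makes setup itself fail. The two testcrypto.sh probes repeat the ones prereq.sh just ran; that is harmless, but a comment that the `*-supported.file` markers are what sign.sh and tests.sh consult would explain why they run twice.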
@@ -13,53 +13,70 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh status=0 -n=1 +n=0 -rm -f dig.out.* +dig_with_opts() { + "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +} -DIGOPTS="+tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p 5300" +if [ -f ed25519-supported.file ]; then + # Check the example. domain + n=$((n+1)) + echo_i "checking that Ed25519 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) -# Check the example. domain + # Check test vectors (RFC 8080 + errata) + n=$((n+1)) + echo_i "checking that Ed25519 test vectors match ($n)" + ret=0 + grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1 + grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1 + grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1 + grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "algorithm Ed25519 not supported, skipping vectors match test" +fi -echo_i "checking that positive validation works ($n)" -ret=0 -$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 -$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +if [ -f ed448-supported.file ]; then + # Check the example. domain + n=$((n+1)) + echo_i "checking that Ed448 positive validation works ($n)" + ret=0 + dig_with_opts . 
@10.53.0.1 soa > dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) -# Check test vectors (RFC 8080 + errata) + # Check test vectors (RFC 8080 + errata) + n=$((n+1)) + echo_i "checking that Ed448 test vectors match ($n)" + ret=0 + grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1 -echo_i "checking that Ed25519 test vectors match ($n)" -ret=0 -grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1 -n=$((n+1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - -echo_i "checking that Ed448 test vectors match ($n)" -ret=0 -grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'WKsJlwEA' ns2/example.com.db.signed > /dev/null || ret=1 - -grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns2/example.com.db.signed > /dev/null || ret=1 -grep 
'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns2/example.com.db.signed > /dev/null || ret=1 -grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'ZmQ0YQUA' ns2/example.com.db.signed > /dev/null || ret=1 - -n=$((n+1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) + grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1 + grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "algorithm Ed448 not supported, skipping vectors match test" +fi echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 From 40e56b0dcc3d8bfcde5cbac908ba012138d8f9e2 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 3 Feb 2021 11:52:30 +0100 Subject: [PATCH 3/4] Refactor ecdsa system test Similar to eddsa system test. (cherry picked from commit 650b0d4691d95ebfc9a535bf82f7f6656c8e6b9c) --- bin/tests/system/ecdsa/clean.sh | 13 +++--- .../ecdsa/ns1/{named.conf => named.conf.in} | 2 +- bin/tests/system/ecdsa/ns1/sign.sh | 39 ++++++++++++++---- .../ecdsa/ns2/{named.conf => named.conf.in} | 2 +- bin/tests/system/ecdsa/ns3/named.conf.in | 34 +++++++++++++++ bin/tests/system/ecdsa/setup.sh | 18 +++++++- bin/tests/system/ecdsa/tests.sh | 41 +++++++++++++------ 7 files changed, 122 insertions(+), 27 deletions(-) rename bin/tests/system/ecdsa/ns1/{named.conf => named.conf.in} (98%) rename bin/tests/system/ecdsa/ns2/{named.conf => named.conf.in} (98%) create mode 100644 bin/tests/system/ecdsa/ns3/named.conf.in 
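Review bot: The else messages `algorithm Ed25519 not supported, skipping vectors match test` (and the Ed448 one) understate what is skipped: when the marker file is absent the whole block, positive validation included, is skipped, so `echo_i "algorithm Ed25519 not supported, skipping Ed25519 tests"` reads true. The `# Check the example. domain` comments above both validation checks are stale as well: the queries are for the root SOA (`.`) against ns1 and ns2/ns3, and the example.com data only enters through the vector greps below. Starting `n` at 0 and incrementing it at the top of each check keeps the numbering consistent when a block is skipped, which is worth preserving.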
diff --git a/bin/tests/system/ecdsa/clean.sh b/bin/tests/system/ecdsa/clean.sh index 153364839e..6dd137dd7d 100644 --- a/bin/tests/system/ecdsa/clean.sh +++ b/bin/tests/system/ecdsa/clean.sh @@ -9,11 +9,14 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -rm -f */K* */dsset-* */*.signed */trusted.conf -rm -f ns1/root.db -rm -f ns1/signer.err +rm -f */K* */dsset-* */*.signed rm -f dig.out* -rm -f */named.run -rm -f */named.memstats +rm -f ns*/named.run +rm -f ns*/named.memstats rm -f ns*/named.lock +rm -f ns*/named.conf rm -f ns*/managed-keys.bind* +rm -f ns*/root.db +rm -f ns*/signer.err +rm -f ns*/trusted.conf +rm -f *-supported.file diff --git a/bin/tests/system/ecdsa/ns1/named.conf b/bin/tests/system/ecdsa/ns1/named.conf.in similarity index 98% rename from bin/tests/system/ecdsa/ns1/named.conf rename to bin/tests/system/ecdsa/ns1/named.conf.in index f58ca7e754..a68caf9d96 100644 --- a/bin/tests/system/ecdsa/ns1/named.conf +++ b/bin/tests/system/ecdsa/ns1/named.conf.in @@ -17,7 +17,7 @@ options { query-source address 10.53.0.1; notify-source 10.53.0.1; transfer-source 10.53.0.1; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.1; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/ecdsa/ns1/sign.sh b/bin/tests/system/ecdsa/ns1/sign.sh index a763ec86fd..3038b6b9a4 100644 --- a/bin/tests/system/ecdsa/ns1/sign.sh +++ b/bin/tests/system/ecdsa/ns1/sign.sh 
@@ -16,14 +16,39 @@ zone=. infile=root.db.in zonefile=root.db -key1=`$KEYGEN -q -a ECDSAP256SHA256 -n zone $zone` -key2=`$KEYGEN -q -a ECDSAP384SHA384 -n zone -f KSK $zone` -$DSFROMKEY -a sha-384 $key2.key > dsset-384 +echo_i "ns1/sign.sh" -cat $infile $key1.key $key2.key > $zonefile +cp $infile $zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err +if [ -f ../ecdsa256-supported.file ]; then + zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone") + ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone") + cat "$ksk256.key" "$zsk256.key" >> "$zonefile" + $DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256 +fi + +if [ -f ../ecdsa384-supported.file ]; then + zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone") + ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone") + cat "$ksk384.key" "$zsk384.key" >> "$zonefile" + $DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256 +fi # Configure the resolving server with a static key. -keyfile_to_static_ds $key1 > trusted.conf -cp trusted.conf ../ns2/trusted.conf +if [ -f ../ecdsa256-supported.file ]; then + keyfile_to_static_ds $ksk256 > trusted.conf + cp trusted.conf ../ns2/trusted.conf +else + keyfile_to_static_ds $ksk384 > trusted.conf + cp trusted.conf ../ns2/trusted.conf +fi + +if [ -f ../ecdsa384-supported.file ]; then + keyfile_to_static_ds $ksk384 > trusted.conf + cp trusted.conf ../ns3/trusted.conf +else + keyfile_to_static_ds $ksk256 > trusted.conf + cp trusted.conf ../ns3/trusted.conf +fi + +$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err diff --git a/bin/tests/system/ecdsa/ns2/named.conf b/bin/tests/system/ecdsa/ns2/named.conf.in similarity index 98% rename from bin/tests/system/ecdsa/ns2/named.conf rename to bin/tests/system/ecdsa/ns2/named.conf.in index 420073fc05..198cdbbcec 100644 --- a/bin/tests/system/ecdsa/ns2/named.conf +++ b/bin/tests/system/ecdsa/ns2/named.conf.in 
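Review bot: The KEYGEN calls name the algorithms `ECDSA256` and `ECDSA384` where the removed lines used ECDSAP256SHA256 and ECDSAP384SHA384; if KEYGEN accepts the short forms as aliases this is only spelling, but the canonical mnemonics are the ones setup.sh passes (lowercased) to testcrypto.sh, and using them here too keeps one name per algorithm. The DS for the P-384 KSK is now produced with `-a sha-256` and appended to dsset-256, while the removed line used `-a sha-384` into dsset-384; RFC 6605, as I read it, pairs P-384 keys with a SHA-384 DS digest, so `$DSFROMKEY -a sha-384 "$ksk384.key" >> dsset-384` would preserve what the test exercised before. As in the eddsa counterpart, the four trusted.conf branches reduce to `ns2ksk=${ksk256:-$ksk384}` and `ns3ksk=${ksk384:-$ksk256}` with one keyfile_to_static_ds call each.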
@@ -17,7 +17,7 @@ options { query-source address 10.53.0.2; notify-source 10.53.0.2; transfer-source 10.53.0.2; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.2; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/ecdsa/ns3/named.conf.in b/bin/tests/system/ecdsa/ns3/named.conf.in new file mode 100644 index 0000000000..32d8c77d8f --- /dev/null +++ b/bin/tests/system/ecdsa/ns3/named.conf.in @@ -0,0 +1,34 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/ecdsa/setup.sh b/bin/tests/system/ecdsa/setup.sh index fea8a3822e..a31d77dbd5 100644 --- a/bin/tests/system/ecdsa/setup.sh +++ b/bin/tests/system/ecdsa/setup.sh @@ -12,4 +12,20 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -cd ns1 && $SHELL sign.sh +set -e + +if $SHELL ../testcrypto.sh ecdsap384sha384; then + echo "yes" > ecdsa256-supported.file +fi + +if $SHELL ../testcrypto.sh ecdsap384sha384; then + echo "yes" > ecdsa384-supported.file +fi + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +( + cd ns1 + $SHELL sign.sh +) diff --git a/bin/tests/system/ecdsa/tests.sh b/bin/tests/system/ecdsa/tests.sh index 8f8c6974a2..072463263b 100644 
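Review bot: Both marker files in ecdsa/setup.sh are gated on the same probe, `$SHELL ../testcrypto.sh ecdsap384sha384`, yet the first block writes ecdsa256-supported.file; it should probe the P-256 algorithm, `if $SHELL ../testcrypto.sh ecdsap256sha256; then` (assuming testcrypto.sh takes that spelling — it is the name the removed ns1/sign.sh KEYGEN line used). As written, a build with P-384 but not P-256 still creates the 256 marker, so ns1/sign.sh runs KEYGEN for ECDSA256 and tests.sh runs the ECDSA256 check, while a build with P-256 but not P-384 skips both. This is the same copy-paste slip the first patch of the series fixes in testcrypto.sh, so a one-word comment naming the algorithm each probe stands for is cheap insurance.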
--- a/bin/tests/system/ecdsa/tests.sh +++ b/bin/tests/system/ecdsa/tests.sh @@ -15,20 +15,37 @@ SYSTEMTESTTOP=.. status=0 n=0 -rm -f dig.out.* +dig_with_opts() { + "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +} -DIGOPTS="+tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p 5300" +if [ -f ecdsa256-supported.file ]; then + n=$((n+1)) + echo_i "checking that ECDSA256 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "algorithm ECDSA256 not supported, skipping test" +fi -# Check the example. domain -echo_i "checking that positive validation works ($n)" -ret=0 -$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 -$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +if [ -f ecdsa384-supported.file ]; then + n=$((n+1)) + echo_i "checking that ECDSA384 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "algorithm ECDSA384 not supported, skipping test" +fi echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 From 1a32cf543bc891e3d7df36fee34e478260ca9a6b Mon Sep 17 00:00:00 2001 
From: Matthijs Mekking
Date: Wed, 3 Feb 2021 12:05:18 +0100
Subject: [PATCH 4/4] Update copyrights for [#1810]
(cherry picked from commit 51827ddcd3f5c1baf588ca1fe688cf109d3dab3c)
---
 util/copyrights | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/util/copyrights b/util/copyrights
index 3a018c4a91..54b4af1c29 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -550,11 +550,12 @@
 ./bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private X 2017,2018,2019,2020,2021
 ./bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key X 2017,2018,2019,2020,2021
 ./bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private X 2017,2018,2019,2020,2021
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key X 2019,2020,2021
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private X 2019,2020,2021
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key X 2019,2020,2021
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private X 2019,2020,2021
 ./bin/tests/system/eddsa/ns2/sign.sh SH 2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key X 2021
+./bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private X 2021
+./bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key X 2021
+./bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private X 2021
+./bin/tests/system/eddsa/ns3/sign.sh SH 2021
 ./bin/tests/system/eddsa/prereq.sh SH 2017,2018,2019,2020,2021
 ./bin/tests/system/eddsa/setup.sh SH 2017,2018,2019,2020,2021
 ./bin/tests/system/eddsa/tests.sh SH 2017,2018,2019,2020,2021