diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2017-05-07 17:40:41 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2017-05-07 18:39:05 +0100 |
commit | ce889807c90746896f1310e9f4957215f46f7836 (patch) | |
tree | 1ec45758956dcc38985d2bcf8fe31fff71d16044 | |
parent | b7e4352c99fe3dee2af93f06ef0ac74ee355d5ea (diff) |
Testsuite: add DANE cases for DNS secure no-TLSA lookups
-rw-r--r-- | test/dnszones-src/db.test.ex | 12 | ||||
-rw-r--r-- | test/log/5840 | 12 | ||||
-rw-r--r-- | test/scripts/5840-DANE-OpenSSL/5840 | 15 | ||||
-rw-r--r-- | test/src/fakens.c | 16 | ||||
-rw-r--r-- | test/stderr/5840 | 4 | ||||
-rw-r--r-- | test/stdout/5840 | 4 |
6 files changed, 53 insertions, 10 deletions
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index 50bd6b073..f7c9e313b 100644 --- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex @@ -461,7 +461,8 @@ DNSSEC danelazy2 A 127.0.0.1 DNSSEC _1225._tcp.danelazy CNAME test.again.dns. DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns. -; hosts with no TLSA +; hosts with no TLSA (just missing here, hence the TLSA NXDMAIN is _insecure_; a broken dane config) +; 1 for dane-required, 2 for merely requested DNSSEC dane.no.1 A HOSTIPV4 DNSSEC dane.no.2 A 127.0.0.1 @@ -469,6 +470,15 @@ DNSSEC dane.no.2 A 127.0.0.1 DNSSEC danebroken1 A 127.0.0.1 _1225._tcp.danebroken1 CNAME test.fail.dns. +; a good dns config saying there is no dane support, by securely returning NOXDOMAIN for TLSA lookups +; 3 for dane-required, 4 for merely requested +; the TLSA data here is dummy; ignored +DNSSEC dane.no.3 A HOSTIPV4 +DNSSEC dane.no.4 A 127.0.0.1 + +DNSSEC NXDOMAIN _1225._tcp.dane.no.3 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741 +DNSSEC NXDOMAIN _1225._tcp.dane.no.4 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741 + ; ------- Testing delays ------------ DELAY=500 delay500 A HOSTIPV4 diff --git a/test/log/5840 b/test/log/5840 index d02a4c7d7..b2f949009 100644 --- a/test/log/5840 +++ b/test/log/5840 @@ -27,6 +27,8 @@ 1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex 1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex 1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken1.test.ex +1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.3.test.ex +1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.4.test.ex 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER @@ -38,6 +40,13 @@ 1999-03-02 09:44:33 10HmbJ-0005vi-00 == CALLER@dane.no.2.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbK-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbK-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbL-0005vi-00 ** CALLER@dane.no.3.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL +1999-03-02 09:44:33 10HmbL-0005vi-00 CALLER@dane.no.3.test.ex: error ignored +1999-03-02 09:44:33 10HmbL-0005vi-00 Completed +1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.4.test.ex" +1999-03-02 09:44:33 10HmbM-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbN-0005vi-00" +1999-03-02 09:44:33 10HmbM-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** @@ -61,3 +70,6 @@ 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbN-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for CALLER@dane.no.4.test.ex +1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: <CALLER@dane.no.4.test.ex> R=server +1999-03-02 09:44:33 10HmbN-0005vi-00 Completed diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840 index fdff36119..142a25ad4 100644 --- a/test/scripts/5840-DANE-OpenSSL/5840 +++ b/test/scripts/5840-DANE-OpenSSL/5840 @@ -73,13 +73,14 @@ Testing exim -odq CALLER@danebroken1.test.ex Testing **** -# ### A server securely saying "no TLSA records here", dane required (should fail) -# exim -odq CALLER@dane.no.3.test.ex -# Testing -# ### A server securely saying "no TLSA records here", dane requested only (should transmit) -# exim -odq CALLER@dane.no.4.test.ex -# Testing -# **** +### A server securely saying "no TLSA records here", dane required (should fail) +exim -odq CALLER@dane.no.3.test.ex +Testing +**** +### A server securely saying "no TLSA records here", dane requested only (should transmit) +exim -odq CALLER@dane.no.4.test.ex +Testing +**** exim -qf **** killdaemon diff --git a/test/src/fakens.c b/test/src/fakens.c index 34f5ea670..583b01282 100644 --- a/test/src/fakens.c +++ b/test/src/fakens.c @@ -53,11 +53,15 @@ HOST_NOT_FOUND. Any DNS record line in a zone file can be prefixed with "DELAY=" and a number of milliseconds (followed by one space). -Any DNS record line in a zone file can be prefixed with "DNSSEC "; +Any DNS record line can be prefixed with "DNSSEC "; if all the records found by a lookup are marked as such then the response will have the "AD" bit set. -Any DNS record line in a zone file can be prefixed with "AA " +Any DNS record line can be prefixed with "NXDOMAIN "; +The record will be ignored (but the prefix set still applied); +This lets us return a DNSSEC NXDOMAIN. + +Any DNS record line can be prefixed with "AA " if all the records found by a lookup are marked as such then the response will have the "AA" bit set. @@ -354,6 +358,7 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) int qtlen = qtypelen; BOOL rr_sec = FALSE; BOOL rr_aa = FALSE; + BOOL rr_ignore = FALSE; int delay = 0; uint ttl = DEFAULT_TTL; @@ -379,6 +384,11 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) rr_sec = TRUE; p += 7; } + if (Ustrncmp(p, US"NXDOMAIN ", 9) == 0) /* ignore record content */ + { + rr_ignore = TRUE; + p += 9; + } else if (Ustrncmp(p, US"AA ", 3) == 0) /* tagged as authoritative */ { rr_aa = TRUE; @@ -464,6 +474,8 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) if (aa && !rr_aa) *aa = FALSE; /* cancel AA return */ + if (rr_ignore) continue; + yield = 0; *countptr = *countptr + 1; diff --git a/test/stderr/5840 b/test/stderr/5840 index 75f938ab4..5ccf7cda0 100644 --- a/test/stderr/5840 +++ b/test/stderr/5840 @@ -73,6 +73,8 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] ### A server lacking a TLSA, dane required (should fail) ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) ### A server where the A is dnssec and the TLSA _fails_ +### A server securely saying "no TLSA records here", dane required (should fail) +### A server securely saying "no TLSA records here", dane requested only (should transmit) ******** SERVER ******** ### TLSA (3 1 1) @@ -85,3 +87,5 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] ### A server lacking a TLSA, dane required (should fail) ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) ### A server where the A is dnssec and the TLSA _fails_ +### A server securely saying "no TLSA records here", dane required (should fail) +### A server securely saying "no TLSA records here", dane requested only (should transmit) diff --git a/test/stdout/5840 b/test/stdout/5840 index 5071e7de5..32425d2e2 100644 --- a/test/stdout/5840 +++ b/test/stdout/5840 @@ -17,6 +17,8 @@ ### A server lacking a TLSA, dane required (should fail) ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) ### A server where the A is dnssec and the TLSA _fails_ +### A server securely saying "no TLSA records here", dane required (should fail) +### A server securely saying "no TLSA records here", dane requested only (should transmit) ******** SERVER ******** ### TLSA (3 1 1) @@ -29,3 +31,5 @@ ### A server lacking a TLSA, dane required (should fail) ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) ### A server where the A is dnssec and the TLSA _fails_ +### A server securely saying "no TLSA records here", dane required (should fail) +### A server securely saying "no TLSA records here", dane requested only (should transmit) |