#!/bin/bash
# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# 2018-08-30
# License: GPLv3+
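# Exit on the first failing command.  Note this stays in force inside the
# EXIT trap as well, so the cleanup handler has to be written defensively.
set -e
# Job control, so the backgrounded kresd can be addressed as jobspec %1.
set -m
# Work directory: reuse the autopkgtest artifact directory when present
# (it is then left in place), otherwise a private mktemp directory that
# cleanup removes.  Everything lands here, including the test CA and
# server private keys, so with AUTOPKGTEST_ARTIFACTS set they are kept
# alongside the other artifacts (test-only material, never for production).
if [ -z "$AUTOPKGTEST_ARTIFACTS" ]; then
  d="$(mktemp -d)"
  remove="$d"
else
  d="$AUTOPKGTEST_ARTIFACTS"
fi
# Bind to a random 127.x.y.z loopback address (override with TESTIP) so
# concurrent runs do not collide on ports 8053/8853.
ip="${TESTIP:-127.$(( RANDOM % 256 )).$(( RANDOM % 256 )).$(( RANDOM % 256 ))}"
kresd="${KRESD:-/usr/sbin/kresd}"
if [ ! -x "$kresd" ]; then
  printf >&2 "kresd binary %s is not executable; set KRESD to the resolver to test\n" "$kresd"
  exit 1
fi
# Locate kdig with the shell builtin instead of `which`, and fail with a
# message rather than the silent exit that `set -e` gives when the command
# substitution in a plain assignment returns non-zero.
kdig="${KDIG:-}"
if [ -z "$kdig" ]; then
  kdig="$(command -v kdig || true)"
fi
if [ -z "$kdig" ]; then
  printf >&2 "kdig not found in PATH; set KDIG or install kdig\n"
  exit 1
fi
# Listeners: 8053 (UDP+TCP) and 8853 (TLS) on $ip, single process, config
# written into the work directory below, maximum verbosity for the log.
declare -a kresd_args=(--addr="$ip@8053" --tls="$ip@8853" --forks=1 --config="$d/kresd.conf" --verbose --verbose --verbose)
if [ -n "$MODULE_DIR" ]; then
  kresd_args+=(-m "$MODULE_DIR")
fi
printf "%s + %s roundtrip tests\n------------\n workdir: %s\n IP addr: %s\n kresd args: %s\n" "$kresd" "$kdig" "$d" "$ip" "${kresd_args[*]}"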
# Print a section heading for the log: a blank line, the title, and an
# underline made of one dash per character of the title.
section() {
  local title="$1"
  printf '\n%s\n' "$title"
  printf '%s\n' "$title" | sed 's/./-/g'
}
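# EXIT-trap handler: dump the work directory and kresd's stderr into the
# log, stop kresd, and remove the work directory if this script created it
# ($remove is only set for the mktemp case).
#
# Every step is best-effort on purpose: `set -e` is in force inside the
# trap too, so a single failing command (no *.err yet, socat missing, no
# control socket because kresd never started, no job %1) would otherwise
# abort the handler and leave both a running daemon and a directory of
# private keys behind.
cleanup () {
  local sock quit_sent=0 rc=0
  section "cleaning up"
  find "$d" -ls || true
  tail -n +1 -v "$d"/*.err || true
  # Only touch the daemon if the background job actually exists.
  if jobs %1 >/dev/null 2>&1; then
    # Ask kresd to exit through its control socket (expected under
    # $d/tty/).  Iterate the glob instead of echo-ing it so an unmatched
    # or multi-match glob cannot turn into a bogus socket path.
    for sock in "$d"/tty/*; do
      [ -S "$sock" ] || continue
      if echo 'quit()' | socat STDIO "UNIX-CONNECT:$sock"; then
        quit_sent=1
      fi
    done
    if [ "$quit_sent" = 0 ]; then
      # No usable control socket: send TERM so the wait below cannot hang.
      kill %1 2>/dev/null || true
    fi
    # Reap kresd and keep its status; it is reported once the directory
    # has been dealt with, so a bad status never skips the removal.
    wait %1 2>/dev/null || rc=$?
  fi
  if [ "$remove" ]; then
    printf "\ncleaning up working directory %s\n" "$remove"
    rm -rf -- "$remove"
  fi
  if [ "$rc" -ne 0 ]; then
    printf >&2 "kresd exited with status %s\n" "$rc"
    exit "$rc"
  fi
}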
# Run the teardown on every exit path (success, failed assertion, signal).
trap cleanup EXIT

section "make Certificate Authority key and certificate"
# Self-signed test CA carrying a DNS name constraint for "example".
# The template delimiter is quoted: nothing in it needs shell expansion.
cat > "$d/ca.template" <<'EOF'
cn = "testing certificate authority (NOT FOR PRODUCTION)"
expiration_days = 12
ca
path_len = 1
nc_permit_dns = example
cert_signing_key
EOF
certtool --stdout-info --generate-privkey \
  --outfile "$d/ca-key.pem"
certtool --stdout-info --generate-self-signed \
  --template "$d/ca.template" \
  --load-privkey "$d/ca-key.pem" \
  --outfile "$d/ca-cert.pem"

section "make Bogus Certificate Authority key and certificate"
# Same template (so the same subject), but a freshly generated key: a
# trust anchor that must NOT validate the end-entity certificate issued
# by the real CA above.
certtool --stdout-info --generate-privkey \
  --outfile "$d/bogus-key.pem"
certtool --stdout-info --generate-self-signed \
  --template "$d/ca.template" \
  --load-privkey "$d/bogus-key.pem" \
  --outfile "$d/bogus-cert.pem"

section "make End Entity key and certificate"
# Server certificate for test.example, signed by the real CA's key.
cat > "$d/ee.template" <<'EOF'
cn = "test.example"
dns_name = test.example
expiration_days = 10
signing_key
tls_www_server
EOF
certtool --stdout-info --generate-privkey \
  --outfile "$d/ee-key.pem"
certtool --stdout-info --pubkey-info \
  --load-privkey "$d/ee-key.pem" \
  --outfile "$d/ee-pubkey.pem"
certtool --stdout-info --generate-certificate \
  --load-ca-privkey "$d/ca-key.pem" \
  --load-ca-certificate "$d/ca-cert.pem" \
  --template "$d/ee.template" \
  --load-pubkey "$d/ee-pubkey.pem" \
  --outfile "$d/ee-cert.pem"
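section "set up kresd daemon on $ip on ports 8053 (UDP, TCP) and 8853 (TLS)"
# Minimal resolver config: the TLS listener uses the end-entity key/cert
# made above, and monkeys.example is answered from a static hint so no
# upstream network is needed.  The delimiter is unquoted on purpose: $d
# is expanded into the Lua string.
cat > "$d/kresd.conf" <<EOF
verbose(true)
modules = { 'hints > iterate' }
net.tls("$d/ee-cert.pem", "$d/ee-key.pem")
hints["monkeys.example"] = "127.15.23.5"
EOF
# Start kresd in the background (job %1, stopped by cleanup) with $d as
# its working directory and stderr captured for the log.
"$kresd" "${kresd_args[@]}" "$d" 2> "$d/kresd.err" &
# Wait for the listener to actually answer instead of sleeping a fixed
# second: the first real test below uses +retry=0, so a slow start would
# otherwise surface as a spurious UDP failure.  Bounded at roughly 10 s.
ready=0
for _ in 1 2 3 4 5 6 7 8 9 10; do
  if "$kdig" +short +time=1 +retry=0 @"$ip:8053" monkeys.example >/dev/null 2>&1; then
    ready=1
    break
  fi
  sleep 1
done
if [ "$ready" = 0 ]; then
  printf >&2 "kresd on %s:8053 did not answer within the startup window; see %s/kresd.err\n" "$ip" "$d"
  false
fi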
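section "test UDP with kdig"
# Plain UDP, a single attempt with a short timeout.
x=$("$kdig" +short +time=2 +retry=0 @"$ip:8053" monkeys.example)
[ "$x" = "127.15.23.5" ]
echo "successful UDP request to $ip on port 8053"

section "test TCP with kdig"
x=$("$kdig" +short +tcp @"$ip:8053" monkeys.example)
[ "$x" = "127.15.23.5" ]
echo "successful TCP request to $ip on port 8053"

section "test opportunistic DNS-over-TLS with kdig"
# +tls alone performs no certificate validation: this shows only that the
# TLS listener works, it says nothing about authentication of the server.
x=$("$kdig" +short +tls @"$ip:8853" monkeys.example)
[ "$x" = "127.15.23.5" ]
echo "successful opportunistic DNS-over-TLS request to $ip on port 8853"

section "test strict DNS-over-TLS with kdig"
# Strict mode: the chain must validate against the test CA and the name
# must match test.example.
x=$("$kdig" +short +tls +tls-ca="$d/ca-cert.pem" +tls-hostname=test.example @"$ip:8853" monkeys.example)
[ "$x" = "127.15.23.5" ]
echo "successful strict DNS-over-TLS request to $ip on port 8853"

section "test invalid name with strict DNS-over-TLS with kdig"
# Kdig returns non-zero code if error since version 2.7.5; older versions
# exit 0, so the check is on the (empty) answer rather than on the exit
# status, and kdig's stderr is kept in badname.err for the log.
x=$("$kdig" +tls +tls-ca="$d/ca-cert.pem" +tls-hostname=notright.example @"$ip:8853" monkeys.example 2>"$d/badname.err" || true)
if [ "$x" ]; then
  printf >&2 "got: %s\nShould not have succeeded since name did not match!" "$x"
  false
fi
echo "successful strict DNS-over-TLS request failure when name mismatch to $ip on port 8853"

section "test bad authority with strict DNS-over-TLS with kdig"
# Same as above, but trusting the bogus CA (same subject, different key).
# +tls is given explicitly, as in the other TLS tests, instead of relying
# on +tls-ca to imply it: if it did not, the query would go over plain
# DNS to the TLS port, get no answer, and the test would pass vacuously.
x=$("$kdig" +tls +tls-ca="$d/bogus-cert.pem" +tls-hostname=test.example @"$ip:8853" monkeys.example 2>"$d/badca.err" || true)
if [ "$x" ]; then
  printf >&2 "got: %s\nShould not have succeeded since authority was wrong!" "$x"
  false
fi
echo "successful strict DNS-over-TLS request failure to $ip on port 8853"

section "re-check strict DNS-over-TLS after the negative tests"
# Both negative tests pass on an empty answer, which a crashed or wedged
# kresd would produce just as well as a rejected certificate.  A valid
# strict query must still succeed so the two failures above can be
# attributed to certificate validation rather than to a dead server.
x=$("$kdig" +short +tls +tls-ca="$d/ca-cert.pem" +tls-hostname=test.example @"$ip:8853" monkeys.example)
[ "$x" = "127.15.23.5" ]
echo "kresd on $ip port 8853 still answers a valid strict request after the negative tests"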