blob: 42c75196b2015667c6bb8f82e5bd73605f8fb39d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
#!/bin/bash
# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# 2018-08-30
# License: GPLv3+
# error on exit
set -e
# for handling jobspecs:
set -m
if [ -z "$AUTOPKGTEST_ARTIFACTS" ]; then
d="$(mktemp -d)"
remove="$d"
else
d="$AUTOPKGTEST_ARTIFACTS"
fi
ip="${TESTIP:-127.$(( $RANDOM % 256 )).$(( $RANDOM % 256 )).$(( $RANDOM % 256 ))}"
kresd="${KRESD:-/usr/sbin/kresd}"
kdig="${KDIG:-$(command -v kdig)}"
declare -a kresd_args=(--addr="$ip@8053" --tls="$ip@8853" --noninteractive --config="$d/kresd.conf" --verbose --verbose --verbose)
if [ -n "$MODULE_DIR" ]; then
kresd_args+=(-m "$MODULE_DIR")
fi
printf "%s + %s roundtrip tests\n------------\n workdir: %s\n IP addr: %s\n kresd args: %s\n" "$kresd" "$kdig" "$d" "$ip" "${kresd_args[*]}"
section() {
printf "\n%s\n" "$1"
sed 's/./-/g' <<<"$1"
}
cleanup () {
section "cleaning up"
find "$d" -ls
tail -n +1 -v "$d"/*.err
ctrl_socket=/run/knot-resolver/control/1
if [ -S "$ctrl_socket" ]; then
echo 'quit()' | socat STDIO "UNIX-CONNECT:$ctrl_socket"
wait %1
else
pkill -KILL kresd ; true
fi
if [ "$remove" ]; then
printf "\ncleaning up working directory %s\n" "$remove"
rm -rf "$remove"
fi
}
trap cleanup EXIT
section "make Certificate Authority key and certificate"
cat > "$d/ca.template" <<EOF
cn = "testing certificate authority (NOT FOR PRODUCTION)"
expiration_days = 12
ca
path_len = 1
nc_permit_dns = example
cert_signing_key
EOF
certtool --stdout-info --generate-privkey --outfile "$d/ca-key.pem"
certtool --stdout-info --generate-self-signed --template "$d/ca.template" --load-privkey "$d/ca-key.pem" --outfile "$d/ca-cert.pem"
section "make Bogus Certificate Authority key and certificate"
certtool --stdout-info --generate-privkey --outfile "$d/bogus-key.pem"
certtool --stdout-info --generate-self-signed --template "$d/ca.template" --load-privkey "$d/bogus-key.pem" --outfile "$d/bogus-cert.pem"
section "make End Entity key and certificate"
cat > "$d/ee.template" <<EOF
cn = "test.example"
dns_name = test.example
expiration_days = 10
signing_key
tls_www_server
EOF
certtool --stdout-info --generate-privkey --outfile "$d/ee-key.pem"
certtool --stdout-info --pubkey-info --load-privkey "$d/ee-key.pem" --outfile "$d/ee-pubkey.pem"
certtool --stdout-info --generate-certificate --load-ca-privkey "$d/ca-key.pem" --load-ca-certificate "$d/ca-cert.pem" --template "$d/ee.template" --load-pubkey "$d/ee-pubkey.pem" --outfile "$d/ee-cert.pem"
section "set up kresd daemon on $ip on ports 8053 (UDP, TCP) and 8853 (TLS)"
cat > "$d/kresd.conf" <<EOF
verbose(true)
modules = { 'hints > iterate' }
net.tls("$d/ee-cert.pem", "$d/ee-key.pem")
hints["monkeys.example"] = "127.15.23.5"
local path = '/run/knot-resolver/control/1'
local ok, err = pcall(net.listen, path, nil, { kind = 'control' })
if not ok then
warn('bind to '..path..' failed '..err)
end
EOF
"$kresd" "${kresd_args[@]}" "$d" 2> "$d/kresd.err" &
sleep 1
section "test UDP with kdig"
x=$("$kdig" +short +time=2 +retry=0 @"$ip:8053" monkeys.example)
[ "$x" = "127.15.23.5" ]
echo "successful UDP request to $ip on port 8053"
section "test TCP with kdig"
x=$("$kdig" +short +tcp @"$ip:8053" monkeys.example)
[ "$x" = "127.15.23.5" ]
echo "successful TCP request to $ip on port 8053"
section "test opportunistic DNS-over-TLS with kdig"
x=$("$kdig" +short +tls @"$ip:8853" monkeys.example)
[ "$x" = "127.15.23.5" ]
echo "successful opportunistic DNS-over-TLS request to $ip on port 8853"
section "test strict DNS-over-TLS with kdig"
x=$("$kdig" +short +tls +tls-ca="$d/ca-cert.pem" +tls-hostname=test.example @"$ip:8853" monkeys.example)
[ "$x" = "127.15.23.5" ]
echo "successful strict DNS-over-TLS request to $ip on port 8853"
section "test invalid name with strict DNS-over-TLS with kdig"
# Kdig returns non-zero code if error since version 2.7.5
x=$("$kdig" +tls +tls-ca="$d/ca-cert.pem" +tls-hostname=notright.example @"$ip:8853" monkeys.example 2>"$d/badname.err" || true)
if [ "$x" ]; then
printf >&2 "got: %s\nShould not have succeeded since name did not match!" "$x"
false
fi
echo "successful strict DNS-over-TLS request failure when name mismatch to $ip on port 8853"
section "test bad authority with strict DNS-over-TLS with kdig"
# Kdig returns non-zero code if error since version 2.7.5
x=$("$kdig" +tls-ca="$d/bogus-cert.pem" +tls-hostname=test.example @"$ip:8853" monkeys.example 2>"$d/badca.err" || true)
if [ "$x" ]; then
printf >&2 "got: %s\nShould not have succeeded since authority was wrong!" "$x"
false
fi
echo "successful strict DNS-over-TLS request failure to $ip on port 8853"
|