diff options
Diffstat (limited to '')
-rwxr-xr-x | debian/tests/roundtrip | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/debian/tests/roundtrip b/debian/tests/roundtrip new file mode 100755 index 0000000..81c4074 --- /dev/null +++ b/debian/tests/roundtrip @@ -0,0 +1,134 @@ +#!/bin/bash + +# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# 2018-08-30 +# License: GPLv3+ + +# error on exit +set -e +# for handling jobspecs: +set -m + +if [ -z "$AUTOPKGTEST_ARTIFACTS" ]; then + d="$(mktemp -d)" + remove="$d" +else + d="$AUTOPKGTEST_ARTIFACTS" +fi +ip="${TESTIP:-127.$(( $RANDOM % 256 )).$(( $RANDOM % 256 )).$(( $RANDOM % 256 ))}" +kresd="${KRESD:-/usr/sbin/kresd}" +kdig="${KDIG:-$(which kdig)}" + +declare -a kresd_args=(--addr="$ip@8053" --tls="$ip@8853" --noninteractive --config="$d/kresd.conf" --verbose --verbose --verbose) +if [ -n "$MODULE_DIR" ]; then + kresd_args+=(-m "$MODULE_DIR") +fi + +printf "%s + %s roundtrip tests\n------------\n workdir: %s\n IP addr: %s\n kresd args: %s\n" "$kresd" "$kdig" "$d" "$ip" "${kresd_args[*]}" + +section() { + printf "\n%s\n" "$1" + sed 's/./-/g' <<<"$1" +} + +cleanup () { + section "cleaning up" + find "$d" -ls + tail -n +1 -v "$d"/*.err + ctrl_socket=/run/knot-resolver/control/1 + if [ -S "$ctrl_socket" ]; then + echo 'quit()' | socat STDIO "UNIX-CONNECT:$ctrl_socket" + wait %1 + else + pkill -KILL kresd ; true + fi + + if [ "$remove" ]; then + printf "\ncleaning up working directory %s\n" "$remove" + rm -rf "$remove" + fi +} +trap cleanup EXIT + +section "make Certificate Authority key and certificate" +cat > "$d/ca.template" <<EOF +cn = "testing certificate authority (NOT FOR PRODUCTION)" +expiration_days = 12 +ca +path_len = 1 +nc_permit_dns = example +cert_signing_key +EOF +certtool --stdout-info --generate-privkey --outfile "$d/ca-key.pem" +certtool --stdout-info --generate-self-signed --template "$d/ca.template" --load-privkey "$d/ca-key.pem" --outfile "$d/ca-cert.pem" + +section "make Bogus Certificate Authority key and certificate" +certtool --stdout-info --generate-privkey --outfile "$d/bogus-key.pem" +certtool --stdout-info --generate-self-signed --template "$d/ca.template" --load-privkey "$d/bogus-key.pem" --outfile "$d/bogus-cert.pem" + +section "make End Entity key and certificate" +cat > "$d/ee.template" <<EOF +cn = "test.example" +dns_name = test.example +expiration_days = 10 +signing_key +tls_www_server +EOF +certtool --stdout-info --generate-privkey --outfile "$d/ee-key.pem" +certtool --stdout-info --pubkey-info --load-privkey "$d/ee-key.pem" --outfile "$d/ee-pubkey.pem" +certtool --stdout-info --generate-certificate --load-ca-privkey "$d/ca-key.pem" --load-ca-certificate "$d/ca-cert.pem" --template "$d/ee.template" --load-pubkey "$d/ee-pubkey.pem" --outfile "$d/ee-cert.pem" + +section "set up kresd daemon on $ip on ports 8053 (UDP, TCP) and 8853 (TLS)" +cat > "$d/kresd.conf" <<EOF +verbose(true) +modules = { 'hints > iterate' } +net.tls("$d/ee-cert.pem", "$d/ee-key.pem") +hints["monkeys.example"] = "127.15.23.5" + +local path = '/run/knot-resolver/control/1' +local ok, err = pcall(net.listen, path, nil, { kind = 'control' }) +if not ok then + warn('bind to '..path..' failed '..err) +end +EOF +"$kresd" "${kresd_args[@]}" "$d" 2> "$d/kresd.err" & + +sleep 1 + +section "test UDP with kdig" +x=$("$kdig" +short +time=2 +retry=0 @"$ip:8053" monkeys.example) +[ "$x" = "127.15.23.5" ] +echo "successful UDP request to $ip on port 8053" + +section "test TCP with kdig" +x=$("$kdig" +short +tcp @"$ip:8053" monkeys.example) +[ "$x" = "127.15.23.5" ] +echo "successful TCP request to $ip on port 8053" + +section "test opportunistic DNS-over-TLS with kdig" +x=$("$kdig" +short +tls @"$ip:8853" monkeys.example) +[ "$x" = "127.15.23.5" ] +echo "successful opportunistic DNS-over-TLS request to $ip on port 8853" + +section "test strict DNS-over-TLS with kdig" +x=$("$kdig" +short +tls +tls-ca="$d/ca-cert.pem" +tls-hostname=test.example @"$ip:8853" monkeys.example) +[ "$x" = "127.15.23.5" ] +echo "successful strict DNS-over-TLS request to $ip on port 8853" + +section "test invalid name with strict DNS-over-TLS with kdig" +# Kdig returns non-zero code if error since version 2.7.5 +x=$("$kdig" +tls +tls-ca="$d/ca-cert.pem" +tls-hostname=notright.example @"$ip:8853" monkeys.example 2>"$d/badname.err" || true) +if [ "$x" ]; then + printf >&2 "got: %s\nShould not have succeeded since name did not match!" "$x" + false +fi +echo "successful strict DNS-over-TLS request failure when name mismatch to $ip on port 8853" + +section "test bad authority with strict DNS-over-TLS with kdig" +# Kdig returns non-zero code if error since version 2.7.5 +x=$("$kdig" +tls-ca="$d/bogus-cert.pem" +tls-hostname=test.example @"$ip:8853" monkeys.example 2>"$d/badca.err" || true) +if [ "$x" ]; then + printf >&2 "got: %s\nShould not have succeeded since authority was wrong!" "$x" + false +fi +echo "successful strict DNS-over-TLS request failure to $ip on port 8853" |