1 /*
2 * testcode/unitverify.c - unit test for signature verification routines.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 *
35 */
36 /**
37 * \file
38 * Calls verification unit tests. Exits with code 1 on a failure.
39 */
40
41 #include "config.h"
42 #include "util/log.h"
43 #include "testcode/unitmain.h"
44 #include "validator/val_sigcrypt.h"
45 #include "validator/val_secalgo.h"
46 #include "validator/val_nsec.h"
47 #include "validator/val_nsec3.h"
48 #include "validator/validator.h"
49 #include "testcode/testpkts.h"
50 #include "util/data/msgreply.h"
51 #include "util/data/msgparse.h"
52 #include "util/data/dname.h"
53 #include "util/regional.h"
54 #include "util/alloc.h"
55 #include "util/rbtree.h"
56 #include "util/net_help.h"
57 #include "util/module.h"
58 #include "util/config_file.h"
59 #include "sldns/sbuffer.h"
60 #include "sldns/keyraw.h"
61 #include "sldns/str2wire.h"
62 #include "sldns/wire2str.h"
63
64 /** verbose signature test */
65 static int vsig = 0;
66
67 /** entry to packet buffer with wireformat */
68 static void
entry_to_buf(struct entry * e,sldns_buffer * pkt)69 entry_to_buf(struct entry* e, sldns_buffer* pkt)
70 {
71 unit_assert(e->reply_list);
72 if(e->reply_list->reply_from_hex) {
73 sldns_buffer_copy(pkt, e->reply_list->reply_from_hex);
74 } else {
75 sldns_buffer_clear(pkt);
76 sldns_buffer_write(pkt, e->reply_list->reply_pkt,
77 e->reply_list->reply_len);
78 sldns_buffer_flip(pkt);
79 }
80 }
81
82 /** entry to reply info conversion */
83 static void
entry_to_repinfo(struct entry * e,struct alloc_cache * alloc,struct regional * region,sldns_buffer * pkt,struct query_info * qi,struct reply_info ** rep)84 entry_to_repinfo(struct entry* e, struct alloc_cache* alloc,
85 struct regional* region, sldns_buffer* pkt, struct query_info* qi,
86 struct reply_info** rep)
87 {
88 int ret;
89 struct edns_data edns;
90 entry_to_buf(e, pkt);
91 /* lock alloc lock to please lock checking software.
92 * alloc_special_obtain assumes it is talking to a ub-alloc,
93 * and does not need to perform locking. Here the alloc is
94 * the only one, so we lock it here */
95 lock_quick_lock(&alloc->lock);
96 ret = reply_info_parse(pkt, alloc, qi, rep, region, &edns);
97 lock_quick_unlock(&alloc->lock);
98 if(ret != 0) {
99 char rcode[16];
100 sldns_wire2str_rcode_buf(ret, rcode, sizeof(rcode));
101 printf("parse code %d: %s\n", ret, rcode);
102 unit_assert(ret != 0);
103 }
104 }
105
106 /** extract DNSKEY rrset from answer and convert it */
107 static struct ub_packed_rrset_key*
extract_keys(struct entry * e,struct alloc_cache * alloc,struct regional * region,sldns_buffer * pkt)108 extract_keys(struct entry* e, struct alloc_cache* alloc,
109 struct regional* region, sldns_buffer* pkt)
110 {
111 struct ub_packed_rrset_key* dnskey = NULL;
112 struct query_info qinfo;
113 struct reply_info* rep = NULL;
114 size_t i;
115
116 entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep);
117 for(i=0; i<rep->an_numrrsets; i++) {
118 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DNSKEY) {
119 dnskey = rep->rrsets[i];
120 rep->rrsets[i] = NULL;
121 break;
122 }
123 }
124 unit_assert(dnskey);
125
126 reply_info_parsedelete(rep, alloc);
127 query_info_clear(&qinfo);
128 return dnskey;
129 }
130
131 /** return true if answer should be bogus */
132 static int
should_be_bogus(struct ub_packed_rrset_key * rrset,struct query_info * qinfo)133 should_be_bogus(struct ub_packed_rrset_key* rrset, struct query_info* qinfo)
134 {
135 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
136 entry.data;
137 if(d->rrsig_count == 0)
138 return 1;
139 /* name 'bogus' as first label signals bogus */
140 if(rrset->rk.dname_len > 6 && memcmp(rrset->rk.dname+1, "bogus", 5)==0)
141 return 1;
142 if(qinfo->qname_len > 6 && memcmp(qinfo->qname+1, "bogus", 5)==0)
143 return 1;
144 return 0;
145 }
146
147 /** return number of rrs in an rrset */
148 static size_t
rrset_get_count(struct ub_packed_rrset_key * rrset)149 rrset_get_count(struct ub_packed_rrset_key* rrset)
150 {
151 struct packed_rrset_data* d = (struct packed_rrset_data*)
152 rrset->entry.data;
153 if(!d) return 0;
154 return d->count;
155 }
156
157 /** setup sig alg list from dnskey */
158 static void
setup_sigalg(struct ub_packed_rrset_key * dnskey,uint8_t * sigalg)159 setup_sigalg(struct ub_packed_rrset_key* dnskey, uint8_t* sigalg)
160 {
161 uint8_t a[ALGO_NEEDS_MAX];
162 size_t i, n = 0;
163 memset(a, 0, sizeof(a));
164 for(i=0; i<rrset_get_count(dnskey); i++) {
165 uint8_t algo = (uint8_t)dnskey_get_algo(dnskey, i);
166 if(a[algo] == 0) {
167 a[algo] = 1;
168 sigalg[n++] = algo;
169 }
170 }
171 sigalg[n] = 0;
172 }
173
174 /** verify and test one rrset against the key rrset */
175 static void
verifytest_rrset(struct module_env * env,struct val_env * ve,struct ub_packed_rrset_key * rrset,struct ub_packed_rrset_key * dnskey,struct query_info * qinfo)176 verifytest_rrset(struct module_env* env, struct val_env* ve,
177 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
178 struct query_info* qinfo)
179 {
180 enum sec_status sec;
181 char reasonbuf[256];
182 char* reason = NULL;
183 uint8_t sigalg[ALGO_NEEDS_MAX+1];
184 int verified = 0;
185 if(vsig) {
186 log_nametypeclass(VERB_QUERY, "verify of rrset",
187 rrset->rk.dname, ntohs(rrset->rk.type),
188 ntohs(rrset->rk.rrset_class));
189 }
190 setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */
191 /* ok to give null as qstate here, won't be used for answer section. */
192 sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason,
193 NULL, LDNS_SECTION_ANSWER, NULL, &verified, reasonbuf,
194 sizeof(reasonbuf));
195 if(vsig) {
196 printf("verify outcome is: %s %s\n", sec_status_to_string(sec),
197 reason?reason:"");
198 }
199 if(should_be_bogus(rrset, qinfo)) {
200 unit_assert(sec == sec_status_bogus);
201 } else {
202 unit_assert(sec == sec_status_secure);
203 }
204 }
205
206 /** verify and test an entry - every rr in the message */
207 static void
verifytest_entry(struct entry * e,struct alloc_cache * alloc,struct regional * region,sldns_buffer * pkt,struct ub_packed_rrset_key * dnskey,struct module_env * env,struct val_env * ve)208 verifytest_entry(struct entry* e, struct alloc_cache* alloc,
209 struct regional* region, sldns_buffer* pkt,
210 struct ub_packed_rrset_key* dnskey, struct module_env* env,
211 struct val_env* ve)
212 {
213 struct query_info qinfo;
214 struct reply_info* rep = NULL;
215 size_t i;
216
217 regional_free_all(region);
218 if(vsig) {
219 char* s = sldns_wire2str_pkt(e->reply_list->reply_pkt,
220 e->reply_list->reply_len);
221 printf("verifying pkt:\n%s\n", s?s:"outofmemory");
222 free(s);
223 }
224 entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep);
225
226 for(i=0; i<rep->rrset_count; i++) {
227 verifytest_rrset(env, ve, rep->rrsets[i], dnskey, &qinfo);
228 }
229
230 reply_info_parsedelete(rep, alloc);
231 query_info_clear(&qinfo);
232 }
233
234 /** find RRset in reply by type */
235 static struct ub_packed_rrset_key*
find_rrset_type(struct reply_info * rep,uint16_t type)236 find_rrset_type(struct reply_info* rep, uint16_t type)
237 {
238 size_t i;
239 for(i=0; i<rep->rrset_count; i++) {
240 if(ntohs(rep->rrsets[i]->rk.type) == type)
241 return rep->rrsets[i];
242 }
243 return NULL;
244 }
245
246 /** DS sig test an entry - get DNSKEY and DS in entry and verify */
247 static void
dstest_entry(struct entry * e,struct alloc_cache * alloc,struct regional * region,sldns_buffer * pkt,struct module_env * env)248 dstest_entry(struct entry* e, struct alloc_cache* alloc,
249 struct regional* region, sldns_buffer* pkt, struct module_env* env)
250 {
251 struct query_info qinfo;
252 struct reply_info* rep = NULL;
253 struct ub_packed_rrset_key* ds, *dnskey;
254 int ret;
255
256 regional_free_all(region);
257 if(vsig) {
258 char* s = sldns_wire2str_pkt(e->reply_list->reply_pkt,
259 e->reply_list->reply_len);
260 printf("verifying DS-DNSKEY match:\n%s\n", s?s:"outofmemory");
261 free(s);
262 }
263 entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep);
264 ds = find_rrset_type(rep, LDNS_RR_TYPE_DS);
265 dnskey = find_rrset_type(rep, LDNS_RR_TYPE_DNSKEY);
266 /* check test is OK */
267 unit_assert(ds && dnskey);
268
269 ret = ds_digest_match_dnskey(env, dnskey, 0, ds, 0);
270 if(strncmp((char*)qinfo.qname, "\003yes", 4) == 0) {
271 if(vsig) {
272 printf("result(yes)= %s\n", ret?"yes":"no");
273 }
274 unit_assert(ret);
275 } else if (strncmp((char*)qinfo.qname, "\002no", 3) == 0) {
276 if(vsig) {
277 printf("result(no)= %s\n", ret?"yes":"no");
278 }
279 unit_assert(!ret);
280 verbose(VERB_QUERY, "DS fail: OK; matched unit test");
281 } else {
282 fatal_exit("Bad qname in DS unit test, yes or no");
283 }
284
285 reply_info_parsedelete(rep, alloc);
286 query_info_clear(&qinfo);
287 }
288
289 /** verify from a file */
290 static void
verifytest_file(const char * fname,const char * at_date)291 verifytest_file(const char* fname, const char* at_date)
292 {
293 /*
294 * The file contains a list of ldns-testpkts entries.
295 * The first entry must be a query for DNSKEY.
296 * The answer rrset is the keyset that will be used for verification
297 */
298 struct ub_packed_rrset_key* dnskey;
299 struct regional* region = regional_create();
300 struct alloc_cache alloc;
301 sldns_buffer* buf = sldns_buffer_new(65535);
302 struct entry* e;
303 struct entry* list = read_datafile(fname, 1);
304 struct module_env env;
305 struct val_env ve;
306 time_t now = time(NULL);
307 unit_show_func("signature verify", fname);
308
309 if(!list)
310 fatal_exit("could not read %s: %s", fname, strerror(errno));
311 alloc_init(&alloc, NULL, 1);
312 memset(&env, 0, sizeof(env));
313 memset(&ve, 0, sizeof(ve));
314 env.scratch = region;
315 env.scratch_buffer = buf;
316 env.now = &now;
317 ve.date_override = cfg_convert_timeval(at_date);
318 unit_assert(region && buf);
319 dnskey = extract_keys(list, &alloc, region, buf);
320 if(vsig) log_nametypeclass(VERB_QUERY, "test dnskey",
321 dnskey->rk.dname, ntohs(dnskey->rk.type),
322 ntohs(dnskey->rk.rrset_class));
323 /* ready to go! */
324 for(e = list->next; e; e = e->next) {
325 verifytest_entry(e, &alloc, region, buf, dnskey, &env, &ve);
326 }
327
328 ub_packed_rrset_parsedelete(dnskey, &alloc);
329 delete_entry(list);
330 regional_destroy(region);
331 alloc_clear(&alloc);
332 sldns_buffer_free(buf);
333 }
334
335 /** verify DS matches DNSKEY from a file */
336 static void
dstest_file(const char * fname)337 dstest_file(const char* fname)
338 {
339 /*
340 * The file contains a list of ldns-testpkts entries.
341 * The first entry must be a query for DNSKEY.
342 * The answer rrset is the keyset that will be used for verification
343 */
344 struct regional* region = regional_create();
345 struct alloc_cache alloc;
346 sldns_buffer* buf = sldns_buffer_new(65535);
347 struct entry* e;
348 struct entry* list = read_datafile(fname, 1);
349 struct module_env env;
350 unit_show_func("DS verify", fname);
351
352 if(!list)
353 fatal_exit("could not read %s: %s", fname, strerror(errno));
354 alloc_init(&alloc, NULL, 1);
355 memset(&env, 0, sizeof(env));
356 env.scratch = region;
357 env.scratch_buffer = buf;
358 unit_assert(region && buf);
359
360 /* ready to go! */
361 for(e = list; e; e = e->next) {
362 dstest_entry(e, &alloc, region, buf, &env);
363 }
364
365 delete_entry(list);
366 regional_destroy(region);
367 alloc_clear(&alloc);
368 sldns_buffer_free(buf);
369 }
370
371 /** helper for unittest of NSEC routines */
372 static int
unitest_nsec_has_type_rdata(char * bitmap,size_t len,uint16_t type)373 unitest_nsec_has_type_rdata(char* bitmap, size_t len, uint16_t type)
374 {
375 return nsecbitmap_has_type_rdata((uint8_t*)bitmap, len, type);
376 }
377
378 /** Test NSEC type bitmap routine */
379 static void
nsectest(void)380 nsectest(void)
381 {
382 /* bitmap starts at type bitmap rdata field */
383 /* from rfc 4034 example */
384 char* bitmap = "\000\006\100\001\000\000\000\003"
385 "\004\033\000\000\000\000\000\000"
386 "\000\000\000\000\000\000\000\000"
387 "\000\000\000\000\000\000\000\000"
388 "\000\000\000\000\040";
389 size_t len = 37;
390
391 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 0));
392 unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_A));
393 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 2));
394 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 3));
395 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 4));
396 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 5));
397 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 6));
398 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 7));
399 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 8));
400 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 9));
401 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 10));
402 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 11));
403 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 12));
404 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 13));
405 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 14));
406 unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_MX));
407 unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_RRSIG));
408 unit_assert(unitest_nsec_has_type_rdata(bitmap, len, LDNS_RR_TYPE_NSEC));
409 unit_assert(unitest_nsec_has_type_rdata(bitmap, len, 1234));
410 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1233));
411 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1235));
412 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1236));
413 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1237));
414 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1238));
415 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1239));
416 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 1240));
417 unit_assert(!unitest_nsec_has_type_rdata(bitmap, len, 2230));
418 }
419
420 /** Test hash algo - NSEC3 hash it and compare result */
421 static void
nsec3_hash_test_entry(struct entry * e,rbtree_type * ct,struct alloc_cache * alloc,struct regional * region,sldns_buffer * buf)422 nsec3_hash_test_entry(struct entry* e, rbtree_type* ct,
423 struct alloc_cache* alloc, struct regional* region,
424 sldns_buffer* buf)
425 {
426 struct query_info qinfo;
427 struct reply_info* rep = NULL;
428 struct ub_packed_rrset_key* answer, *nsec3;
429 struct nsec3_cached_hash* hash = NULL;
430 int ret;
431 uint8_t* qname;
432
433 if(vsig) {
434 char* s = sldns_wire2str_pkt(e->reply_list->reply_pkt,
435 e->reply_list->reply_len);
436 printf("verifying NSEC3 hash:\n%s\n", s?s:"outofmemory");
437 free(s);
438 }
439 entry_to_repinfo(e, alloc, region, buf, &qinfo, &rep);
440 nsec3 = find_rrset_type(rep, LDNS_RR_TYPE_NSEC3);
441 answer = find_rrset_type(rep, LDNS_RR_TYPE_AAAA);
442 qname = regional_alloc_init(region, qinfo.qname, qinfo.qname_len);
443 /* check test is OK */
444 unit_assert(nsec3 && answer && qname);
445
446 ret = nsec3_hash_name(ct, region, buf, nsec3, 0, qname,
447 qinfo.qname_len, &hash);
448 if(ret < 1) {
449 printf("Bad nsec3_hash_name retcode %d\n", ret);
450 unit_assert(ret == 1 || ret == 2);
451 }
452 unit_assert(hash->dname && hash->hash && hash->hash_len &&
453 hash->b32 && hash->b32_len);
454 unit_assert(hash->b32_len == (size_t)answer->rk.dname[0]);
455 /* does not do lowercasing. */
456 unit_assert(memcmp(hash->b32, answer->rk.dname+1, hash->b32_len)
457 == 0);
458
459 reply_info_parsedelete(rep, alloc);
460 query_info_clear(&qinfo);
461 }
462
463
464 /** Read file to test NSEC3 hash algo */
465 static void
nsec3_hash_test(const char * fname)466 nsec3_hash_test(const char* fname)
467 {
468 /*
469 * The list contains a list of ldns-testpkts entries.
470 * Every entry is a test.
471 * The qname is hashed.
472 * The answer section AAAA RR name is the required result.
473 * The auth section NSEC3 is used to get hash parameters.
474 * The hash cache is maintained per file.
475 *
476 * The test does not perform canonicalization during the compare.
477 */
478 rbtree_type ct;
479 struct regional* region = regional_create();
480 struct alloc_cache alloc;
481 sldns_buffer* buf = sldns_buffer_new(65535);
482 struct entry* e;
483 struct entry* list = read_datafile(fname, 1);
484 unit_show_func("NSEC3 hash", fname);
485
486 if(!list)
487 fatal_exit("could not read %s: %s", fname, strerror(errno));
488 rbtree_init(&ct, &nsec3_hash_cmp);
489 alloc_init(&alloc, NULL, 1);
490 unit_assert(region && buf);
491
492 /* ready to go! */
493 for(e = list; e; e = e->next) {
494 nsec3_hash_test_entry(e, &ct, &alloc, region, buf);
495 }
496
497 delete_entry(list);
498 regional_destroy(region);
499 alloc_clear(&alloc);
500 sldns_buffer_free(buf);
501 }
502
503 #define xstr(s) str(s)
504 #define str(s) #s
505
506 #define SRCDIRSTR xstr(SRCDIR)
507
508 void
verify_test(void)509 verify_test(void)
510 {
511 unit_show_feature("signature verify");
512 #ifdef USE_SHA1
513 verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004");
514 #endif
515 #if defined(USE_DSA) && defined(USE_SHA1)
516 verifytest_file(SRCDIRSTR "/testdata/test_signatures.2", "20080414005004");
517 verifytest_file(SRCDIRSTR "/testdata/test_signatures.3", "20080416005004");
518 verifytest_file(SRCDIRSTR "/testdata/test_signatures.4", "20080416005004");
519 verifytest_file(SRCDIRSTR "/testdata/test_signatures.5", "20080416005004");
520 verifytest_file(SRCDIRSTR "/testdata/test_signatures.6", "20080416005004");
521 verifytest_file(SRCDIRSTR "/testdata/test_signatures.7", "20070829144150");
522 #endif /* USE_DSA */
523 #ifdef USE_SHA1
524 verifytest_file(SRCDIRSTR "/testdata/test_signatures.8", "20070829144150");
525 #endif
526 #if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
527 verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256", "20070829144150");
528 # ifdef USE_SHA1
529 verifytest_file(SRCDIRSTR "/testdata/test_sigs.sha1_and_256", "20070829144150");
530 # endif
531 verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256_draft", "20090101000000");
532 #endif
533 #if (defined(HAVE_EVP_SHA512) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
534 verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha512_draft", "20070829144150");
535 verifytest_file(SRCDIRSTR "/testdata/test_signatures.9", "20171215000000");
536 #endif
537 #ifdef USE_SHA1
538 verifytest_file(SRCDIRSTR "/testdata/test_sigs.hinfo", "20090107100022");
539 verifytest_file(SRCDIRSTR "/testdata/test_sigs.revoked", "20080414005004");
540 #endif
541 #ifdef USE_GOST
542 if(sldns_key_EVP_load_gost_id())
543 verifytest_file(SRCDIRSTR "/testdata/test_sigs.gost", "20090807060504");
544 else printf("Warning: skipped GOST, openssl does not provide gost.\n");
545 #endif
546 #ifdef USE_ECDSA
547 /* test for support in case we use libNSS and ECC is removed */
548 if(dnskey_algo_id_is_supported(LDNS_ECDSAP256SHA256)) {
549 verifytest_file(SRCDIRSTR "/testdata/test_sigs.ecdsa_p256", "20100908100439");
550 verifytest_file(SRCDIRSTR "/testdata/test_sigs.ecdsa_p384", "20100908100439");
551 }
552 dstest_file(SRCDIRSTR "/testdata/test_ds.sha384");
553 #endif
554 #ifdef USE_ED25519
555 if(dnskey_algo_id_is_supported(LDNS_ED25519)) {
556 verifytest_file(SRCDIRSTR "/testdata/test_sigs.ed25519", "20170530140439");
557 }
558 #endif
559 #ifdef USE_ED448
560 if(dnskey_algo_id_is_supported(LDNS_ED448)) {
561 verifytest_file(SRCDIRSTR "/testdata/test_sigs.ed448", "20180408143630");
562 }
563 #endif
564 #ifdef USE_SHA1
565 dstest_file(SRCDIRSTR "/testdata/test_ds.sha1");
566 #endif
567 nsectest();
568 nsec3_hash_test(SRCDIRSTR "/testdata/test_nsec3_hash.1");
569 }
570