- xfr-tsig, unit test for tsig_verify_query.

2026-02-18 18:25:10 -05:00 · 2025-06-25 12:06:15 +02:00 · 2025-06-25 12:06:15 +02:00 · 0719ef21fa
commit 0719ef21fa
parent 6d5f22b56d
7 changed files with 138 additions and 16 deletions
--- a/testcode/unittsig.c
+++ b/testcode/unittsig.c
@ -81,6 +81,13 @@ static int vtest = 0;
 *	result of the call is compared with the expected result, and
 *	the test fails if not equal. The result is in the packet buffer.
 * tsig-verify-query <key> <time> <rcode> <tsigerror> <tsigothertime>
+ *	It tsig verifies the packet, looks up key in the key table.
+ *	The verification is at timestamp, in secs. The result is checked,
+ *	the key with keyname of result, the rcode function result, and
+ *	if tsig data is returned, the tsigerror and tsigothertime are
+ *	checked if present. If not equal the test fails.
+ *	If no tsig data is returned, keyname '.', and 0 and 0 are the
+ *	tsigerr and tsigothertime values that are checked.
 *
 */

@ -464,6 +471,43 @@ handle_tsig_sign_query(char* line, struct tsig_key_table* key_table,
 	tsig_delete(tsig);
 }

+/** Convert RCODE string to number. */
+static int
+str2wire_rcode(const char* str)
+{
+	sldns_lookup_table *lt = sldns_lookup_by_name(sldns_rcodes, str);
+	if(lt) {
+		return (int)lt->id;
+	} else if(strncmp(str, "RCODE", 5) == 0) {
+		return atoi(str+5);
+	}
+	/* Try as-is, a number. */
+	return atoi(str);
+}
+
+/** Convert TSIG error code string to number. */
+static int
+str2wire_tsigerror(const char* str)
+{
+	sldns_lookup_table *lt = sldns_lookup_by_name(sldns_tsig_errors, str);
+	if(lt) {
+		return (int)lt->id;
+	}
+	/* Try as-is, a number. */
+	return atoi(str);
+}
+
+/** Print TSIG error code to string */
+static void
+wire2str_tsigerror_buf(int tsigerr, char* buf, size_t len)
+{
+	sldns_lookup_table *lt;
+	lt = sldns_lookup_by_id(sldns_tsig_errors, tsigerr);
+	if(lt && lt->name)
+		snprintf(buf, len, "%s", lt->name);
+	else	snprintf(buf, len, "%d", tsigerr);
+}
+
 /** Handle the tsig-verify-query */
 static void
 handle_tsig_verify_query(char* line, struct tsig_key_table* key_table,
@ -472,9 +516,10 @@ handle_tsig_verify_query(char* line, struct tsig_key_table* key_table,
 	char* arg = get_arg_on_line(line, "tsig-verify-query");
 	char* keyname, *s, *timestr, *expected_rcode_str,
 		*expected_tsigerr_str, *expected_other_str;
-	int expected_rcode, expected_tsigerr, expected_other, ret;
-	uint64_t timepoint;
+	int expected_rcode, expected_tsigerr, ret;
+	uint64_t timepoint, expected_other;
 	struct tsig_data* tsig;
+	char keyname_dname[256];

 	keyname = arg;
 	s = arg;
@ -514,19 +559,31 @@ handle_tsig_verify_query(char* line, struct tsig_key_table* key_table,
 	timepoint = (uint64_t)atoll(timestr);
 	if(timepoint == 0 && strcmp(timestr, "0") != 0)
 		fatal_exit("expected time argument for %s", timestr);
-	expected_rcode = atoi(expected_rcode_str);
-	if(expected_rcode == 0 && strcmp(expected_rcode_str, "0") != 0)
-		fatal_exit("expected int argument for %s", expected_rcode_str);
-	expected_tsigerr = atoi(expected_tsigerr_str);
-	if(expected_tsigerr == 0 && strcmp(expected_tsigerr_str, "0") != 0)
-		fatal_exit("expected int argument for %s", expected_tsigerr_str);
-	expected_other = atoi(expected_other_str);
+	expected_rcode = str2wire_rcode(expected_rcode_str);
+	if(expected_rcode == 0 && strcmp(expected_rcode_str, "0") != 0 &&
+		strcmp(expected_rcode_str, "NOERROR") != 0 &&
+		strcmp(expected_rcode_str, "RCODE0") != 0)
+		fatal_exit("expected rcode argument for %s", expected_rcode_str);
+	expected_tsigerr = str2wire_tsigerror(expected_tsigerr_str);
+	if(expected_tsigerr == 0 && strcmp(expected_tsigerr_str, "0") != 0 &&
+		strcmp(expected_rcode_str, "NOERROR") != 0)
+		fatal_exit("expected tsigerrorcode argument for %s",
+			expected_tsigerr_str);
+	expected_other = (uint64_t)atoll(expected_other_str);
 	if(expected_other == 0 && strcmp(expected_other_str, "0") != 0)
 		fatal_exit("expected int argument for %s", expected_other_str);
+	if(strlen(keyname) > 0 && keyname[strlen(keyname)-1] == '.')
+		snprintf(keyname_dname, sizeof(keyname_dname), "%s", keyname);
+	else	snprintf(keyname_dname, sizeof(keyname_dname), "%s.", keyname);

-	if(vtest)
-		printf("tsig-verify-query with %s %d %d\n", keyname,
-			(int)timepoint, expected_rcode);
+	if(vtest) {
+		char bufrc[16], bufte[16];
+		sldns_wire2str_rcode_buf(expected_rcode, bufrc, sizeof(bufrc));
+		wire2str_tsigerror_buf(expected_tsigerr, bufte, sizeof(bufte));
+		printf("tsig-verify-query with %s %d %s %s %llu\n", keyname,
+			(int)timepoint, bufrc, bufte,
+			(unsigned long long)expected_other);
+	}

 	/* Put position before TSIG */
 	if(!tsig_find_rr(pkt)) {
@ -538,23 +595,65 @@ handle_tsig_verify_query(char* line, struct tsig_key_table* key_table,
 	ret = tsig_parse_verify_query(key_table, pkt, &tsig, NULL, timepoint);

 	if(vtest) {
+		char bufrc[16], bufte[16], retrc[16], rette[16];
+		sldns_wire2str_rcode_buf(expected_rcode, bufrc, sizeof(bufrc));
+		wire2str_tsigerror_buf(expected_tsigerr, bufte, sizeof(bufte));
+		sldns_wire2str_rcode_buf(ret, retrc, sizeof(retrc));
+		if(tsig)
+			wire2str_tsigerror_buf(tsig->error, rette, sizeof(rette));
+		else	snprintf(rette, sizeof(rette), "none");
 		if(ret == expected_rcode)
-			printf("function ok, %s\n", (ret?"success":"fail"));
+			printf("function ok, rcode %s\n", retrc);
 		else
-			printf("function returned %d, expected result %d\n",
-				ret, expected_rcode);
+			printf("function returned %s, expected result %s\n",
+				retrc, bufrc);
+		if(tsig) {
+			char keynm[256];
+			if(tsig->error == expected_tsigerr)
+				printf("tsig error ok, it is %s\n", bufte);
+			else	printf("tsig error %s, expected %s\n", rette,
+					bufte);
+			if(tsig->other_len == 6) {
+				if(tsig->other_time == expected_other)
+					printf("othererrortime ok, it is %llu\n",
+						(unsigned long long)expected_other);
+				else	printf("othererrortime %llu, expected %llu\n",
+						(unsigned long long)tsig->other_time,
+						(unsigned long long)expected_other);
+			} else {
+				if(0 == expected_other)
+					printf("othererrortime ok, none\n");
+				else	printf("othererrortime none, expected %llu\n",
+						(unsigned long long)expected_other);
+			}
+			sldns_wire2str_dname_buf(tsig->key_name,
+				tsig->key_name_len, keynm, sizeof(keynm));
+			if(strcmp(keynm, keyname_dname) != 0)
+				printf("tsig key is %s, expected %s\n",
+					keynm, keyname_dname);
+		} else {
+			if(expected_tsigerr != 0 || expected_other != 0 ||
+				strcmp(keyname_dname, ".") != 0) {
+				printf("no tsig data returned, but expected it\n");
+			}
+		}
 	}
 	unit_assert(ret == expected_rcode);
 	if(tsig) {
+		char keynm[256];
 		unit_assert(tsig->error == expected_tsigerr);
 		if(tsig->other_len == 6) {
 			unit_assert(tsig->other_time == (uint64_t)expected_other);
 		} else {
 			unit_assert(0 == expected_other);
 		}
+		sldns_wire2str_dname_buf(tsig->key_name, tsig->key_name_len,
+			keynm, sizeof(keynm));
+		unit_assert(strcmp(keynm, keyname_dname) == 0);
 	} else {
 		unit_assert(0 == expected_tsigerr);
 		unit_assert(0 == expected_other);
+		unit_assert(strcmp(keyname_dname, ".") == 0);
 	}

 	tsig_delete(tsig);
--- a/testdata/tsig_test.1
+++ b/testdata/tsig_test.1
@ -49,7 +49,20 @@ c00e00f1bafa240f41ee9cbe507b9802e7070000
 0000
 endpacket

-tsig-verify-query test.key 1750419725 0 0 0
+tsig-verify-query test.key 1750419725 NOERROR NOERROR 0
+
+# add some fudge to the time
+packet
+e707002000010000000000020377777707657861
+6d706c65036e6574000001000100002910000000
+000000000474657374036b65790000fa00ff0000
+0000003a08686d61632d6d6435077369672d616c
+670372656703696e740000006855490d012c0010
+c00e00f1bafa240f41ee9cbe507b9802e7070000
+0000
+endpacket
+
+tsig-verify-query test.key 1750419730 NOERROR NOERROR 0

 # reply for www.example.net A
 #packet
--- a/testdata/tsig_test.2
+++ b/testdata/tsig_test.2
@ -30,6 +30,8 @@ check-packet
 092d0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000002f09686d61632d7368613100000068554d04012c0014f493f53a80f43dbd81df4f2feb7064de8247ba0b092d00000000
 endpacket

+tsig-verify-query test.key 1750420740 NOERROR NOERROR 0
+
 # reply for www.example.net A
 #packet
 #092d8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000002f09686d61632d7368613100000068554d04012c001475eace537fd51a9fbf192a10b20bfe824dd20318092d00000000
--- a/testdata/tsig_test.3
+++ b/testdata/tsig_test.3
@ -30,6 +30,8 @@ check-packet
 7e7e0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff0000000000390b686d61632d736861323234000000685550bc012c001c03431f500872691d8780dafe326cdbe56ceaaca1d0ea3e3a262848e77e7e00000000
 endpacket

+tsig-verify-query test.key 1750421692 NOERROR NOERROR 0
+
 # reply for www.example.net A
 #packet
 #7e7e8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff0000000000390b686d61632d736861323234000000685550bc012c001c0fa7ddec264122b5e0c3d1a64ed043c3d68582f0ae2ba2d5b3e186127e7e00000000
--- a/testdata/tsig_test.4
+++ b/testdata/tsig_test.4
@ -30,6 +30,8 @@ check-packet
 c7580000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068555107012c0020aa49c7e324b075dd057aeaba998ee10b6c72f8573f56d3b42fb2f65ee1e81f76c75800000000
 endpacket

+tsig-verify-query test.key 1750421767 NOERROR NOERROR 0
+
 # reply for www.example.net A
 #packet
 #c7588400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068555107012c0020a377c921817d4009a6ab35e7f84aa697751b3a976701e8fb6b843965325bf9bdc75800000000
--- a/testdata/tsig_test.5
+++ b/testdata/tsig_test.5
@ -30,6 +30,8 @@ check-packet
 aafc0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000004d0b686d61632d73686133383400000068555139012c00300953f74bcc78dae61e9d93aad74e128dbc240a671de017efd3707235be7890cbf2a51255f5843438fbaa26d04caca506aafc00000000
 endpacket

+tsig-verify-query test.key 1750421817 NOERROR NOERROR 0
+
 # reply for www.example.net A
 #packet
 #aafc8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000004d0b686d61632d73686133383400000068555139012c00301e895712f5633d84e82afd7b1dcdd792c5d51532c7a5f52701c9bd464f0d8f6cc735530d16417e8bf3cf104808554642aafc00000000
--- a/testdata/tsig_test.6
+++ b/testdata/tsig_test.6
@ -30,6 +30,8 @@ check-packet
 e74d0000000100000000000203777777076578616d706c65036e6574000001000100002910000000000000000474657374036b65790000fa00ff00000000005d0b686d61632d7368613531320000006855516b012c0040bbc78c7a8019119b79f89f3ed66d874acb3a29bfcd3ac75fce3779d60d41080fe536c03de404a9143314eabce88a0c5eff6204d94d3225cf42327322c8a48acae74d00000000
 endpacket

+tsig-verify-query test.key 1750421867 NOERROR NOERROR 0
+
 # reply for www.example.net A
 #packet
 #e74d8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000005d0b686d61632d7368613531320000006855516b012c0040690c00d5e01a382b7a4c07739e0faab1a3c98f5bae1b49213032b7da070c4b985056894e1ebc88468d5d070d0589ea8032fb88f3a1902fa91211d2b4989bbb93e74d00000000