- xfr-tsig, unit test for tsig_verify_reply.

2026-06-11 09:31:28 -04:00 · 2025-07-23 16:16:41 +02:00 · 2025-07-23 16:16:41 +02:00 · e55b3a2a4c
commit e55b3a2a4c
parent e4069e5619
7 changed files with 159 additions and 1 deletions
--- a/testcode/unittsig.c
+++ b/testcode/unittsig.c
@ -118,6 +118,15 @@ static int vtest = 0;
 *	buffer. The expected rcode is the result of the verify,
 *	the expected result2 is the result of the sign. If that differs
 *	the test fails.
+ * tsig-verify-reply <key> <time> <expected result> <expected result2>
+ * <hex>
+ * endpacket
+ *	The data from previous packet in the buffer is used with
+ *	tsig-sign-query. Then the hex data is the reply, it is used
+ *	with tsig-verify-reply. It TSIG signs with key name, at timestamp
+ *	in secs. The result of the sign call is compared with the
+ *	expected result, the result of the verify call is compared with
+ *	the expected result2, and the test fails if not equal.
 *
 */

@ -880,6 +889,97 @@ handle_tsig_sign_reply(char* line, FILE* in, const char* fname,
 	sldns_buffer_copy(pkt, &reply_pkt);
 }

+/** Handle the tsig-verify-reply */
+static void
+handle_tsig_verify_reply(char* line, FILE* in, const char* fname,
+	struct tsig_key_table* key_table, struct sldns_buffer* pkt)
+{
+	char* arg = get_arg_on_line(line, "tsig-verify-reply");
+	char* s, *keyname, *timestr, *expectedstr, *expectedstr2;
+	int expected_result, expected_result2, ret;
+	uint64_t timepoint;
+	struct tsig_data* tsig;
+	size_t pos;
+	uint8_t buf[65536];
+	sldns_buffer reply_pkt;
+
+	s = arg;
+	keyname = get_next_arg_on_line(&s);
+	timestr = get_next_arg_on_line(&s);
+	expectedstr = get_next_arg_on_line(&s);
+	expectedstr2 = get_next_arg_on_line(&s);
+
+	timepoint = (uint64_t)atoll(timestr);
+	if(timepoint == 0 && strcmp(timestr, "0") != 0)
+		fatal_exit("expected time argument for %s", timestr);
+	expected_result = atoi(expectedstr);
+	if(expected_result == 0 && strcmp(expectedstr, "0") != 0)
+		fatal_exit("expected int argument for %s", expectedstr);
+	expected_result2 = atoi(expectedstr2);
+	if(expected_result2 == 0 && strcmp(expectedstr2, "0") != 0)
+		fatal_exit("expected int argument for %s", expectedstr2);
+
+	sldns_buffer_init_frm_data(&reply_pkt, buf, sizeof(buf));
+	if(!read_packet_hex("", &reply_pkt, in, fname))
+		fatal_exit("Could not read reply packet");
+	if(vtest >= 2) {
+		char* str = sldns_wire2str_pkt(sldns_buffer_begin(&reply_pkt),
+			sldns_buffer_limit(&reply_pkt));
+		if(str)
+			printf("reply packet: %s\n", str);
+		else
+			printf("could not wire2str_pkt\n");
+		free(str);
+	}
+
+	if(vtest) {
+		printf("tsig-verify-reply with %s %d %d %d\n", keyname,
+			(int)timepoint, expected_result, expected_result2);
+	}
+
+	tsig = tsig_create_fromstr(key_table, keyname);
+	if(!tsig)
+		fatal_exit("alloc fail or key not found %s", keyname);
+
+	/* Put position at the end of the packet to sign it. */
+	pos = sldns_buffer_limit(pkt);
+	sldns_buffer_clear(pkt);
+	sldns_buffer_set_position(pkt, pos);
+
+	ret = tsig_sign_query(tsig, pkt, key_table, timepoint);
+	sldns_buffer_flip(pkt);
+
+	if(vtest) {
+		if(ret == expected_result)
+			printf("function ok, %s\n", (ret?"success":"fail"));
+		else
+			printf("function returned %d, expected result %d\n",
+				ret, expected_result);
+	}
+	unit_assert(ret == expected_result);
+
+	/* Verify the reply */
+	/* Put position before TSIG */
+	if(!tsig_find_rr(&reply_pkt)) {
+		if(vtest)
+			printf("tsig-verify-reply found no TSIG RR\n");
+		unit_assert(0);
+		return;
+	}
+	ret = tsig_parse_verify_reply(tsig, &reply_pkt, key_table, timepoint);
+
+	if(vtest) {
+		if(ret == expected_result2)
+			printf("function ok, %s\n", (ret?"success":"fail"));
+		else
+			printf("function returned %d, expected result2 %d\n",
+				ret, expected_result2);
+	}
+	unit_assert(ret == expected_result2);
+
+	tsig_delete(tsig);
+}
+
 /** Handle one line from the TSIG test file */
 static void
 handle_line(char* line, struct tsig_key_table* key_table,
@ -908,7 +1008,9 @@ handle_line(char* line, struct tsig_key_table* key_table,
 	} else if(strncmp(s, "tsig-verify-shared", 18) == 0) {
 		handle_tsig_verify_shared(s, key_table, pkt);
 	} else if(strncmp(s, "tsig-sign-reply", 15) == 0) {
-		handle_tsig_sign_reply(s, in,fname, key_table, pkt);
+		handle_tsig_sign_reply(s, in, fname, key_table, pkt);
+	} else if(strncmp(s, "tsig-verify-reply", 17) == 0) {
+		handle_tsig_verify_reply(s, in, fname, key_table, pkt);
 	} else if(strncmp(s, "#", 1) == 0) {
 		/* skip comment */
 	} else if(strcmp(s, "") == 0) {
--- a/testdata/tsig_test.1
+++ b/testdata/tsig_test.1
@ -163,3 +163,14 @@ endpacket
 check-packet
 e7078400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003a08686d61632d6d6435077369672d616c670372656703696e740000006855490d012c0010dc3c138476fcb04cc138aa5c59647b86e70700000000
 endpacket
+
+# www.example.net A
+packet
+e707002000010000000000010377777707657861
+6d706c65036e6574000001000100002910000000
+00000000
+endpacket
+
+tsig-verify-reply test.key 1750419725 1 1
+e7078400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003a08686d61632d6d6435077369672d616c670372656703696e740000006855490d012c0010dc3c138476fcb04cc138aa5c59647b86e70700000000
+endpacket
--- a/testdata/tsig_test.2
+++ b/testdata/tsig_test.2
@ -46,3 +46,12 @@ endpacket
 check-packet
 092d8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000002f09686d61632d7368613100000068554d04012c001475eace537fd51a9fbf192a10b20bfe824dd20318092d00000000
 endpacket
+
+# www.example.net A
+packet
+092d0000000100000000000103777777076578616d706c65036e657400000100010000291000000000000000
+endpacket
+
+tsig-verify-reply test.key 1750420740 1 1
+092d8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000002f09686d61632d7368613100000068554d04012c001475eace537fd51a9fbf192a10b20bfe824dd20318092d00000000
+endpacket
--- a/testdata/tsig_test.3
+++ b/testdata/tsig_test.3
@ -46,3 +46,12 @@ endpacket
 check-packet
 7e7e8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff0000000000390b686d61632d736861323234000000685550bc012c001c0fa7ddec264122b5e0c3d1a64ed043c3d68582f0ae2ba2d5b3e186127e7e00000000
 endpacket
+
+# www.example.net A
+packet
+7e7e0000000100000000000103777777076578616d706c65036e657400000100010000291000000000000000
+endpacket
+
+tsig-verify-reply test.key 1750421692 1 1
+7e7e8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff0000000000390b686d61632d736861323234000000685550bc012c001c0fa7ddec264122b5e0c3d1a64ed043c3d68582f0ae2ba2d5b3e186127e7e00000000
+endpacket
--- a/testdata/tsig_test.4
+++ b/testdata/tsig_test.4
@ -58,3 +58,12 @@ c7588400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100
 endpacket

 tsig-verify-shared test.key 1750411954 0
+
+# www.example.net A
+packet
+c7580000000100000000000103777777076578616d706c65036e657400000100010000291000000000000000
+endpacket
+
+tsig-verify-reply test.key 1750421767 1 1
+c7588400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068555107012c0020a377c921817d4009a6ab35e7f84aa697751b3a976701e8fb6b843965325bf9bdc75800000000
+endpacket
--- a/testdata/tsig_test.5
+++ b/testdata/tsig_test.5
@ -46,3 +46,12 @@ endpacket
 check-packet
 aafc8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000004d0b686d61632d73686133383400000068555139012c00301e895712f5633d84e82afd7b1dcdd792c5d51532c7a5f52701c9bd464f0d8f6cc735530d16417e8bf3cf104808554642aafc00000000
 endpacket
+
+# www.example.net A
+packet
+aafc0000000100000000000103777777076578616d706c65036e657400000100010000291000000000000000
+endpacket
+
+tsig-verify-reply test.key 1750421817 1 1
+aafc8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000004d0b686d61632d73686133383400000068555139012c00301e895712f5633d84e82afd7b1dcdd792c5d51532c7a5f52701c9bd464f0d8f6cc735530d16417e8bf3cf104808554642aafc00000000
+endpacket
--- a/testdata/tsig_test.6
+++ b/testdata/tsig_test.6
@ -46,3 +46,12 @@ endpacket
 check-packet
 e74d8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000005d0b686d61632d7368613531320000006855516b012c0040690c00d5e01a382b7a4c07739e0faab1a3c98f5bae1b49213032b7da070c4b985056894e1ebc88468d5d070d0589ea8032fb88f3a1902fa91211d2b4989bbb93e74d00000000
 endpacket
+
+# www.example.net A
+packet
+e74d0000000100000000000103777777076578616d706c65036e657400000100010000291000000000000000
+endpacket
+
+tsig-verify-reply test.key 1750421867 1 1
+e74d8400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000005d0b686d61632d7368613531320000006855516b012c0040690c00d5e01a382b7a4c07739e0faab1a3c98f5bae1b49213032b7da070c4b985056894e1ebc88468d5d070d0589ea8032fb88f3a1902fa91211d2b4989bbb93e74d00000000
+endpacket