From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 9 Sep 2025 12:36:33 +0000 (+0200)
Subject: - xfr-tsig, fix algorithm name write in xfr reply tsig and unit test
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3c1981a6a3bf9552ce891581c36991b933623f6;p=thirdparty%2Funbound.git

- xfr-tsig, fix algorithm name write in xfr reply tsig and unit test
  that works with output that works with dig and NSD.
---

diff --git a/testcode/unittsig.c b/testcode/unittsig.c
index 01533fef3..840e584ec 100644
--- a/testcode/unittsig.c
+++ b/testcode/unittsig.c
@@ -996,6 +996,26 @@ handle_tsig_verify_reply(char* line, FILE* in, const char* fname,
 	tsig_delete(tsig);
 }
 
+/* Read next line from file, skip empty and comment lines. It returns the
+ * key_keyword of the line. Returns false on failure. */
+static char*
+read_next_keyword(char* line, size_t len, FILE* in)
+{
+	char* s = NULL;
+	while(1) {
+		if(!fgets(line, len, in)) {
+			if(vtest) printf("fgets: %s\n", strerror(errno));
+			return NULL;
+		}
+		line[len-1]=0;
+		s = get_keyword(line);
+		if(s[0] == 0 || s[0] == '#')
+			continue;
+		break;
+	}
+	return s;
+}
+
 /** Handle the tsig-sign-reply-xfr */
 static void
 handle_tsig_sign_reply_xfr(char* line, FILE* in, const char* fname,
@@ -1013,8 +1033,8 @@ handle_tsig_sign_reply_xfr(char* line, FILE* in, const char* fname,
 	sldns_buffer_init_frm_data(&check_pkt, buf2, sizeof(buf2));
 
 	s = arg;
-	timestr = get_next_arg_on_line(&s);
 	numstr = get_next_arg_on_line(&s);
+	timestr = get_next_arg_on_line(&s);
 	expected_rcode_str = get_next_arg_on_line(&s);
 
 	num = atoi(numstr);
@@ -1064,22 +1084,19 @@ handle_tsig_sign_reply_xfr(char* line, FILE* in, const char* fname,
 			printf("xfr packet %d/%d\n", i+1, num);
 
 		/* read packet keyword */
-		if(!fgets(callline, sizeof(callline), in))
-			fatal_exit("could not read line %d of "
-				"tsig-sign-reply-xfr", i);
-		callline[sizeof(callline)-1]=0;
-		if(strcmp(get_keyword(callline), "packet")!=0)
+		if(!(s=read_next_keyword(callline, sizeof(callline), in)))
+			fatal_exit("could not read next line for "
+				"tsig-sign-reply-xfr %d", i+1);
+		if(strcmp(s, "packet")!=0)
 			fatal_exit("expected 'packet', but read '%s'",
 				callline);
 		if(!read_packet_hex("", &reply_pkt, in, fname))
 			fatal_exit("Could not read reply packet");
 
 		/* read call arguments */
-		if(!fgets(callline, sizeof(callline), in))
-			fatal_exit("could not read line %d of "
-				"tsig-sign-reply-xfr", i);
-		callline[sizeof(callline)-1]=0;
-		s = get_keyword(callline);
+		if(!(s=read_next_keyword(callline, sizeof(callline), in)))
+			fatal_exit("could not read next line for "
+				"tsig-sign-reply-xfr %d", i+1);
 		if(strncmp(s, "call", 4) == 0) {
 			s = get_arg_on_line(s, "call");
 			timestr = get_next_arg_on_line(&s);
@@ -1092,15 +1109,14 @@ handle_tsig_sign_reply_xfr(char* line, FILE* in, const char* fname,
 				fatal_exit("expected int argument for %s", expectedstr2);
 		} else {
 			fatal_exit("unknown line '%s' is not 'call' for %d in "
-				"tsig-sign-reply-xfr", s, i);
+				"tsig-sign-reply-xfr", s, i+1);
 		}
 
 		/* read check-packet keyword */
-		if(!fgets(callline, sizeof(callline), in))
-			fatal_exit("could not read line %d of "
-				"tsig-sign-reply-xfr", i);
-		callline[sizeof(callline)-1]=0;
-		if(strcmp(get_keyword(callline), "check-packet")!=0)
+		if(!(s=read_next_keyword(callline, sizeof(callline), in)))
+			fatal_exit("could not read next line for "
+				"tsig-sign-reply-xfr %d", i+1);
+		if(strcmp(s, "check-packet")!=0)
 			fatal_exit("expected 'check-packet', but read '%s'",
 				callline);
 		if(!read_packet_hex("", &check_pkt, in, fname))
@@ -1157,7 +1173,8 @@ handle_tsig_sign_reply_xfr(char* line, FILE* in, const char* fname,
 				sldns_buffer_begin(&check_pkt),
 				sldns_buffer_limit(&reply_pkt)) == 0);
 		if(vtest)
-			printf("check-packet is equal\n");
+			printf("check-packet is equal, for %d/%d\n",
+				i+1, num);
 	}
 
 	tsig_delete(tsig);
diff --git a/testdata/tsig_test.4 b/testdata/tsig_test.4
index b145097dc..f0c3d8b87 100644
--- a/testdata/tsig_test.4
+++ b/testdata/tsig_test.4
@@ -108,3 +108,236 @@ endpacket
 tsig-verify-reply test.key 1756302015 1 1
 74c484000001000200000002076578616d706c6503636f6d0000fc0001c00c0006000100000e100023c00c0a686f73746d6173746572c00c5cd7fffe00000e10000003840012750000000708c00c0001000100000e1000043ed26e0700002904d00000000000000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068af0abf012c0020df2b53f8f88720570cd0cb8f31e315037d68e95c380674f5439793a576ef615e74c400000000
 endpacket
+
+# tsig-sign-reply-xfr test.
+# The output was captured from NSD, with dig as querier. NSD and dig verified.
+# It signs an AXFR for example.com, every two RRs.
+# it was: dig @127.0.0.1 -p <port> +nocookie +noadflag -y hmac-sha256:test.key:K2tf3TRjvQkVCmJF3/Z9vA== example.com AXFR
+
+# the incoming query, example.com AXFR
+packet
+1c9600000001000000000002076578616d706c6503636f6d0000fc000100002910000000000000000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c00202f017432ef8f8ef3dab9be9f9c4765eda7939f0485dfe384206e97e13acbd8f91c9600000000
+endpacket
+#      <number of packets> <time> <rcode for query process>
+tsig-sign-reply-xfr 24 1757420114 NOERROR
+# packet 1
+# unsigned input before the TSIG is added
+# (without TSIG so, ARcount 02->01, RR TSIG 0474657374036b657900.. deleted.)
+packet
+1c9684000001000200000001076578616d706c6503636f6d0000fc0001c00c0006000100000e100023c00c0a686f73746d6173746572c00c5cd7fffe00000e10000003840012750000000708c00c0001000100000e1000043ed26e0700002904d0000000000000
+endpacket
+# call information of the TSIG routine.
+#    <timepoint> <expected function return value>
+call 1757420114 1
+# check for output packet that is the result of TSIG signature.
+check-packet
+1c9684000001000200000002076578616d706c6503636f6d0000fc0001c00c0006000100000e100023c00c0a686f73746d6173746572c00c5cd7fffe00000e10000003840012750000000708c00c0001000100000e1000043ed26e0700002904d00000000000000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c00200fe349e19b5b3e952c097db0dfef9430734da92125ab1d4542d450774f352b4d1c9600000000
+endpacket
+
+# packet 2
+packet
+1c9684000000000200000000076578616d706c6503636f6d000002000100000e100005026e73c00cc00c000f000100000e1000070005026d78c00c
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001076578616d706c6503636f6d000002000100000e100005026e73c00cc00c000f000100000e1000070005026d78c00c0474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020d03727ee94d091b5ae91ffb0b7aec23ad6f753571c66b958c0e5fca8ad49f9931c9600000000
+endpacket
+
+# packet 3
+packet
+1c96840000000002000000000131026161076578616d706c6503636f6d000001000100000e1000047f000001023130c00e0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c96840000000002000000010131026161076578616d706c6503636f6d000001000100000e1000047f000001023130c00e0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020e32db0e11c2084fbe37f0a7603ba35eca8ad24efeeea0a6ad0a9c5fac2d82fef1c9600000000
+endpacket
+
+# packet 4
+packet
+1c9684000000000200000000023131026161076578616d706c6503636f6d000001000100000e1000047f000001023132c00f0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001023131026161076578616d706c6503636f6d000001000100000e1000047f000001023132c00f0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020e38f1b5ff94189c0f1e43d12002f72fedd04842b9562036a890e434b28b01a361c9600000000
+endpacket
+
+# packet 5
+packet
+1c9684000000000200000000023133026161076578616d706c6503636f6d000001000100000e1000047f000001023134c00f0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001023133026161076578616d706c6503636f6d000001000100000e1000047f000001023134c00f0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c00209ec339cdb4ff11f704920aebc81decded09ddb6ff3e5181f3ef410fbc7074b201c9600000000
+endpacket
+
+# packet 6
+packet
+1c9684000000000200000000023135026161076578616d706c6503636f6d000001000100000e1000047f000001023136c00f0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001023135026161076578616d706c6503636f6d000001000100000e1000047f000001023136c00f0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c00209d4fc84ad670d95791fd281d8465213ff95432d18d920d3bba819ef8ef39307a1c9600000000
+endpacket
+
+# packet 7
+packet
+1c9684000000000200000000023137026161076578616d706c6503636f6d000001000100000e1000047f000001023138c00f0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001023137026161076578616d706c6503636f6d000001000100000e1000047f000001023138c00f0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c002085b43b7552da236e9e786a764797936dd35bf5b66240eda86b55b1401b7c89001c9600000000
+endpacket
+
+# packet 8
+packet
+1c9684000000000200000000023139026161076578616d706c6503636f6d000001000100000e1000047f0000010132c00f0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001023139026161076578616d706c6503636f6d000001000100000e1000047f0000010132c00f0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020c509d9d88403cd38de55041c25df3918094d2ba58d7aef3421894375145c9b481c9600000000
+endpacket
+
+# packet 9
+packet
+1c9684000000000200000000023230026161076578616d706c6503636f6d000001000100000e1000047f000001023231c00f0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001023230026161076578616d706c6503636f6d000001000100000e1000047f000001023231c00f0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c002035bb99b902597883326e520924197823afe67c16bc1277b76c0fe6a5c8df71481c9600000000
+endpacket
+
+# packet 10
+packet
+1c9684000000000200000000023232026161076578616d706c6503636f6d000001000100000e1000047f000001023233c00f0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001023232026161076578616d706c6503636f6d000001000100000e1000047f000001023233c00f0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c002076cabe0adbfd33dc0de403b12eb4ab6760a01e309590b2fcbf1feb58d2b9d2d21c9600000000
+endpacket
+
+# packet 11
+packet
+1c9684000000000200000000023234026161076578616d706c6503636f6d000001000100000e1000047f000001023235c00f0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001023234026161076578616d706c6503636f6d000001000100000e1000047f000001023235c00f0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020239b0438becc231a906e1b58871d708f8f2f6b4fa3d13d4c416e6a405261f7c11c9600000000
+endpacket
+
+# packet 12
+packet
+1c9684000000000200000000023236026161076578616d706c6503636f6d000001000100000e1000047f000001023237c00f0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001023236026161076578616d706c6503636f6d000001000100000e1000047f000001023237c00f0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020f7f700322f917f820711b19d0737ea883ef1f84df10fe43768ddeb208436a2c71c9600000000
+endpacket
+
+# packet 13
+packet
+1c9684000000000200000000023238026161076578616d706c6503636f6d000001000100000e1000047f000001023239c00f0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001023238026161076578616d706c6503636f6d000001000100000e1000047f000001023239c00f0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020734aeda53e0b3bba7adbc6f3107be3a1ca15c0519ef9bc4c358266b279e4a84c1c9600000000
+endpacket
+
+# packet 14
+packet
+1c96840000000002000000000133026161076578616d706c6503636f6d000001000100000e1000047f000001023330c00e0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c96840000000002000000010133026161076578616d706c6503636f6d000001000100000e1000047f000001023330c00e0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c00208bba7720eb76db59ca223e72e75161a51905ad7da75bfe87ea7e3f858e95a5e31c9600000000
+endpacket
+
+# packet 15
+packet
+1c96840000000002000000000134026161076578616d706c6503636f6d000001000100000e1000047f0000010135c00e0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c96840000000002000000010134026161076578616d706c6503636f6d000001000100000e1000047f0000010135c00e0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020bd18bd75f9b6073af2f0c2e3321530f18b48768881fc246e5485b7adf744e18f1c9600000000
+endpacket
+
+# packet 16
+packet
+1c96840000000002000000000136026161076578616d706c6503636f6d000001000100000e1000047f0000010137c00e0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c96840000000002000000010136026161076578616d706c6503636f6d000001000100000e1000047f0000010137c00e0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c00209bde6bd3ff63bcadc4987cb97056fefa57b6f2b62f0715d7f569ff2526c1cd7a1c9600000000
+endpacket
+
+# packet 17
+packet
+1c96840000000002000000000138026161076578616d706c6503636f6d000001000100000e1000047f0000010139c00e0001000100000e1000047f000001
+endpacket
+call 1757420114 1
+check-packet
+1c96840000000002000000010138026161076578616d706c6503636f6d000001000100000e1000047f0000010139c00e0001000100000e1000047f0000010474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020eb67e8b02e2e2464a688c420e5705e137ada69a9e56d65e1fb94fe4061a1bb091c9600000000
+endpacket
+
+# packet 18
+packet
+1c9684000000000200000000012a01630164076578616d706c6503636f6d000010000100000e1000222174657874207265636f72642077697468206d61696c207065726d697373696f6e73c00c000f000100000e1000070005026d78c012
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001012a01630164076578616d706c6503636f6d000010000100000e1000222174657874207265636f72642077697468206d61696c207065726d697373696f6e73c00c000f000100000e1000070005026d78c0120474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020b529a10450c8fbf8582b18e1de1cd23470f09c77ec0b7d8fff783067dac7eca91c9600000000
+endpacket
+
+# packet 19
+packet
+1c968400000000020000000004646f6e65076578616d706c6503636f6d000001000100000e100004010101010166c0110027000100000e10001101780166076578616d706c6503636f6d00
+endpacket
+call 1757420114 1
+check-packet
+1c968400000000020000000104646f6e65076578616d706c6503636f6d000001000100000e100004010101010166c0110027000100000e10001101780166076578616d706c6503636f6d000474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c00207742d4b6f182ff0f547a0f192ef85f5e7167739768a83a669816145995bd0be61c9600000000
+endpacket
+
+# packet 20
+packet
+1c9684000000000200000000026d78076578616d706c6503636f6d000001000100000e1000043ed26e07026e73c00f0001000100000e1000043ed26e07
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001026d78076578616d706c6503636f6d000001000100000e1000043ed26e07026e73c00f0001000100000e1000043ed26e070474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c00203139787980ff264c8a9eec8b90abe2456b10177a72d2ebc929e23c90c7af555b1c9600000000
+endpacket
+
+# packet 21
+packet
+1c9684000000000200000000027274076578616d706c6503636f6d000010000100000e1000130261620263640665662267682202696a026b6c03727432c00f0010000100000e10000d06616263646566056768696a6b
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000200000001027274076578616d706c6503636f6d000010000100000e1000130261620263640665662267682202696a026b6c03727432c00f0010000100000e10000d06616263646566056768696a6b0474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020bfedd8e7dd2cf2cfa4dd0eb2229c4aefe6e6efc6856aca79b1f2dbbf140f9eee1c9600000000
+endpacket
+
+# packet 22
+packet
+1c968400000000020000000003727433076578616d706c6503636f6d000010000100000e10001202616202636402656602676802696a026b6c03727434c0100010000100000e10000d06616263646566056768696a6b
+endpacket
+call 1757420114 1
+check-packet
+1c968400000000020000000103727433076578616d706c6503636f6d000010000100000e10001202616202636402656602676802696a026b6c03727434c0100010000100000e10000d06616263646566056768696a6b0474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020915c444174214b9876cbbfc2d5a3039af0a7a6e5a93eb592fa46436d48c732a81c9600000000
+endpacket
+
+# packet 23
+packet
+1c96840000000002000000000178076578616d706c6503636f6d000027000100000e10000f0179076578616d706c6503636f6d0003666f6f0179c00e0005000100000e10000704646f6e65c00e
+endpacket
+call 1757420114 1
+check-packet
+1c96840000000002000000010178076578616d706c6503636f6d000027000100000e10000f0179076578616d706c6503636f6d0003666f6f0179c00e0005000100000e10000704646f6e65c00e0474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020011049e9d4ab4cc0af1717e56077ff8a2be5030cb6b7b4a42aabe212dd7f34701c9600000000
+endpacket
+
+# packet 24
+packet
+1c9684000000000100000000076578616d706c6503636f6d000006000100000e100023c00c0a686f73746d6173746572c00c5cd7fffe00000e10000003840012750000000708
+endpacket
+call 1757420114 1
+check-packet
+1c9684000000000100000001076578616d706c6503636f6d000006000100000e100023c00c0a686f73746d6173746572c00c5cd7fffe00000e100000038400127500000007080474657374036b65790000fa00ff00000000003d0b686d61632d73686132353600000068c01a52012c0020b2559f077753cfb86c254c472dcfeb9010f5c924098bd12101006cd661926f951c9600000000
+endpacket
+# end of tsig-sign-reply-xfr test, example.com AXFR.
diff --git a/util/tsig.c b/util/tsig.c
index eb49ea459..2f9889772 100644
--- a/util/tsig.c
+++ b/util/tsig.c
@@ -2071,6 +2071,7 @@ tsig_sign_reply_xfr(struct tsig_data* tsig, struct sldns_buffer* pkt,
 	uint16_t current_query_id;
 	uint8_t timers_var_buf[64];
 	struct sldns_buffer timers_var;
+	struct tsig_key* key;
 
 	sldns_buffer_init_frm_data(&timers_var, timers_var_buf,
 		sizeof(timers_var_buf));
@@ -2121,7 +2122,6 @@ tsig_sign_reply_xfr(struct tsig_data* tsig, struct sldns_buffer* pkt,
 	if(tsig->num_updates == 0) {
 		/* Init the calc state for the new packet, or for the new
 		 * packet sequence. */
-		struct tsig_key* key;
 		if(tsig->calc_state) {
 			tsig_calc_state_delete(tsig->calc_state);
 			tsig->calc_state = NULL;
@@ -2212,8 +2212,20 @@ tsig_sign_reply_xfr(struct tsig_data* tsig, struct sldns_buffer* pkt,
 	sldns_buffer_write_u16_at(pkt, 0, current_query_id);
 	sldns_buffer_write(pkt, tsig->key_name, tsig->key_name_len);
 	aftername_pos = sldns_buffer_position(pkt);
-	tsig_append_rr(tsig, pkt, aftername_pos, tsig->algo_name,
-		tsig->algo_name_len, tsig->mac, tsig->mac_size);
+
+	/* Get the key for the algorithm name. */
+	lock_rw_rdlock(&key_table->lock);
+	key = tsig_key_table_search(key_table, tsig->key_name,
+		tsig->key_name_len);
+	if(!key) {
+		/* The tsig key has disappeared from the key table. */
+		lock_rw_unlock(&key_table->lock);
+		verbose(VERB_ALGO, "tsig_sign_reply_xfr: key not in table");
+		return 0;
+	}
+	tsig_append_rr(tsig, pkt, aftername_pos, key->algo->wireformat_name,
+		key->algo->wireformat_name_len, tsig->mac, tsig->mac_size);
+	lock_rw_unlock(&key_table->lock);
 	tsig->num_updates = 0;
 	return 1;
 }