From 3807bf00da282a4b5ff1b2c97138c08c96e10ec8 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Fri, 27 Jun 2025 10:59:36 +0200 Subject: [PATCH] - xfr-tsig, unit test for tsig_sign_reply. --- testcode/unittsig.c | 99 ++++++++++++++++++++++++++++++++++++++++++++ testdata/tsig_test.1 | 23 ++++++++-- 2 files changed, 119 insertions(+), 3 deletions(-) diff --git a/testcode/unittsig.c b/testcode/unittsig.c index bfc806616..b73c89ccd 100644 --- a/testcode/unittsig.c +++ b/testcode/unittsig.c @@ -43,6 +43,7 @@ #include "util/net_help.h" #include "testcode/unitmain.h" #include "sldns/parseutil.h" +#include "sldns/pkthdr.h" #include "sldns/sbuffer.h" #include "sldns/str2wire.h" #include "sldns/wire2str.h" 
@@ -772,6 +773,102 @@ handle_tsig_verify_shared(char* line, struct tsig_key_table* key_table, unit_assert(ret == expected_result); } +/** Handle the tsig-sign-reply */ +static void +handle_tsig_sign_reply(char* line, FILE* in, const char* fname, + struct tsig_key_table* key_table, struct sldns_buffer* pkt) +{ + char* arg = get_arg_on_line(line, "tsig-sign-reply"); + char* s, *timestr, *expected_rcode_str, *expectedstr2; + int expected_rcode, expected_result2, ret; + uint64_t timepoint; + struct tsig_data* tsig; + size_t pos; + uint8_t buf[65536]; + sldns_buffer reply_pkt; + + s = arg; + timestr = get_next_arg_on_line(&s); + expected_rcode_str = get_next_arg_on_line(&s); + expectedstr2 = get_next_arg_on_line(&s); + + timepoint = (uint64_t)atoll(timestr); + if(timepoint == 0 && strcmp(timestr, "0") != 0) + fatal_exit("expected time argument for %s", timestr); + expected_rcode = str2wire_rcode(expected_rcode_str); + if(expected_rcode == 0 && strcmp(expected_rcode_str, "0") != 0 && + strcmp(expected_rcode_str, "NOERROR") != 0 && + strcmp(expected_rcode_str, "RCODE0") != 0) + fatal_exit("expected rcode argument for %s", expected_rcode_str); + expected_result2 = atoi(expectedstr2); + if(expected_result2 == 0 && strcmp(expectedstr2, "0") != 0) + fatal_exit("expected int argument for %s", expectedstr2); + + sldns_buffer_init_frm_data(&reply_pkt, buf, sizeof(buf)); + if(!read_packet_hex("", &reply_pkt, in, fname)) + fatal_exit("Could not read reply packet"); + if(vtest >= 2) { + char* str = sldns_wire2str_pkt(sldns_buffer_begin(&reply_pkt), + sldns_buffer_limit(&reply_pkt)); + if(str) + printf("reply packet: %s\n", str); + else + printf("could not wire2str_pkt\n"); + free(str); + } + + if(vtest) { + char bufrc[16]; + sldns_wire2str_rcode_buf(expected_rcode, bufrc, sizeof(bufrc)); + printf("tsig-sign-reply with %d %s %d\n", (int)timepoint, + bufrc, expected_result2); + } + + /* Verify the query in the packet buffer. Use that TSIG to sign + * a reply. 
*/ + if(!tsig_find_rr(pkt)) { + if(vtest) + printf("tsig-verify-query found no TSIG RR\n"); + unit_assert(0); + return; + } + ret = tsig_parse_verify_query(key_table, pkt, &tsig, NULL, timepoint); + if(vtest) { + char bufrc[16]; + sldns_wire2str_rcode_buf(expected_rcode, bufrc, sizeof(bufrc)); + if(ret == expected_rcode) + printf("verify ok, ret %s\n", bufrc); + else + printf("verify returned %d, expected result %d %s\n", + ret, expected_rcode, bufrc); + } + unit_assert(ret == expected_rcode); + + /* Put position at the end of the packet to sign it. */ + pos = sldns_buffer_limit(&reply_pkt); + sldns_buffer_clear(&reply_pkt); + sldns_buffer_set_position(&reply_pkt, pos); + if(ret != 0) { + /* There was an error, set the rcode for it */ + LDNS_RCODE_SET(sldns_buffer_begin(&reply_pkt), ret); + } + + ret = tsig_sign_reply(tsig, &reply_pkt, key_table, timepoint); + sldns_buffer_flip(pkt); + + if(vtest) { + if(ret == expected_result2) + printf("function ok, %s\n", (ret?"success":"fail")); + else + printf("function returned %d, expected result %d\n", + ret, expected_result2); + } + unit_assert(ret == expected_result2); + + tsig_delete(tsig); + sldns_buffer_flip(&reply_pkt); + sldns_buffer_copy(pkt, &reply_pkt); +} /** Handle one line from the TSIG test file */ static void @@ -800,6 +897,8 @@ handle_line(char* line, struct tsig_key_table* key_table, handle_tsig_sign_shared(s, key_table, pkt); } else if(strncmp(s, "tsig-verify-shared", 18) == 0) { handle_tsig_verify_shared(s, key_table, pkt); + } else if(strncmp(s, "tsig-sign-reply", 15) == 0) { + handle_tsig_sign_reply(s, in,fname, key_table, pkt); } else if(strncmp(s, "#", 1) == 0) { /* skip comment */ } else if(strcmp(s, "") == 0) { diff --git a/testdata/tsig_test.1 b/testdata/tsig_test.1 index bf3feb9a5..d74bd1076 100644 --- a/testdata/tsig_test.1 +++ b/testdata/tsig_test.1 
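Review bot: In handle_tsig_sign_reply, `tsig` is declared without an initializer and is then passed to tsig_sign_reply() and tsig_delete() even when tsig_parse_verify_query() returned a non-zero rcode. Whether the callee assigns `*tsig` on every error path is not visible in this hunk, so declare it as `struct tsig_data* tsig = NULL;` and add `unit_assert(tsig != NULL);` before signing. The `sldns_buffer_flip(pkt);` right after tsig_sign_reply() acts on the query buffer, which `sldns_buffer_copy(pkt, &reply_pkt)` overwrites a few lines later, so it looks like a leftover or was meant for `&reply_pkt`. The verbose message under `!tsig_find_rr(pkt)` still names `tsig-verify-query` rather than `tsig-sign-reply`. The three pointers from get_next_arg_on_line() go straight into atoll()/atoi()/strcmp(); presumably that helper never returns NULL, but a short comment saying so (or a NULL check with fatal_exit) would make a truncated test line fail cleanly.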
@@ -142,7 +142,24 @@ endpacket tsig-verify-query . 1750419725 FORMERR NOERROR 0 +# www.example.net A +packet +e707002000010000000000020377777707657861 +6d706c65036e6574000001000100002910000000 +000000000474657374036b65790000fa00ff0000 +0000003a08686d61632d6d6435077369672d616c +670372656703696e740000006855490d012c0010 +c00e00f1bafa240f41ee9cbe507b9802e7070000 +0000 +endpacket + +tsig-sign-reply 1750419725 NOERROR 1 +e707840000010001000000010377777707657861 +6d706c65036e65740000010001c00c0001000100 +000e1000040a141e2800002904d0000000000000 +endpacket + # reply for www.example.net A -#packet -#e7078400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003a08686d61632d6d6435077369672d616c670372656703696e740000006855490d012c0010dc3c138476fcb04cc138aa5c59647b86e70700000000 -#endpacket +check-packet +e7078400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003a08686d61632d6d6435077369672d616c670372656703696e740000006855490d012c0010dc3c138476fcb04cc138aa5c59647b86e70700000000 +endpacket -- 2.47.3
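Review bot: The only `tsig-sign-reply` case added here expects `NOERROR 1`, so the `ret != 0` branch of handle_tsig_sign_reply that writes the error rcode into the reply header is never exercised by this data. The query's TSIG rdata names `hmac-md5.sig-alg.reg.int` with a 16-byte MAC, so the signing path is covered for HMAC-MD5 only. Consider adding a second vector where verification is expected to fail (for example a timepoint outside the fudge window) together with its expected `check-packet`. If the key table in this file can hold an HMAC-SHA-2 key, a vector signed with it would cover the algorithms deployments are expected to use. A comment above the new block such as `# sign a reply using the TSIG state from the verified query above` would also document why the `packet` and `tsig-sign-reply` stanzas must stay adjacent.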