
PowerDNS / pdns / 18370591226

09 Oct 2025 08:40AM UTC coverage: 64.094% (-0.04%) from 64.136%
18370591226

Pull #16224

github

web-flow
Merge b58891300 into 152db0df0
Pull Request #16224: dnsdist: Fix a typo in the XSK documentation

42757 of 101504 branches covered (42.12%)

Branch coverage included in aggregate %.

129859 of 167814 relevant lines covered (77.38%)

5755713.48 hits per line


77.22
/pdns/tsigverifier.cc
#include "tsigverifier.hh"
#include "dnssecinfra.hh"
#include "gss_context.hh"
// Feeds one message of a TCP (AXFR) response into the running TSIG check.
//
// data is the raw message and mdp its parsed form. The raw bytes are
// accumulated in d_signData until a message has to be verified; at that point
// validateTSIG() is called over everything accumulated so far and the
// per-chunk state is reset.
//
// Returns true in every non-throwing case; the function never returns false.
// A missing TSIG, an over-long run of unverified messages and a failed
// validation are all reported by throwing std::runtime_error.
//
// When d_tt.name is empty the function returns true without inspecting the
// message at all, so nothing is authenticated on that path (presumably "no
// TSIG key configured for this transfer" -- confirm at the call site that an
// empty name cannot occur where a key is required).
//
// NOTE(review): in the coverage report this listing was taken from, none of
// the three throw statements, the getTSIGPos() == 0 branch and the
// unsigned-message branch were executed, so the rejection paths of this
// verifier were not exercised by that run.
bool TSIGTCPVerifier::check(const string& data, const MOADNSParser& mdp)
{
  if (d_tt.name.empty()) {
    return true;
  }

  // Several messages may have to be digested together, so keep appending the
  // raw bytes. The TSIG position is tracked alongside so the record can be
  // removed in makeTSIGMessageFromTSIGPacket.
  d_signData.append(data);
  const auto tsigOffset = mdp.getTSIGPos();
  if (tsigOffset != 0) {
    d_tsigPos += tsigOffset;
  }
  else {
    // No TSIG position reported for this message: skip over all of it.
    d_tsigPos += data.size();
  }

  string theirMac;
  bool mustVerify = false;

  for (const auto& record : mdp.d_answers) {
    if (record.d_type == QType::SOA) {
      // A SOA is either the first or the last record of the transfer, and
      // those messages have to be verified.
      mustVerify = true;
    }

    if (record.d_type != QType::TSIG) {
      continue;
    }

    const auto tsigContent = getRR<TSIGRecordContent>(record);
    if (!tsigContent) {
      // NOTE(review): a TSIG-typed record whose content is not a
      // TSIGRecordContent is skipped, so the message is treated as unsigned
      // unless it also carries a SOA -- confirm this is intended.
      continue;
    }

    theirMac = tsigContent->d_mac;
    d_trc.d_time = tsigContent->d_time;
    d_trc.d_fudge = tsigContent->d_fudge;
    d_trc.d_eRcode = tsigContent->d_eRcode;
    d_trc.d_origID = tsigContent->d_origID;
    mustVerify = true;
  }

  if (!mustVerify) {
    // The counter is tested before it is incremented: counting from a reset,
    // 100 consecutive messages are accepted without verification and the
    // next one is rejected.
    if (d_nonSignedMessages > 99) {
      throw std::runtime_error("No TSIG message received in last 100 messages of AXFR transfer.");
    }
    d_nonSignedMessages++;
    return true;
  }

  // Reached with an empty MAC only when a SOA forced verification and no
  // usable TSIG record was found in the same message.
  if (theirMac.empty()) {
    throw std::runtime_error("No TSIG on AXFR response from "+d_remote.toStringWithPort()+" , should be signed with TSIG key '"+d_tt.name.toLogString()+"'");
  }

  try {
    if (d_prevMac.empty()) {
      // No MAC stored from an earlier verified message of this transfer:
      // d_trc.d_mac is passed as the previous MAC.
      validateTSIG(d_signData, d_tsigPos, d_tt, d_trc, d_trc.d_mac, theirMac, false);
    }
    else {
      // Chain to the MAC of the last verified message. The last argument is
      // the size of d_signData before this message was appended; presumably
      // it tells validateTSIG where the current message starts -- confirm
      // against validateTSIG's declaration.
      validateTSIG(d_signData, d_tsigPos, d_tt, d_trc, d_prevMac, theirMac, true, d_signData.size()-data.size());
    }
  }
  catch (const std::runtime_error& err) {
    // Re-thrown with the remote endpoint added for context.
    throw std::runtime_error("Error while validating TSIG signature on AXFR response from "+d_remote.toStringWithPort()+":"+err.what());
  }

  // Verification succeeded: remember this MAC for the next chunk and start a
  // fresh accumulation window.
  d_prevMac = std::move(theirMac);
  d_nonSignedMessages = 0;
  d_signData.clear();
  d_tsigPos = 0;

  return true;
}