
[2157] fix checks for response is TSIG signed or not

Yoshitaka Aharen 12 years ago
parent
commit
3c564a11e1

+ 3 - 0
src/bin/auth/auth_srv.cc

@@ -467,6 +467,7 @@ makeErrorMessage(MessageRenderer& renderer, Message& message,
     RendererHolder holder(renderer, &buffer, stats_attrs);
     if (tsig_context.get() != NULL) {
         message.toWire(renderer, *tsig_context);
+        stats_attrs.setResponseSigTSIG(true);
     } else {
         message.toWire(renderer);
     }
@@ -687,6 +688,7 @@ AuthSrvImpl::processNormalQuery(const IOMessage& io_message,
     renderer_.setLengthLimit(udp_buffer ? remote_bufsize : 65535);
     if (tsig_context.get() != NULL) {
         message.toWire(renderer_, *tsig_context);
+        stats_attrs.setResponseSigTSIG(true);
     } else {
         message.toWire(renderer_);
     }
@@ -818,6 +820,7 @@ AuthSrvImpl::processNotify(const IOMessage& io_message, Message& message,
     RendererHolder holder(renderer_, &buffer, stats_attrs);
     if (tsig_context.get() != NULL) {
         message.toWire(renderer_, *tsig_context);
+        stats_attrs.setResponseSigTSIG(true);
     } else {
         message.toWire(renderer_);
     }

+ 1 - 2
src/bin/auth/statistics.cc.pre

@@ -174,8 +174,7 @@ Counters::incResponse(const MessageAttributes& msgattrs,
     }
 
     // response TSIG
-    if (msgattrs.getRequestSigTSIG()) {
-        // assume response is TSIG signed if request is TSIG signed
+    if (msgattrs.getResponseSigTSIG()) {
         server_msg_counter_.inc(MSG_RESPONSE_TSIG);
     }
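Review bot: `incResponse` now depends on every rendering path having called `setResponseSigTSIG`; a future path that signs with a TSIG context but omits the setter will silently under-count, which is the opposite failure mode of the old "assume signed if the request was" heuristic, and nothing in this function can detect it. Suggest replacing the bare `// response TSIG` comment with `// response TSIG: set by the rendering path via MessageAttributes::setResponseSigTSIG(); a path that signs without setting it is under-counted here`. The enclosing `Counters::incResponse` starts and ends outside the hunk.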
 

+ 24 - 9
src/bin/auth/statistics.h

@@ -59,11 +59,12 @@ private:
     TransportProtocol req_transport_protocol_; // Transport layer protocol
     Opcode req_opcode_;                        // OpCode
     enum BitAttributes {
-        REQ_IS_EDNS_0,              // EDNS ver.0
-        REQ_IS_DNSSEC_OK,           // DNSSEC OK (DO) bit is set
-        REQ_IS_TSIG,                // signed with valid TSIG
-        REQ_IS_BADSIG,              // signed but bad signature
-        RES_IS_TRUNCATED,           // DNS message is truncated
+        REQ_IS_EDNS_0,              // request is EDNS ver.0
+        REQ_IS_DNSSEC_OK,           // DNSSEC OK (DO) bit is set in request
+        REQ_IS_TSIG,                // request is signed with valid TSIG
+        REQ_IS_BADSIG,              // request is signed but bad signature
+        RES_IS_TRUNCATED,           // response is truncated
+        RES_IS_TSIG_SIGNED,         // response is TSIG signed
         BIT_ATTRIBUTES_TYPES
     };
     std::bitset<BIT_ATTRIBUTES_TYPES> bit_attributes_;
@@ -71,10 +72,10 @@ public:
     /// \brief The constructor.
     ///
     /// \throw None
-    MessageAttributes() : req_ip_version_(IP_VERSION_UNSPEC),
-                          req_transport_protocol_(TRANSPORT_UNSPEC),
-                          req_opcode_(Opcode::RESERVED15_CODE),
-                          bit_attributes_()
+    MessageAttributes() :
+        req_ip_version_(IP_VERSION_UNSPEC),
+        req_transport_protocol_(TRANSPORT_UNSPEC),
+        req_opcode_(Opcode::RESERVED15_CODE), bit_attributes_()
     {}
 
     /// \brief Return request opcode.
@@ -188,6 +189,20 @@ public:
     void setResponseTruncated(const bool is_truncated) {
         bit_attributes_[RES_IS_TRUNCATED] = is_truncated;
     }
+
+    /// \brief Return TSIG attributes of the response.
+    /// \return true if the response is TSIG signed
+    /// \throw None
+    bool getResponseSigTSIG() const {
+        return (bit_attributes_[RES_IS_TSIG_SIGNED]);
+    }
+
+    /// \brief Set TSIG attributes of the response.
+    /// \param is_tsig_signed true if the response is TSIG signed
+    /// \throw None
+    void setResponseSigTSIG(const bool is_tsig_signed) {
+        bit_attributes_[RES_IS_TSIG_SIGNED] = is_tsig_signed;
+    }
 };
 
 /// \brief Set of DNS message counters.
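Review bot: The new getter/setter say only that "the response is TSIG signed", but do not say who is responsible for setting the bit, that it defaults to false (so a forgotten setter reads as an unsigned response), or that `Counters::incResponse` consumes it to bump `MSG_RESPONSE_TSIG`. Suggest extending the setter brief with `/// Must be called by the code that renders the response with a TSIG context; defaults to false, so an attribute left unset is counted as an unsigned response.` `BitAttributes` is a plain enum used as the `std::bitset` index, and appending `RES_IS_TSIG_SIGNED` ahead of `BIT_ATTRIBUTES_TYPES` is correct; a comment `// keep BIT_ATTRIBUTES_TYPES last: it is the bitset size` would guard the ordering for the next addition. The `MessageAttributes` class header is outside the hunk.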

+ 1 - 0
src/bin/auth/tests/auth_srv_unittest.cc

@@ -923,6 +923,7 @@ TEST_F(AuthSrvTest, TSIGSigned) {
     expectCounterItem(stats_after->get("request"), "badsig", 0);
     expectCounterItem(stats_after, "responses", 1);
     expectCounterItem(stats_after, "qryauthans", 1);
+    expectCounterItem(stats_after->get("response"), "tsig", 1);
 }
 
 // Same test emulating the UDPServer class behavior (defined in libasiolink).
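Review bot: The added assertion pins `response/tsig` only for the signed-request case; a regression that sets the response flag unconditionally, or never clears it between messages, would still pass because no test asserts the counter stays at 0 after an unsigned or badly-signed query. Suggest adding `expectCounterItem(stats_after->get("response"), "tsig", 0);` to the sibling tests that send an unsigned request and a BADSIG request, if such tests exist — they are not visible here. `TEST_F(AuthSrvTest, TSIGSigned)` starts outside the hunk.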

+ 13 - 11
src/bin/auth/tests/statistics_unittest.cc.pre

@@ -317,19 +317,21 @@ TEST_F(CountersTest, incrementTSIG) {
     std::map<std::string, int> expect;
 
     // Test these patterns:
-    //      signature  badsig
-    //     -------------------
-    //      (none)     false
-    //      TSIG       false
-    //      TSIG       true
+    //      request signature  badsig   response signature
+    //     -----------------------------------------------
+    //      (none)             false    (none)
+    //      TSIG               false    TSIG
+    //      TSIG               true     (none)
     //
     // badsig can't be true if the message does not have signature.
     int count_req_tsig = 0, count_res_tsig = 0, count_badsig = 0;
     for (int i = 0; i < 3; ++i) {
-        const bool is_tsig = (i == 2) ? true : i & 1;
+        const bool is_req_tsig = (i == 2) ? true : i & 1;
+        const bool is_res_tsig = i & 1;
         const bool is_badsig = i & 2;
         buildSkeletonMessage(msgattrs);
-        msgattrs.setRequestSig(is_tsig, is_badsig);
+        msgattrs.setRequestSig(is_req_tsig, is_badsig);
+        msgattrs.setResponseSigTSIG(is_res_tsig);
 
         response.setRcode(Rcode::REFUSED());
         response.addQuestion(Question(Name("example.com"),
@@ -339,11 +341,11 @@ TEST_F(CountersTest, incrementTSIG) {
         // don't increment response counters if signature is bad
         counters.inc(msgattrs, response, !is_badsig);
 
-        if (is_tsig) {
+        if (is_req_tsig) {
             ++count_req_tsig;
-            if (!is_badsig) {
-                ++count_res_tsig;
-            }
+        }
+        if (is_res_tsig) {
+            ++count_res_tsig;
         }
         if (is_badsig) {
             ++count_badsig;
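Review bot: `const bool is_req_tsig = (i == 2) ? true : i & 1;` at L144 mixes a bool literal with an int bit-test in one conditional and has to be decoded against the table above; for the three iterations it is equivalent to `const bool is_req_tsig = (i != 0);`, which reads directly off the table's request column. The table comment could also state the invariant the third row relies on, e.g. `// a response is only signed when the request's signature verified`, so the (none) entry is not mistaken for an oversight. `TEST_F(CountersTest, incrementTSIG)` starts outside the hunk.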