requestor: temporary fix for missing last message TSIG check

src/knot/events/handlers/refresh.c

@@ -726,11 +726,13 @@ static int transfer_consume(knot_layer_t *layer, knot_pkt_t *pkt)
 		                 LOG_DIRECTION_IN, data->remote, &data->stats);
 
 		/*
-		 * TODO: Add TSIG check, or move finialization into finish
+		 * TODO: Move finialization into finish
 		 * callback. And update requestor to allow reset from fallback
 		 * as we need IXFR to AXFR failover.
 		 */
-		#warning SECURITY: final TSIG packet is not verified yet
+		if (tsig_unsigned_count(layer->tsig) != 0) {
+			return KNOT_STATE_FAIL;
+		}
 
 		// Finalize and publish the zone
 		int ret = data->is_ixfr ? ixfr_finalize(data) : axfr_finalize(data);

src/knot/query/layer.h

@@ -18,6 +18,7 @@
 
 #include "libknot/packet/pkt.h"
 #include "libknot/mm_ctx.h"
+#include "knot/nameserver/tsig_ctx.h"
 
 /*!
  * \brief Layer processing states.
@@ -46,6 +47,7 @@ struct knot_layer {
 	enum knot_layer_state state;  //!< Processing state.
 	void *data;                   //!< Module specific.
 	const struct knot_layer_api *api;
+	tsig_ctx_t *tsig;             //!< TODO: remove
 };
 
 /*! \brief Packet processing module API. */

src/knot/query/requestor.c

@@ -292,6 +292,8 @@ int knot_requestor_exec(struct knot_requestor *requestor,
 
 	int ret = KNOT_EOK;
 
+	requestor->layer.tsig = &request->tsig;
+
 	/* Do I/O until the processing is satisifed or fails. */
 	while (layer_active(requestor->layer.state)) {
 		ret = request_io(requestor, request, timeout_ms);