resolved: rename dnssec_verify_dnskey() → dnssec_verify_dnskey_by_ds()
This should clarify that this is not regular signature-based validation, but validation through DS RR fingerprints.
This commit is contained in:
Lennart Poettering
parent
93a3b9294f
commit
96bb76734d
|
|
@ -1070,7 +1070,7 @@ static int digest_to_gcrypt_md(uint8_t algorithm) {
|
|||
}
|
||||
}
|
||||
|
||||
int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) {
|
||||
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) {
|
||||
char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX];
|
||||
gcry_md_hd_t md = NULL;
|
||||
size_t hash_size;
|
||||
|
|
@ -1140,7 +1140,7 @@ finish:
|
|||
return r;
|
||||
}
|
||||
|
||||
int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) {
|
||||
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) {
|
||||
DnsResourceRecord *ds;
|
||||
DnsAnswerFlags flags;
|
||||
int r;
|
||||
|
|
@ -1166,7 +1166,7 @@ int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_
|
|||
if (r == 0)
|
||||
continue;
|
||||
|
||||
r = dnssec_verify_dnskey(dnskey, ds, false);
|
||||
r = dnssec_verify_dnskey_by_ds(dnskey, ds, false);
|
||||
if (IN_SET(r, -EKEYREJECTED, -EOPNOTSUPP))
|
||||
return 0; /* The DNSKEY is revoked or otherwise invalid, or we don't support the digest algorithm */
|
||||
if (r < 0)
|
||||
|
|
|
|||
|
|
@ -61,8 +61,8 @@ int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
|
|||
int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
|
||||
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);
|
||||
|
||||
int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
|
||||
int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
|
||||
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
|
||||
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
|
||||
|
||||
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);
|
||||
|
||||
|
|
|
|||
|
|
@ -1950,7 +1950,7 @@ static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
|
|||
|
||||
DNS_ANSWER_FOREACH_IFINDEX(rr, ifindex, t->answer) {
|
||||
|
||||
r = dnssec_verify_dnskey_search(rr, t->validated_keys);
|
||||
r = dnssec_verify_dnskey_by_ds_search(rr, t->validated_keys);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r == 0)
|
||||
|
|
|
|||
|
|
@ -665,7 +665,7 @@ static int dns_trust_anchor_check_revoked_one(DnsTrustAnchor *d, DnsResourceReco
|
|||
* DS fingerprint will be the one of the
|
||||
* unrevoked DNSKEY, but the one we got passed
|
||||
* here has the bit set. */
|
||||
r = dnssec_verify_dnskey(revoked_dnskey, anchor, true);
|
||||
r = dnssec_verify_dnskey_by_ds(revoked_dnskey, anchor, true);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r == 0)
|
||||
|
|
|
|||
|
|
@ -270,8 +270,8 @@ static void test_dnssec_verify_dns_key(void) {
|
|||
log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
|
||||
log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
|
||||
|
||||
assert_se(dnssec_verify_dnskey(dnskey, ds1, false) > 0);
|
||||
assert_se(dnssec_verify_dnskey(dnskey, ds2, false) > 0);
|
||||
assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds1, false) > 0);
|
||||
assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds2, false) > 0);
|
||||
}
|
||||
|
||||
static void test_dnssec_canonicalize_one(const char *original, const char *canonical, int r) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue