Lines matching refs:rrsig (each hit is prefixed with its line number in the source file; lines between hits are not shown)

263                 DnsResourceRecord *rrsig,
272 assert(rrsig);
310 rrsig->rrsig.signature, rrsig->rrsig.signature_size,
410 DnsResourceRecord *rrsig,
419 assert(rrsig);
434 if (rrsig->rrsig.signature_size != key_size * 2)
444 rrsig->rrsig.signature, key_size,
445 (uint8_t*) rrsig->rrsig.signature + key_size, key_size,
464 static int dnssec_rrsig_prepare(DnsResourceRecord *rrsig) {
472 assert(rrsig);
473 assert(rrsig->key->type == DNS_TYPE_RRSIG);
476 if (rrsig->n_skip_labels_source != (unsigned) -1)
479 if (rrsig->rrsig.inception > rrsig->rrsig.expiration)
482 name = DNS_RESOURCE_KEY_NAME(rrsig->key);
487 if (rrsig->rrsig.labels > n_key_labels)
490 n_signer_labels = dns_name_count_labels(rrsig->rrsig.signer);
493 if (n_signer_labels > rrsig->rrsig.labels)
503 r = dns_name_equal(name, rrsig->rrsig.signer);
509 rrsig->n_skip_labels_source = n_key_labels - rrsig->rrsig.labels;
510 rrsig->n_skip_labels_signer = n_key_labels - n_signer_labels;
515 static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
518 assert(rrsig);
519 assert(rrsig->key->type == DNS_TYPE_RRSIG);
524 expiration = rrsig->rrsig.expiration * USEC_PER_SEC;
525 inception = rrsig->rrsig.inception * USEC_PER_SEC;
587 DnsResourceRecord *rrsig,
594 assert(rrsig);
602 rr->ttl = MIN3(rr->ttl, rrsig->rrsig.original_ttl, rrsig->ttl);
603 rr->expiry = rrsig->rrsig.expiration * USEC_PER_SEC;
606 rr->n_skip_labels_source = rrsig->n_skip_labels_source;
607 rr->n_skip_labels_signer = rrsig->n_skip_labels_signer;
610 rrsig->expiry = rrsig->rrsig.expiration * USEC_PER_SEC;
616 DnsResourceRecord *rrsig,
632 assert(rrsig);
635 assert(rrsig->key->type == DNS_TYPE_RRSIG);
639 * using the signature "rrsig" and the key "dnskey". It's
642 md_algorithm = algorithm_to_gcrypt_md(rrsig->rrsig.algorithm);
650 r = dnssec_rrsig_prepare(rrsig);
658 r = dnssec_rrsig_expired(rrsig, realtime);
669 if (dns_type_apex_only(rrsig->rrsig.type_covered)) {
670 r = dns_name_equal(rrsig->rrsig.signer, name);
680 if (rrsig->rrsig.type_covered == DNS_TYPE_DS) {
681 r = dns_name_equal(rrsig->rrsig.signer, name);
691 r = dns_name_suffix(name, rrsig->rrsig.labels, &source);
694 if (r > 0 && !dns_type_may_wildcard(rrsig->rrsig.type_covered)) {
749 md_add_uint16(md, rrsig->rrsig.type_covered);
750 md_add_uint8(md, rrsig->rrsig.algorithm);
751 md_add_uint8(md, rrsig->rrsig.labels);
752 md_add_uint32(md, rrsig->rrsig.original_ttl);
753 md_add_uint32(md, rrsig->rrsig.expiration);
754 md_add_uint32(md, rrsig->rrsig.inception);
755 md_add_uint16(md, rrsig->rrsig.key_tag);
757 r = dns_name_to_wire_format(rrsig->rrsig.signer, wire_format_name, sizeof(wire_format_name), true);
779 md_add_uint32(md, rrsig->rrsig.original_ttl);
794 switch (rrsig->rrsig.algorithm) {
803 rrsig,
811 rrsig->rrsig.algorithm,
813 rrsig,
823 dnssec_fix_rrset_ttl(list, n, rrsig, realtime);
839 int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok) {
841 assert(rrsig);
847 if (rrsig->key->type != DNS_TYPE_RRSIG)
852 if (dnskey->key->class != rrsig->key->class)
860 if (dnskey->dnskey.algorithm != rrsig->rrsig.algorithm)
863 if (dnssec_keytag(dnskey, false) != rrsig->rrsig.key_tag)
866 return dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), rrsig->rrsig.signer);
869 int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig) {
871 assert(rrsig);
875 if (rrsig->key->type != DNS_TYPE_RRSIG)
877 if (rrsig->key->class != key->class)
879 if (rrsig->rrsig.type_covered != key->type)
882 return dns_name_equal(DNS_RESOURCE_KEY_NAME(rrsig->key), DNS_RESOURCE_KEY_NAME(key));
894 DnsResourceRecord *rrsig;
906 DNS_ANSWER_FOREACH(rrsig, a) {
911 r = dnssec_key_match_rrsig(key, rrsig);
927 r = dnssec_rrsig_match_dnskey(rrsig, dnskey, false);
944 r = dnssec_verify_rrset(a, key, rrsig, dnskey, realtime, &one_result);
955 *ret_rrsig = rrsig;
2124 DnsResourceRecord *rrsig,
2132 int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok) {
2137 int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig) {