1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00

resolved: rename dnssec_verify_dnskey() → dnssec_verify_dnskey_by_ds()

This should clarify that this is not regular signature-based validation, but validation through DS RR fingerprints.
This commit is contained in:
Lennart Poettering 2016-01-14 20:11:11 +01:00
parent 93a3b9294f
commit 96bb76734d
5 changed files with 9 additions and 9 deletions

View File

@ -1070,7 +1070,7 @@ static int digest_to_gcrypt_md(uint8_t algorithm) {
}
}
int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) {
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) {
char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX];
gcry_md_hd_t md = NULL;
size_t hash_size;
@ -1140,7 +1140,7 @@ finish:
return r;
}
int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) {
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) {
DnsResourceRecord *ds;
DnsAnswerFlags flags;
int r;
@ -1166,7 +1166,7 @@ int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_
if (r == 0)
continue;
r = dnssec_verify_dnskey(dnskey, ds, false);
r = dnssec_verify_dnskey_by_ds(dnskey, ds, false);
if (IN_SET(r, -EKEYREJECTED, -EOPNOTSUPP))
return 0; /* The DNSKEY is revoked or otherwise invalid, or we don't support the digest algorithm */
if (r < 0)

View File

@ -61,8 +61,8 @@ int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);
int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);

View File

@ -1950,7 +1950,7 @@ static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
DNS_ANSWER_FOREACH_IFINDEX(rr, ifindex, t->answer) {
r = dnssec_verify_dnskey_search(rr, t->validated_keys);
r = dnssec_verify_dnskey_by_ds_search(rr, t->validated_keys);
if (r < 0)
return r;
if (r == 0)

View File

@ -665,7 +665,7 @@ static int dns_trust_anchor_check_revoked_one(DnsTrustAnchor *d, DnsResourceReco
* DS fingerprint will be the one of the
* unrevoked DNSKEY, but the one we got passed
* here has the bit set. */
r = dnssec_verify_dnskey(revoked_dnskey, anchor, true);
r = dnssec_verify_dnskey_by_ds(revoked_dnskey, anchor, true);
if (r < 0)
return r;
if (r == 0)

View File

@ -270,8 +270,8 @@ static void test_dnssec_verify_dns_key(void) {
log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
assert_se(dnssec_verify_dnskey(dnskey, ds1, false) > 0);
assert_se(dnssec_verify_dnskey(dnskey, ds2, false) > 0);
assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds1, false) > 0);
assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds2, false) > 0);
}
static void test_dnssec_canonicalize_one(const char *original, const char *canonical, int r) {