Lines Matching refs:rrsig
241 DnsResourceRecord *rrsig, in dnssec_rsa_verify() argument
250 assert(rrsig); in dnssec_rsa_verify()
288 rrsig->rrsig.signature, rrsig->rrsig.signature_size, in dnssec_rsa_verify()
453 DnsResourceRecord *rrsig, in dnssec_ecdsa_verify() argument
462 assert(rrsig); in dnssec_ecdsa_verify()
477 if (rrsig->rrsig.signature_size != key_size * 2) in dnssec_ecdsa_verify()
487 rrsig->rrsig.signature, key_size, in dnssec_ecdsa_verify()
488 (uint8_t*) rrsig->rrsig.signature + key_size, key_size, in dnssec_ecdsa_verify()
604 DnsResourceRecord *rrsig, in dnssec_eddsa_verify() argument
618 if (rrsig->rrsig.signature_size != key_size * 2) in dnssec_eddsa_verify()
623 rrsig->rrsig.signature, rrsig->rrsig.signature_size, in dnssec_eddsa_verify()
661 static int dnssec_rrsig_prepare(DnsResourceRecord *rrsig) { in dnssec_rrsig_prepare() argument
669 assert(rrsig); in dnssec_rrsig_prepare()
670 assert(rrsig->key->type == DNS_TYPE_RRSIG); in dnssec_rrsig_prepare()
673 if (rrsig->n_skip_labels_source != UINT8_MAX) in dnssec_rrsig_prepare()
676 if (rrsig->rrsig.inception > rrsig->rrsig.expiration) in dnssec_rrsig_prepare()
679 name = dns_resource_key_name(rrsig->key); in dnssec_rrsig_prepare()
684 if (rrsig->rrsig.labels > n_key_labels) in dnssec_rrsig_prepare()
687 n_signer_labels = dns_name_count_labels(rrsig->rrsig.signer); in dnssec_rrsig_prepare()
690 if (n_signer_labels > rrsig->rrsig.labels) in dnssec_rrsig_prepare()
700 r = dns_name_equal(name, rrsig->rrsig.signer); in dnssec_rrsig_prepare()
707 rrsig->n_skip_labels_source = n_key_labels - rrsig->rrsig.labels; in dnssec_rrsig_prepare()
708 rrsig->n_skip_labels_signer = n_key_labels - n_signer_labels; in dnssec_rrsig_prepare()
713 static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) { in dnssec_rrsig_expired() argument
716 assert(rrsig); in dnssec_rrsig_expired()
717 assert(rrsig->key->type == DNS_TYPE_RRSIG); in dnssec_rrsig_expired()
722 expiration = rrsig->rrsig.expiration * USEC_PER_SEC; in dnssec_rrsig_expired()
723 inception = rrsig->rrsig.inception * USEC_PER_SEC; in dnssec_rrsig_expired()
781 DnsResourceRecord *rrsig) { in dnssec_fix_rrset_ttl() argument
785 assert(rrsig); in dnssec_fix_rrset_ttl()
793 rr->ttl = MIN3(rr->ttl, rrsig->rrsig.original_ttl, rrsig->ttl); in dnssec_fix_rrset_ttl()
794 rr->expiry = rrsig->rrsig.expiration * USEC_PER_SEC; in dnssec_fix_rrset_ttl()
797 rr->n_skip_labels_source = rrsig->n_skip_labels_source; in dnssec_fix_rrset_ttl()
798 rr->n_skip_labels_signer = rrsig->n_skip_labels_signer; in dnssec_fix_rrset_ttl()
801 rrsig->expiry = rrsig->rrsig.expiration * USEC_PER_SEC; in dnssec_fix_rrset_ttl()
805 DnsResourceRecord *rrsig, in dnssec_rrset_serialize_sig() argument
820 assert(rrsig); in dnssec_rrset_serialize_sig()
830 fwrite_uint16(f, rrsig->rrsig.type_covered); in dnssec_rrset_serialize_sig()
831 fwrite_uint8(f, rrsig->rrsig.algorithm); in dnssec_rrset_serialize_sig()
832 fwrite_uint8(f, rrsig->rrsig.labels); in dnssec_rrset_serialize_sig()
833 fwrite_uint32(f, rrsig->rrsig.original_ttl); in dnssec_rrset_serialize_sig()
834 fwrite_uint32(f, rrsig->rrsig.expiration); in dnssec_rrset_serialize_sig()
835 fwrite_uint32(f, rrsig->rrsig.inception); in dnssec_rrset_serialize_sig()
836 fwrite_uint16(f, rrsig->rrsig.key_tag); in dnssec_rrset_serialize_sig()
838 …r = dns_name_to_wire_format(rrsig->rrsig.signer, wire_format_name, sizeof(wire_format_name), true); in dnssec_rrset_serialize_sig()
860 fwrite_uint32(f, rrsig->rrsig.original_ttl); in dnssec_rrset_serialize_sig()
880 DnsResourceRecord *rrsig, in dnssec_rrset_verify_sig() argument
885 assert(rrsig); in dnssec_rrset_verify_sig()
903 switch (rrsig->rrsig.algorithm) { in dnssec_rrset_verify_sig()
907 rrsig->rrsig.algorithm, in dnssec_rrset_verify_sig()
909 rrsig, in dnssec_rrset_verify_sig()
916 md_algorithm = algorithm_to_implementation_id(rrsig->rrsig.algorithm); in dnssec_rrset_verify_sig()
955 switch (rrsig->rrsig.algorithm) { in dnssec_rrset_verify_sig()
964 rrsig, in dnssec_rrset_verify_sig()
971 rrsig->rrsig.algorithm, in dnssec_rrset_verify_sig()
973 rrsig, in dnssec_rrset_verify_sig()
984 DnsResourceRecord *rrsig, in dnssec_verify_rrset() argument
998 assert(rrsig); in dnssec_verify_rrset()
1001 assert(rrsig->key->type == DNS_TYPE_RRSIG); in dnssec_verify_rrset()
1008 r = dnssec_rrsig_prepare(rrsig); in dnssec_verify_rrset()
1016 r = dnssec_rrsig_expired(rrsig, realtime); in dnssec_verify_rrset()
1027 if (dns_type_apex_only(rrsig->rrsig.type_covered)) { in dnssec_verify_rrset()
1028 r = dns_name_equal(rrsig->rrsig.signer, name); in dnssec_verify_rrset()
1038 if (rrsig->rrsig.type_covered == DNS_TYPE_DS) { in dnssec_verify_rrset()
1039 r = dns_name_equal(rrsig->rrsig.signer, name); in dnssec_verify_rrset()
1049 r = dns_name_suffix(name, rrsig->rrsig.labels, &source); in dnssec_verify_rrset()
1052 if (r > 0 && !dns_type_may_wildcard(rrsig->rrsig.type_covered)) { in dnssec_verify_rrset()
1097 r = dnssec_rrset_serialize_sig(rrsig, source, list, n, wildcard, in dnssec_verify_rrset()
1102 r = dnssec_rrset_verify_sig(rrsig, dnskey, sig_data, sig_size); in dnssec_verify_rrset()
1112 dnssec_fix_rrset_ttl(list, n, rrsig); in dnssec_verify_rrset()
1124 int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok)… in dnssec_rrsig_match_dnskey() argument
1126 assert(rrsig); in dnssec_rrsig_match_dnskey()
1132 if (rrsig->key->type != DNS_TYPE_RRSIG) in dnssec_rrsig_match_dnskey()
1137 if (dnskey->key->class != rrsig->key->class) in dnssec_rrsig_match_dnskey()
1145 if (dnskey->dnskey.algorithm != rrsig->rrsig.algorithm) in dnssec_rrsig_match_dnskey()
1148 if (dnssec_keytag(dnskey, false) != rrsig->rrsig.key_tag) in dnssec_rrsig_match_dnskey()
1151 return dns_name_equal(dns_resource_key_name(dnskey->key), rrsig->rrsig.signer); in dnssec_rrsig_match_dnskey()
1154 int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig) { in dnssec_key_match_rrsig() argument
1156 assert(rrsig); in dnssec_key_match_rrsig()
1160 if (rrsig->key->type != DNS_TYPE_RRSIG) in dnssec_key_match_rrsig()
1162 if (rrsig->key->class != key->class) in dnssec_key_match_rrsig()
1164 if (rrsig->rrsig.type_covered != key->type) in dnssec_key_match_rrsig()
1167 return dns_name_equal(dns_resource_key_name(rrsig->key), dns_resource_key_name(key)); in dnssec_key_match_rrsig()
1179 DnsResourceRecord *rrsig; in dnssec_verify_rrset_search() local
1191 DNS_ANSWER_FOREACH(rrsig, a) { in dnssec_verify_rrset_search()
1196 r = dnssec_key_match_rrsig(key, rrsig); in dnssec_verify_rrset_search()
1212 r = dnssec_rrsig_match_dnskey(rrsig, dnskey, false); in dnssec_verify_rrset_search()
1229 r = dnssec_verify_rrset(a, key, rrsig, dnskey, realtime, &one_result); in dnssec_verify_rrset_search()
1240 *ret_rrsig = rrsig; in dnssec_verify_rrset_search()
2496 DnsResourceRecord *rrsig, in dnssec_verify_rrset() argument
2504 int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok)… in dnssec_rrsig_match_dnskey() argument
2509 int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig) { in dnssec_key_match_rrsig() argument