resolved: optimize dnssec_verify_rrset() a bit

Let's determine the source of synthesis once instead of for each RR in the RRset.

1 files changed, 16 insertions, 12 deletions

diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 6f5a61a41d..8dfb5edbc0 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -513,8 +513,9 @@ int dnssec_verify_rrset(
         DnsResourceRecord **list, *rr;
         gcry_md_hd_t md = NULL;
         int r, md_algorithm;
-        bool wildcard = false;
         size_t k, n = 0;
+        bool wildcard;
+        const char *source;
 
         assert(key);
         assert(rrsig);
@@ -543,6 +544,12 @@ int dnssec_verify_rrset(
                 return 0;
         }
 
+        /* Determine the "Source of Synthesis" and whether this is a wildcard RRSIG */
+        r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(key), rrsig->rrsig.labels, &source);
+        if (r < 0)
+                return r;
+        wildcard = r > 0;
+
         /* Collect all relevant RRs in a single array, so that we can look at the RRset */
         list = newa(DnsResourceRecord *, dns_answer_size(a));
 
@@ -593,22 +600,19 @@ int dnssec_verify_rrset(
                 goto finish;
         gcry_md_write(md, wire_format_name, r);
 
+        /* Convert the source of synthesis into wire format */
+        r = dns_name_to_wire_format(source, wire_format_name, sizeof(wire_format_name), true);
+        if (r < 0)
+                goto finish;
+
         for (k = 0; k < n; k++) {
-                const char *suffix;
                 size_t l;
+
                 rr = list[k];
 
-                r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rrsig->rrsig.labels, &suffix);
-                if (r < 0)
-                        goto finish;
-                if (r > 0) /* This is a wildcard! */ {
+                /* Hash the source of synthesis. If this is a wildcard, then prefix it with the *. label */
+                if (wildcard)
                         gcry_md_write(md, (uint8_t[]) { 1, '*'}, 2);
-                        wildcard = true;
-                }
-
-                r = dns_name_to_wire_format(suffix, wire_format_name, sizeof(wire_format_name), true);
-                if (r < 0)
-                        goto finish;
                 gcry_md_write(md, wire_format_name, r);
 
                 md_add_uint16(md, rr->key->type);