/* nsec3_cache_compare for rbtree */ int nsec3_hash_cmp(const void* c1, const void* c2) { struct nsec3_cached_hash* h1 = (struct nsec3_cached_hash*)c1; struct nsec3_cached_hash* h2 = (struct nsec3_cached_hash*)c2; uint8_t* s1, *s2; size_t s1len, s2len; int c = query_dname_compare(h1->dname, h2->dname); if(c != 0) return c; /* compare parameters */ /* if both malformed, its equal, robustness */ if(nsec3_get_algo(h1->nsec3, h1->rr) != nsec3_get_algo(h2->nsec3, h2->rr)) { if(nsec3_get_algo(h1->nsec3, h1->rr) < nsec3_get_algo(h2->nsec3, h2->rr)) return -1; return 1; } if(nsec3_get_iter(h1->nsec3, h1->rr) != nsec3_get_iter(h2->nsec3, h2->rr)) { if(nsec3_get_iter(h1->nsec3, h1->rr) < nsec3_get_iter(h2->nsec3, h2->rr)) return -1; return 1; } (void)nsec3_get_salt(h1->nsec3, h1->rr, &s1, &s1len); (void)nsec3_get_salt(h2->nsec3, h2->rr, &s2, &s2len); if(s1len != s2len) { if(s1len < s2len) return -1; return 1; } return memcmp(s1, s2, s1len); }
int nsec3_get_params(struct ub_packed_rrset_key* rrset, int r, int* algo, size_t* iter, uint8_t** salt, size_t* saltlen) { if(!nsec3_known_algo(rrset, r) || nsec3_unknown_flags(rrset, r)) return 0; if(!nsec3_get_salt(rrset, r, salt, saltlen)) return 0; *algo = nsec3_get_algo(rrset, r); *iter = nsec3_get_iter(rrset, r); return 1; }
/** * Determine if any of the NSEC3 rrs iteration count is too high, from key. * @param ve: validator environment with iteration count config settings. * @param filter: what NSEC3s to loop over. * @param kkey: key entry used for verification; used for iteration counts. * @return 1 if some nsec3s are above the max iteration count. */ static int nsec3_iteration_count_high(struct val_env* ve, struct nsec3_filter* filter, struct key_entry_key* kkey) { size_t rrsetnum; int rrnum; struct ub_packed_rrset_key* rrset; /* first determine the max number of iterations */ size_t bits = key_entry_keysize(kkey); size_t max_iter = get_max_iter(ve, bits); verbose(VERB_ALGO, "nsec3: keysize %d bits, max iterations %d", (int)bits, (int)max_iter); for(rrset=filter_first(filter, &rrsetnum, &rrnum); rrset; rrset=filter_next(filter, &rrsetnum, &rrnum)) { if(nsec3_get_iter(rrset, rrnum) > max_iter) return 1; } return 0; }
/** perform hash of name */ static int nsec3_calc_hash(struct regional* region, sldns_buffer* buf, struct nsec3_cached_hash* c) { int algo = nsec3_get_algo(c->nsec3, c->rr); size_t iter = nsec3_get_iter(c->nsec3, c->rr); uint8_t* salt; size_t saltlen, i; if(!nsec3_get_salt(c->nsec3, c->rr, &salt, &saltlen)) return -1; /* prepare buffer for first iteration */ sldns_buffer_clear(buf); sldns_buffer_write(buf, c->dname, c->dname_len); query_dname_tolower(sldns_buffer_begin(buf)); sldns_buffer_write(buf, salt, saltlen); sldns_buffer_flip(buf); c->hash_len = nsec3_hash_algo_size_supported(algo); if(c->hash_len == 0) { log_err("nsec3 hash of unknown algo %d", algo); return -1; } c->hash = (uint8_t*)regional_alloc(region, c->hash_len); if(!c->hash) return 0; (void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf), sldns_buffer_limit(buf), (unsigned char*)c->hash); for(i=0; i<iter; i++) { sldns_buffer_clear(buf); sldns_buffer_write(buf, c->hash, c->hash_len); sldns_buffer_write(buf, salt, saltlen); sldns_buffer_flip(buf); (void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf), sldns_buffer_limit(buf), (unsigned char*)c->hash); } return 1; }
/** perform hash of name */ static int nsec3_calc_hash(struct regional* region, ldns_buffer* buf, struct nsec3_cached_hash* c) { int algo = nsec3_get_algo(c->nsec3, c->rr); size_t iter = nsec3_get_iter(c->nsec3, c->rr); uint8_t* salt; size_t saltlen, i; if(!nsec3_get_salt(c->nsec3, c->rr, &salt, &saltlen)) return -1; /* prepare buffer for first iteration */ ldns_buffer_clear(buf); ldns_buffer_write(buf, c->dname, c->dname_len); query_dname_tolower(ldns_buffer_begin(buf)); ldns_buffer_write(buf, salt, saltlen); ldns_buffer_flip(buf); switch(algo) { #if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS) case NSEC3_HASH_SHA1: #ifdef HAVE_SSL c->hash_len = SHA_DIGEST_LENGTH; #else c->hash_len = SHA1_LENGTH; #endif c->hash = (uint8_t*)regional_alloc(region, c->hash_len); if(!c->hash) return 0; # ifdef HAVE_SSL (void)SHA1((unsigned char*)ldns_buffer_begin(buf), (unsigned long)ldns_buffer_limit(buf), (unsigned char*)c->hash); # else (void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)c->hash, (unsigned char*)ldns_buffer_begin(buf), (unsigned long)ldns_buffer_limit(buf)); # endif for(i=0; i<iter; i++) { ldns_buffer_clear(buf); ldns_buffer_write(buf, c->hash, c->hash_len); ldns_buffer_write(buf, salt, saltlen); ldns_buffer_flip(buf); # ifdef HAVE_SSL (void)SHA1( (unsigned char*)ldns_buffer_begin(buf), (unsigned long)ldns_buffer_limit(buf), (unsigned char*)c->hash); # else (void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)c->hash, (unsigned char*)ldns_buffer_begin(buf), (unsigned long)ldns_buffer_limit(buf)); # endif } break; #endif /* HAVE_EVP_SHA1 or NSS */ default: log_err("nsec3 hash of unknown algo %d", algo); return -1; } return 1; }