/* nsec3_cache_compare for rbtree */
int
nsec3_hash_cmp(const void* c1, const void* c2)
{
struct nsec3_cached_hash* h1 = (struct nsec3_cached_hash*)c1;
struct nsec3_cached_hash* h2 = (struct nsec3_cached_hash*)c2;
uint8_t* s1, *s2;
size_t s1len, s2len;
int c = query_dname_compare(h1->dname, h2->dname);
if(c != 0)
return c;
/* compare parameters */
/* if both malformed, its equal, robustness */
if(nsec3_get_algo(h1->nsec3, h1->rr) !=
nsec3_get_algo(h2->nsec3, h2->rr)) {
if(nsec3_get_algo(h1->nsec3, h1->rr) <
nsec3_get_algo(h2->nsec3, h2->rr))
return -1;
return 1;
}
if(nsec3_get_iter(h1->nsec3, h1->rr) !=
nsec3_get_iter(h2->nsec3, h2->rr)) {
if(nsec3_get_iter(h1->nsec3, h1->rr) <
nsec3_get_iter(h2->nsec3, h2->rr))
return -1;
return 1;
}
(void)nsec3_get_salt(h1->nsec3, h1->rr, &s1, &s1len);
(void)nsec3_get_salt(h2->nsec3, h2->rr, &s2, &s2len);
if(s1len != s2len) {
if(s1len < s2len)
return -1;
return 1;
}
return memcmp(s1, s2, s1len);
}
int nsec3_get_params(struct ub_packed_rrset_key* rrset, int r,
int* algo, size_t* iter, uint8_t** salt, size_t* saltlen)
{
if(!nsec3_known_algo(rrset, r) || nsec3_unknown_flags(rrset, r))
return 0;
if(!nsec3_get_salt(rrset, r, salt, saltlen))
return 0;
*algo = nsec3_get_algo(rrset, r);
*iter = nsec3_get_iter(rrset, r);
return 1;
}
/**
* Determine if any of the NSEC3 rrs iteration count is too high, from key.
* @param ve: validator environment with iteration count config settings.
* @param filter: what NSEC3s to loop over.
* @param kkey: key entry used for verification; used for iteration counts.
* @return 1 if some nsec3s are above the max iteration count.
*/
static int
nsec3_iteration_count_high(struct val_env* ve, struct nsec3_filter* filter,
struct key_entry_key* kkey)
{
size_t rrsetnum;
int rrnum;
struct ub_packed_rrset_key* rrset;
/* first determine the max number of iterations */
size_t bits = key_entry_keysize(kkey);
size_t max_iter = get_max_iter(ve, bits);
verbose(VERB_ALGO, "nsec3: keysize %d bits, max iterations %d",
(int)bits, (int)max_iter);
for(rrset=filter_first(filter, &rrsetnum, &rrnum); rrset;
rrset=filter_next(filter, &rrsetnum, &rrnum)) {
if(nsec3_get_iter(rrset, rrnum) > max_iter)
return 1;
}
return 0;
}
/** perform hash of name */
static int
nsec3_calc_hash(struct regional* region, sldns_buffer* buf,
struct nsec3_cached_hash* c)
{
int algo = nsec3_get_algo(c->nsec3, c->rr);
size_t iter = nsec3_get_iter(c->nsec3, c->rr);
uint8_t* salt;
size_t saltlen, i;
if(!nsec3_get_salt(c->nsec3, c->rr, &salt, &saltlen))
return -1;
/* prepare buffer for first iteration */
sldns_buffer_clear(buf);
sldns_buffer_write(buf, c->dname, c->dname_len);
query_dname_tolower(sldns_buffer_begin(buf));
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
c->hash_len = nsec3_hash_algo_size_supported(algo);
if(c->hash_len == 0) {
log_err("nsec3 hash of unknown algo %d", algo);
return -1;
}
c->hash = (uint8_t*)regional_alloc(region, c->hash_len);
if(!c->hash)
return 0;
(void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
sldns_buffer_limit(buf), (unsigned char*)c->hash);
for(i=0; i<iter; i++) {
sldns_buffer_clear(buf);
sldns_buffer_write(buf, c->hash, c->hash_len);
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
(void)secalgo_nsec3_hash(algo,
(unsigned char*)sldns_buffer_begin(buf),
sldns_buffer_limit(buf), (unsigned char*)c->hash);
}
return 1;
}
/** perform hash of name */
static int
nsec3_calc_hash(struct regional* region, ldns_buffer* buf,
struct nsec3_cached_hash* c)
{
int algo = nsec3_get_algo(c->nsec3, c->rr);
size_t iter = nsec3_get_iter(c->nsec3, c->rr);
uint8_t* salt;
size_t saltlen, i;
if(!nsec3_get_salt(c->nsec3, c->rr, &salt, &saltlen))
return -1;
/* prepare buffer for first iteration */
ldns_buffer_clear(buf);
ldns_buffer_write(buf, c->dname, c->dname_len);
query_dname_tolower(ldns_buffer_begin(buf));
ldns_buffer_write(buf, salt, saltlen);
ldns_buffer_flip(buf);
switch(algo) {
#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
case NSEC3_HASH_SHA1:
#ifdef HAVE_SSL
c->hash_len = SHA_DIGEST_LENGTH;
#else
c->hash_len = SHA1_LENGTH;
#endif
c->hash = (uint8_t*)regional_alloc(region,
c->hash_len);
if(!c->hash)
return 0;
# ifdef HAVE_SSL
(void)SHA1((unsigned char*)ldns_buffer_begin(buf),
(unsigned long)ldns_buffer_limit(buf),
(unsigned char*)c->hash);
# else
(void)HASH_HashBuf(HASH_AlgSHA1,
(unsigned char*)c->hash,
(unsigned char*)ldns_buffer_begin(buf),
(unsigned long)ldns_buffer_limit(buf));
# endif
for(i=0; i<iter; i++) {
ldns_buffer_clear(buf);
ldns_buffer_write(buf, c->hash, c->hash_len);
ldns_buffer_write(buf, salt, saltlen);
ldns_buffer_flip(buf);
# ifdef HAVE_SSL
(void)SHA1(
(unsigned char*)ldns_buffer_begin(buf),
(unsigned long)ldns_buffer_limit(buf),
(unsigned char*)c->hash);
# else
(void)HASH_HashBuf(HASH_AlgSHA1,
(unsigned char*)c->hash,
(unsigned char*)ldns_buffer_begin(buf),
(unsigned long)ldns_buffer_limit(buf));
# endif
}
break;
#endif /* HAVE_EVP_SHA1 or NSS */
default:
log_err("nsec3 hash of unknown algo %d", algo);
return -1;
}
return 1;
}
