1/* |
2 * validator/val_nsec3.c - validator NSEC3 denial of existence functions. |
3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: --- 22 unchanged lines hidden (view full) --- 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with NSEC3 checking, the different NSEC3 proofs |
41 * for denial of existence, and proofs for presence of types. |
42 */ 43#include "config.h" 44#include <ctype.h> |
45#include "validator/val_nsec3.h" |
46#include "validator/val_secalgo.h" |
47#include "validator/validator.h" 48#include "validator/val_kentry.h" 49#include "services/cache/rrset.h" 50#include "util/regional.h" 51#include "util/rbtree.h" 52#include "util/module.h" 53#include "util/net_help.h" 54#include "util/data/packed_rrset.h" --- 304 unchanged lines hidden (view full) --- 359 } 360 } 361 return NULL; 362} 363 364/** 365 * Start iterating over NSEC3 records. 366 * @param filter: the filter structure, must have been filter_init-ed. |
367 * @param rrsetnum: can be undefined on call, initialised. 368 * @param rrnum: can be undefined on call, initialised. |
369 * @return first rrset of an NSEC3, together with rrnum this points to 370 * the first RR to examine. Is NULL on empty list. 371 */ 372static struct ub_packed_rrset_key* 373filter_first(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum) 374{ 375 *rrsetnum = 0; 376 *rrnum = -1; --- 157 unchanged lines hidden (view full) --- 534{ 535 size_t i, hash_len; 536 /* prepare buffer for first iteration */ 537 sldns_buffer_clear(buf); 538 sldns_buffer_write(buf, nm, nmlen); 539 query_dname_tolower(sldns_buffer_begin(buf)); 540 sldns_buffer_write(buf, salt, saltlen); 541 sldns_buffer_flip(buf); |
542 hash_len = nsec3_hash_algo_size_supported(algo); 543 if(hash_len == 0) { 544 log_err("nsec3 hash of unknown algo %d", algo); 545 return 0; 546 } 547 if(hash_len > max) 548 return 0; 549 if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf), 550 sldns_buffer_limit(buf), (unsigned char*)res)) 551 return 0; 552 for(i=0; i<iter; i++) { 553 sldns_buffer_clear(buf); 554 sldns_buffer_write(buf, res, hash_len); 555 sldns_buffer_write(buf, salt, saltlen); 556 sldns_buffer_flip(buf); 557 if(!secalgo_nsec3_hash(algo, 558 (unsigned char*)sldns_buffer_begin(buf), 559 sldns_buffer_limit(buf), (unsigned char*)res)) |
560 return 0; 561 } 562 return hash_len; 563} 564 565/** perform hash of name */ 566static int 567nsec3_calc_hash(struct regional* region, sldns_buffer* buf, --- 6 unchanged lines hidden (view full) --- 574 if(!nsec3_get_salt(c->nsec3, c->rr, &salt, &saltlen)) 575 return -1; 576 /* prepare buffer for first iteration */ 577 sldns_buffer_clear(buf); 578 sldns_buffer_write(buf, c->dname, c->dname_len); 579 query_dname_tolower(sldns_buffer_begin(buf)); 580 sldns_buffer_write(buf, salt, saltlen); 581 sldns_buffer_flip(buf); |
582 c->hash_len = nsec3_hash_algo_size_supported(algo); 583 if(c->hash_len == 0) { 584 log_err("nsec3 hash of unknown algo %d", algo); 585 return -1; |
586 } |
587 c->hash = (uint8_t*)regional_alloc(region, c->hash_len); 588 if(!c->hash) 589 return 0; 590 (void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf), 591 sldns_buffer_limit(buf), (unsigned char*)c->hash); 592 for(i=0; i<iter; i++) { 593 sldns_buffer_clear(buf); 594 sldns_buffer_write(buf, c->hash, c->hash_len); 595 sldns_buffer_write(buf, salt, saltlen); 596 sldns_buffer_flip(buf); 597 (void)secalgo_nsec3_hash(algo, 598 (unsigned char*)sldns_buffer_begin(buf), 599 sldns_buffer_limit(buf), (unsigned char*)c->hash); 600 } |
601 return 1; 602} 603 604/** perform b32 encoding of hash */ 605static int 606nsec3_calc_b32(struct regional* region, sldns_buffer* buf, 607 struct nsec3_cached_hash* c) 608{ --- 826 unchanged lines hidden --- |
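Review bot: In nsec3_calc_hash (the calls at 590 and 597) both secalgo_nsec3_hash() results are discarded with a (void) cast, while the parallel code in nsec3_hash_name (549 and 557) checks the same call and fails with `return 0;`. If the digest call fails, c->hash keeps whatever regional_alloc() handed back and the function still returns 1, so an unfilled buffer would be compared against NSEC3 owner names as if it were the computed hash. Suggest checking both call sites the same way as in nsec3_hash_name, e.g. `if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf), sldns_buffer_limit(buf), (unsigned char*)c->hash)) return -1;`, using -1 to mirror the unknown-algorithm path just above; how callers distinguish -1 from 0 is not visible here, so pick whichever value they treat as a hard failure. The start of nsec3_calc_hash, including the declarations of algo, iter and salt, is hidden above the hunk.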