val_nsec3.c (287917) | val_nsec3.c (292206) |
---|---|
1/* | 1/* |
2 * validator/val_nsec3.c - validator NSEC3 denial of existance functions. | 2 * validator/val_nsec3.c - validator NSEC3 denial of existence functions. |
3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: --- 22 unchanged lines hidden (view full) --- 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with NSEC3 checking, the different NSEC3 proofs | 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: --- 22 unchanged lines hidden (view full) --- 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with NSEC3 checking, the different NSEC3 proofs |
41 * for denial of existance, and proofs for presence of types. | 41 * for denial of existence, and proofs for presence of types. |
42 */ 43#include "config.h" 44#include <ctype.h> | 42 */ 43#include "config.h" 44#include <ctype.h> |
45#ifdef HAVE_OPENSSL_SSL_H 46#include "openssl/ssl.h" 47#endif 48#ifdef HAVE_NSS 49/* nss3 */ 50#include "sechash.h" 51#endif | |
52#include "validator/val_nsec3.h" | 45#include "validator/val_nsec3.h" |
46#include "validator/val_secalgo.h" |
|
53#include "validator/validator.h" 54#include "validator/val_kentry.h" 55#include "services/cache/rrset.h" 56#include "util/regional.h" 57#include "util/rbtree.h" 58#include "util/module.h" 59#include "util/net_help.h" 60#include "util/data/packed_rrset.h" --- 304 unchanged lines hidden (view full) --- 365 } 366 } 367 return NULL; 368} 369 370/** 371 * Start iterating over NSEC3 records. 372 * @param filter: the filter structure, must have been filter_init-ed. | 47#include "validator/validator.h" 48#include "validator/val_kentry.h" 49#include "services/cache/rrset.h" 50#include "util/regional.h" 51#include "util/rbtree.h" 52#include "util/module.h" 53#include "util/net_help.h" 54#include "util/data/packed_rrset.h" --- 304 unchanged lines hidden (view full) --- 359 } 360 } 361 return NULL; 362} 363 364/** 365 * Start iterating over NSEC3 records. 366 * @param filter: the filter structure, must have been filter_init-ed. |
373 * @param rrsetnum: can be undefined on call, inited. 374 * @param rrnum: can be undefined on call, inited. | 367 * @param rrsetnum: can be undefined on call, initialised. 368 * @param rrnum: can be undefined on call, initialised. |
375 * @return first rrset of an NSEC3, together with rrnum this points to 376 * the first RR to examine. Is NULL on empty list. 377 */ 378static struct ub_packed_rrset_key* 379filter_first(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum) 380{ 381 *rrsetnum = 0; 382 *rrnum = -1; --- 157 unchanged lines hidden (view full) --- 540{ 541 size_t i, hash_len; 542 /* prepare buffer for first iteration */ 543 sldns_buffer_clear(buf); 544 sldns_buffer_write(buf, nm, nmlen); 545 query_dname_tolower(sldns_buffer_begin(buf)); 546 sldns_buffer_write(buf, salt, saltlen); 547 sldns_buffer_flip(buf); | 369 * @return first rrset of an NSEC3, together with rrnum this points to 370 * the first RR to examine. Is NULL on empty list. 371 */ 372static struct ub_packed_rrset_key* 373filter_first(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum) 374{ 375 *rrsetnum = 0; 376 *rrnum = -1; --- 157 unchanged lines hidden (view full) --- 534{ 535 size_t i, hash_len; 536 /* prepare buffer for first iteration */ 537 sldns_buffer_clear(buf); 538 sldns_buffer_write(buf, nm, nmlen); 539 query_dname_tolower(sldns_buffer_begin(buf)); 540 sldns_buffer_write(buf, salt, saltlen); 541 sldns_buffer_flip(buf); |
548 switch(algo) { 549#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS) 550 case NSEC3_HASH_SHA1: 551#ifdef HAVE_SSL 552 hash_len = SHA_DIGEST_LENGTH; 553#else 554 hash_len = SHA1_LENGTH; 555#endif 556 if(hash_len > max) 557 return 0; 558# ifdef HAVE_SSL 559 (void)SHA1((unsigned char*)sldns_buffer_begin(buf), 560 (unsigned long)sldns_buffer_limit(buf), 561 (unsigned char*)res); 562# else 563 (void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)res, 564 (unsigned char*)sldns_buffer_begin(buf), 565 (unsigned long)sldns_buffer_limit(buf)); 566# endif 567 for(i=0; i<iter; i++) { 568 sldns_buffer_clear(buf); 569 sldns_buffer_write(buf, res, hash_len); 570 sldns_buffer_write(buf, salt, saltlen); 571 sldns_buffer_flip(buf); 572# ifdef HAVE_SSL 573 (void)SHA1( 574 (unsigned char*)sldns_buffer_begin(buf), 575 (unsigned long)sldns_buffer_limit(buf), 576 (unsigned char*)res); 577# else 578 (void)HASH_HashBuf(HASH_AlgSHA1, 579 (unsigned char*)res, 580 (unsigned char*)sldns_buffer_begin(buf), 581 (unsigned long)sldns_buffer_limit(buf)); 582# endif 583 } 584 break; 585#endif /* HAVE_EVP_SHA1 or NSS */ 586 default: 587 log_err("nsec3 hash of unknown algo %d", algo); | 542 hash_len = nsec3_hash_algo_size_supported(algo); 543 if(hash_len == 0) { 544 log_err("nsec3 hash of unknown algo %d", algo); 545 return 0; 546 } 547 if(hash_len > max) 548 return 0; 549 if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf), 550 sldns_buffer_limit(buf), (unsigned char*)res)) 551 return 0; 552 for(i=0; i<iter; i++) { 553 sldns_buffer_clear(buf); 554 sldns_buffer_write(buf, res, hash_len); 555 sldns_buffer_write(buf, salt, saltlen); 556 sldns_buffer_flip(buf); 557 if(!secalgo_nsec3_hash(algo, 558 (unsigned char*)sldns_buffer_begin(buf), 559 sldns_buffer_limit(buf), (unsigned char*)res)) |
588 return 0; 589 } 590 return hash_len; 591} 592 593/** perform hash of name */ 594static int 595nsec3_calc_hash(struct regional* region, sldns_buffer* buf, --- 6 unchanged lines hidden (view full) --- 602 if(!nsec3_get_salt(c->nsec3, c->rr, &salt, &saltlen)) 603 return -1; 604 /* prepare buffer for first iteration */ 605 sldns_buffer_clear(buf); 606 sldns_buffer_write(buf, c->dname, c->dname_len); 607 query_dname_tolower(sldns_buffer_begin(buf)); 608 sldns_buffer_write(buf, salt, saltlen); 609 sldns_buffer_flip(buf); | 560 return 0; 561 } 562 return hash_len; 563} 564 565/** perform hash of name */ 566static int 567nsec3_calc_hash(struct regional* region, sldns_buffer* buf, --- 6 unchanged lines hidden (view full) --- 574 if(!nsec3_get_salt(c->nsec3, c->rr, &salt, &saltlen)) 575 return -1; 576 /* prepare buffer for first iteration */ 577 sldns_buffer_clear(buf); 578 sldns_buffer_write(buf, c->dname, c->dname_len); 579 query_dname_tolower(sldns_buffer_begin(buf)); 580 sldns_buffer_write(buf, salt, saltlen); 581 sldns_buffer_flip(buf); |
610 switch(algo) { 611#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS) 612 case NSEC3_HASH_SHA1: 613#ifdef HAVE_SSL 614 c->hash_len = SHA_DIGEST_LENGTH; 615#else 616 c->hash_len = SHA1_LENGTH; 617#endif 618 c->hash = (uint8_t*)regional_alloc(region, 619 c->hash_len); 620 if(!c->hash) 621 return 0; 622# ifdef HAVE_SSL 623 (void)SHA1((unsigned char*)sldns_buffer_begin(buf), 624 (unsigned long)sldns_buffer_limit(buf), 625 (unsigned char*)c->hash); 626# else 627 (void)HASH_HashBuf(HASH_AlgSHA1, 628 (unsigned char*)c->hash, 629 (unsigned char*)sldns_buffer_begin(buf), 630 (unsigned long)sldns_buffer_limit(buf)); 631# endif 632 for(i=0; i<iter; i++) { 633 sldns_buffer_clear(buf); 634 sldns_buffer_write(buf, c->hash, c->hash_len); 635 sldns_buffer_write(buf, salt, saltlen); 636 sldns_buffer_flip(buf); 637# ifdef HAVE_SSL 638 (void)SHA1( 639 (unsigned char*)sldns_buffer_begin(buf), 640 (unsigned long)sldns_buffer_limit(buf), 641 (unsigned char*)c->hash); 642# else 643 (void)HASH_HashBuf(HASH_AlgSHA1, 644 (unsigned char*)c->hash, 645 (unsigned char*)sldns_buffer_begin(buf), 646 (unsigned long)sldns_buffer_limit(buf)); 647# endif 648 } 649 break; 650#endif /* HAVE_EVP_SHA1 or NSS */ 651 default: 652 log_err("nsec3 hash of unknown algo %d", algo); 653 return -1; | 582 c->hash_len = nsec3_hash_algo_size_supported(algo); 583 if(c->hash_len == 0) { 584 log_err("nsec3 hash of unknown algo %d", algo); 585 return -1; |
654 } | 586 } |
587 c->hash = (uint8_t*)regional_alloc(region, c->hash_len); 588 if(!c->hash) 589 return 0; 590 (void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf), 591 sldns_buffer_limit(buf), (unsigned char*)c->hash); 592 for(i=0; i<iter; i++) { 593 sldns_buffer_clear(buf); 594 sldns_buffer_write(buf, c->hash, c->hash_len); 595 sldns_buffer_write(buf, salt, saltlen); 596 sldns_buffer_flip(buf); 597 (void)secalgo_nsec3_hash(algo, 598 (unsigned char*)sldns_buffer_begin(buf), 599 sldns_buffer_limit(buf), (unsigned char*)c->hash); 600 } |
|
655 return 1; 656} 657 658/** perform b32 encoding of hash */ 659static int 660nsec3_calc_b32(struct regional* region, sldns_buffer* buf, 661 struct nsec3_cached_hash* c) 662{ --- 826 unchanged lines hidden --- | 601 return 1; 602} 603 604/** perform b32 encoding of hash */ 605static int 606nsec3_calc_b32(struct regional* region, sldns_buffer* buf, 607 struct nsec3_cached_hash* c) 608{ --- 826 unchanged lines hidden --- |
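Review bot: In nsec3_calc_hash (new side, lines 590 and 597) the return value of secalgo_nsec3_hash() is discarded with a `(void)` cast, whereas the same call in nsec3_hash_dname (new side, lines 549 and 557) is checked and fails the function when it returns zero. If the backend hash call can fail, c->hash is left holding whatever regional_alloc() handed back — presumably uninitialised memory — and the function still returns 1, so a bogus digest would be matched against NSEC3 owner names as though it were a valid hash. The unknown-algorithm path a few lines earlier already returns -1, so the same value seems the right failure result here: `if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf), sldns_buffer_limit(buf), (unsigned char*)c->hash)) return -1;` at 590, and the equivalent check on the per-iteration call at 597. The opening lines of nsec3_calc_hash (between 567 and 574) are hidden from this view, so how callers distinguish 0 from -1 cannot be confirmed here.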