return kr_ok();
}
if (rr->type == KNOT_RRTYPE_NSEC3 && rr->rrs.count
- && knot_nsec3_iters(rr->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) {
+ && kr_nsec3_limited_rdata(rr->rrs.rdata)) {
/* This shouldn't happen often, thanks to downgrades during validation. */
VERBOSE_MSG(qry, "=> skipping NSEC3 with too many iterations\n");
return kr_ok();
.data = (uint8_t *)/*const-cast*/name,
};
- if (kr_fails_assert(nsec_p->libknot.iterations <= KR_NSEC3_MAX_ITERATIONS)) {
+ if (kr_fails_assert(!kr_nsec3_limited_params(&nsec_p->libknot))) {
/* This is mainly defensive; it shouldn't happen thanks to downgrades. */
return VAL_EMPTY;
}
return kr_error(EINVAL);
if (!name)
return kr_error(EINVAL);
- if (kr_fails_assert(params->iterations <= KR_NSEC3_MAX_ITERATIONS)) {
+ if (kr_fails_assert(!kr_nsec3_limited_params(params))) {
/* This if is mainly defensive; it shouldn't happen. */
return kr_error(EINVAL);
}
const knot_rrset_t *rrset = knot_pkt_rr(sec, i);
if (rrset->type != KNOT_RRTYPE_NSEC3)
continue;
- if (knot_nsec3_iters(rrset->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) {
+ if (kr_nsec3_limited_rdata(rrset->rrs.rdata)) {
/* Avoid hashing with too many iterations.
* If we get here, the `sname` wildcard probably ends up bogus,
* but it gets downgraded to KR_RANK_INSECURE when validator
#pragma once
#include <libknot/packet/pkt.h>
+#include <libknot/rrtype/nsec3.h>
+#include <libdnssec/nsec.h>
+
+
+static inline unsigned int kr_nsec3_price(unsigned int iterations, unsigned int salt_len)
+{
+ // SHA1 works on 64-byte chunks.
+ // On iterating we hash the salt + 20 bytes of the previous hash.
+ int chunks_per_iter = (20 + salt_len - 1) / 64 + 1;
+ return (iterations + 1) * chunks_per_iter;
+}
/** High numbers in NSEC3 iterations don't really help security
*
- * ...so we avoid doing all the work. The value is a current compromise;
- * zones shooting over get downgraded to insecure status.
+ * ...so we avoid doing all the work. The limit is a current compromise;
+ * answers using NSEC3 over kr_nsec3_limited* get downgraded to insecure status.
*
https://datatracker.ietf.org/doc/html/rfc9276#name-recommendation-for-validati
*/
-#define KR_NSEC3_MAX_ITERATIONS 50
+static inline bool kr_nsec3_limited(unsigned int iterations, unsigned int salt_len)
+{
+ const int MAX_ITERATIONS = 50; // limit with short salt length
+ return kr_nsec3_price(iterations, salt_len) > MAX_ITERATIONS + 1;
+}
+static inline bool kr_nsec3_limited_rdata(const knot_rdata_t *rd)
+{
+ return kr_nsec3_limited(knot_nsec3_iters(rd), knot_nsec3_salt_len(rd));
+}
+static inline bool kr_nsec3_limited_params(const dnssec_nsec3_params_t *params)
+{
+ return kr_nsec3_limited(params->iterations, params->salt.size);
+}
+
/**
* Name error response check (RFC5155 7.2.2).
* KNOT_ERANGE - NSEC3 RR that covers a wildcard
* has been found, but has opt-out flag set;
* otherwise - error.
- * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get kr_error(ENOENT).
+ * Too expensive NSEC3 records are skipped, so you probably get kr_error(ENOENT).
*/
int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
const knot_dname_t *sname, int trim_to_next);
const knot_rdataset_t *rrs = &e->rr->rrs;
knot_rdata_t *rd = rrs->rdata;
for (int j = 0; j < rrs->count; ++j, rd = knot_rdataset_next(rd)) {
- if (knot_nsec3_iters(rd) > KR_NSEC3_MAX_ITERATIONS)
+ if (kr_nsec3_limited_rdata(rd))
goto do_downgrade;
}
return false;
do_downgrade: // we do this deep inside calls because of having signer name available
- VERBOSE_MSG(qry, "<= DNSSEC downgraded due to NSEC3 iterations %d > %d\n",
- (int)knot_nsec3_iters(rd), (int)KR_NSEC3_MAX_ITERATIONS);
+ VERBOSE_MSG(qry,
+ "<= DNSSEC downgraded due to expensive NSEC3: %d iterations, %d salt length\n",
+ (int)knot_nsec3_iters(rd), (int)knot_nsec3_salt_len(rd));
qry->flags.DNSSEC_WANT = false;
qry->flags.DNSSEC_INSECURE = true;
rank_records(qry, true, KR_RANK_INSECURE, vctx->zone_name);
projects / thirdparty / knot-resolver.git / commitdiff
