Reduce nsec3 max iterations to 150
authorMark Andrews <marka@isc.org>
Mon, 19 Apr 2021 06:32:54 +0000 (16:32 +1000)
committerMark Andrews <marka@isc.org>
Thu, 29 Apr 2021 07:44:46 +0000 (17:44 +1000)
(cherry picked from commit 29126500d2f4e5564b3ee3d2b3112fd876dbbb79)

bin/dnssec/dnssec-signzone.c
bin/named/server.c
lib/dns/include/dns/nsec3.h
lib/dns/nsec3.c
lib/dns/tests/nsec3_test.c
lib/ns/update.c

index 8b97a43ce599cf1d177ed183a8246c11ef413c1a..083f30b6a1b30312bbf2c58f463e4646668438fd 100644 (file)
@@ -3855,7 +3855,6 @@ main(int argc, char *argv[]) {
        warnifallksk(gdb);
 
        if (IS_NSEC3) {
-               unsigned int max;
                bool answer;
 
                hash_length = dns_nsec3_hashlength(dns_hash_sha1);
@@ -3874,12 +3873,10 @@ main(int argc, char *argv[]) {
                              "NSEC-only DNSKEY");
                }
 
-               result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
-               check_result(result, "dns_nsec3_maxiterations()");
-               if (nsec3iter > max) {
+               if (nsec3iter > dns_nsec3_maxiterations()) {
                        fatal("NSEC3 iterations too big for weakest DNSKEY "
                              "strength. Maximum iterations allowed %u.",
-                             max);
+                             dns_nsec3_maxiterations());
                }
        } else {
                hashlist_init(&hashlist, 0, 0); /* silence clang */
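Review bot: The fatal message in the second hunk still blames the "weakest DNSKEY strength" although the limit it reports now comes from a fixed value that does not look at the zone's keys, so an operator will look for a key problem that does not exist; the text should match the new source of the limit, e.g. `fatal("NSEC3 iterations too big. Maximum iterations allowed %u.", dns_nsec3_maxiterations());`. As a smaller point, `dns_nsec3_maxiterations()` is now evaluated twice in a row (the comparison and the message); keeping a local as the removed `max` was, assigned once from the call, would avoid that. main() continues outside both hunks.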
index e2b44c4b173ab4fb009e5fe6fa87ffb7b1ccea4b..2842d369330aa4dcdb8114d21fbb13a9d36b00e0 100644 (file)
@@ -14445,7 +14445,8 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
                                return (ISC_R_BADNUMBER);
                        }
 
-                       if (hash > 0xffU || flags > 0xffU) {
+                       if (hash > 0xffU || flags > 0xffU ||
+                           iter > dns_nsec3_maxiterations()) {
                                return (ISC_R_RANGE);
                        }
 
index 1c12a464e965610f025d8b53a5fbebf18ef9bbd1..2f178b680b25e0285d221d8a53883177b11ed506 100644 (file)
@@ -208,18 +208,10 @@ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, bool complete,
  *     'answer' to be non NULL.
  */
 
-isc_result_t
-dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version, isc_mem_t *mctx,
-                       unsigned int *iterationsp);
+unsigned int
+dns_nsec3_maxiterations(void);
 /*%<
- * Find the maximum permissible number of iterations allowed based on
- * the key strength.
- *
- * Requires:
- *     'db' to be valid.
- *     'version' to be valid or NULL.
- *     'mctx' to be valid.
- *     'iterationsp' to be non NULL.
+ * Return the maximum permissible number of NSEC3 iterations.
  */
 
 bool
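Review bot: The replacement doc comment says only "Return the maximum permissible number of NSEC3 iterations" and drops the fact that matters most to callers of the old API: the value is now a fixed constant and no longer derived from the zone's DNSKEY strength, so the `db`/`version`/`mctx` arguments are gone and the result is the same for every zone. I would extend it to something like `* Return the maximum permissible number of NSEC3 iterations. The value is a fixed limit (currently 150) independent of the zone's DNSKEY strength; it is lower than the 500/2500 the former key-size based computation allowed for stronger keys, so existing zones signed with more iterations will now be rejected.` The note about previously accepted values is inferred from the removed implementation in lib/dns/nsec3.c and is worth stating where API users will see it.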
index a6401e92f51cecfa66d47ff042e95f621fade12a..b5df23eefeab2080f53ff778846965158c28cbc9 100644 (file)
@@ -1878,78 +1878,9 @@ try_private:
        return (result);
 }
 
-isc_result_t
-dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version, isc_mem_t *mctx,
-                       unsigned int *iterationsp) {
-       dns_dbnode_t *node = NULL;
-       dns_rdataset_t rdataset;
-       dst_key_t *key = NULL;
-       isc_buffer_t buffer;
-       isc_result_t result;
-       unsigned int bits, minbits = 4096;
-
-       result = dns_db_getoriginnode(db, &node);
-       if (result != ISC_R_SUCCESS) {
-               return (result);
-       }
-
-       dns_rdataset_init(&rdataset);
-       result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
-                                    0, &rdataset, NULL);
-       dns_db_detachnode(db, &node);
-       if (result == ISC_R_NOTFOUND) {
-               *iterationsp = 0;
-               return (ISC_R_SUCCESS);
-       }
-       if (result != ISC_R_SUCCESS) {
-               goto failure;
-       }
-
-       for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
-            result = dns_rdataset_next(&rdataset))
-       {
-               dns_rdata_t rdata = DNS_RDATA_INIT;
-               dns_rdataset_current(&rdataset, &rdata);
-
-               REQUIRE(rdata.type == dns_rdatatype_key ||
-                       rdata.type == dns_rdatatype_dnskey);
-               REQUIRE(rdata.length > 3);
-
-               /* Skip unsupported algorithms when
-                * calculating the maximum iterations.
-                */
-               if (!dst_algorithm_supported(rdata.data[3])) {
-                       continue;
-               }
-
-               isc_buffer_init(&buffer, rdata.data, rdata.length);
-               isc_buffer_add(&buffer, rdata.length);
-               CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
-                                     &buffer, mctx, &key));
-               bits = dst_key_size(key);
-               dst_key_free(&key);
-               if (minbits > bits) {
-                       minbits = bits;
-               }
-       }
-       if (result != ISC_R_NOMORE) {
-               goto failure;
-       }
-
-       if (minbits <= 1024) {
-               *iterationsp = 150;
-       } else if (minbits <= 2048) {
-               *iterationsp = 500;
-       } else {
-               *iterationsp = 2500;
-       }
-       result = ISC_R_SUCCESS;
-
-failure:
-       if (dns_rdataset_isassociated(&rdataset)) {
-               dns_rdataset_disassociate(&rdataset);
-       }
-       return (result);
+unsigned int
+dns_nsec3_maxiterations(void) {
+       return (150);
 }
 
 isc_result_t
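Review bot: The new body is a bare `return (150);` with no comment, while the only rationale on the page is the commit title; the number should be a named constant with a one-line why-comment so the next person changing the policy has one place to edit and some context, e.g. `enum { DNS_NSEC3_MAX_ITERATIONS = 150 }; /* NSEC3 iteration cap; fixed rather than keyed to DNSKEY size (name is a proposal) */` and `return (DNS_NSEC3_MAX_ITERATIONS);`. If the constant lives in lib/dns/include/dns/nsec3.h it can also replace the literal `150` repeated five times in lib/dns/tests/nsec3_test.c. The removed implementation also returned 0 when the zone had no DNSKEY RRset; the new function cannot express that case, which is fine if intended but deserves a sentence in the comment.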
index a71b3c908bfc18948a5e6ad1198663ebc7043b14..a9868dd843c619c8dc202b24decee6b413c17404 100644 (file)
@@ -60,8 +60,7 @@ iteration_test(const char *file, unsigned int expected) {
        result = dns_test_loaddb(&db, dns_dbtype_zone, "test", file);
        assert_int_equal(result, ISC_R_SUCCESS);
 
-       result = dns_nsec3_maxiterations(db, NULL, dt_mctx, &iterations);
-       assert_int_equal(result, ISC_R_SUCCESS);
+       iterations = dns_nsec3_maxiterations();
 
        assert_int_equal(iterations, expected);
 
@@ -138,10 +137,10 @@ max_iterations(void **state) {
        UNUSED(state);
 
        iteration_test("testdata/nsec3/1024.db", 150);
-       iteration_test("testdata/nsec3/2048.db", 500);
-       iteration_test("testdata/nsec3/4096.db", 2500);
+       iteration_test("testdata/nsec3/2048.db", 150);
+       iteration_test("testdata/nsec3/4096.db", 150);
        iteration_test("testdata/nsec3/min-1024.db", 150);
-       iteration_test("testdata/nsec3/min-2048.db", 500);
+       iteration_test("testdata/nsec3/min-2048.db", 150);
 }
 
 /* check dns_nsec3param_salttotext() */
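Review bot: After this change every call in max_iterations() expects 150 and iteration_test() no longer passes `db` to the function under test, so the five zone files are loaded only to be ignored and the test no longer distinguishes the key sizes its fixture names advertise (1024/2048/4096/min-*). Either reduce the test to a single `assert_int_equal(dns_nsec3_maxiterations(), 150);` or, if the loads are kept to keep the fixtures compiling, say so above the first call: `/* The limit is now fixed; the zone files are loaded only to confirm the fixtures still parse. */`. The remainder of iteration_test(), including the detach of `db`, is outside the first hunk.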
index 277bc1b6ebba6e3eb04e6486d84c401402df7463..8add90ab8e806c9bc5a0852b101075a6766af227 100644 (file)
@@ -1994,7 +1994,7 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
        dns_difftuple_t *tuple;
        bool nseconly = false, nsec3 = false;
        isc_result_t result;
-       unsigned int iterations = 0, max;
+       unsigned int iterations = 0;
        dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
 
        /* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */
@@ -2049,12 +2049,9 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 
        /* Verify NSEC3 params */
        CHECK(get_iterations(db, ver, privatetype, &iterations));
-       CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
-       if (max != 0 && iterations > max) {
+       if (iterations > dns_nsec3_maxiterations()) {
                update_log(client, zone, ISC_LOG_ERROR,
-                          "too many NSEC3 iterations (%u) for "
-                          "weakest DNSKEY (%u)",
-                          iterations, max);
+                          "too many NSEC3 iterations (%u)", iterations);
                result = DNS_R_REFUSED;
                goto failure;
        }
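Review bot: The rewritten update_log() call in the second hunk drops the limit from the message, so the client's operator is told their iteration count is "too many" without being told what the cap is; since `dns_nsec3_maxiterations()` is already evaluated on the line above, it costs nothing to report it: `"too many NSEC3 iterations (%u); maximum is %u", iterations, dns_nsec3_maxiterations());`. The removed `max != 0 &&` guard previously exempted zones where the old function returned 0 (no DNSKEY RRset, per the removed code in lib/dns/nsec3.c); the new comparison applies to every zone, which looks intended but would be worth a comment above the `if` so nobody reintroduces the exemption. check_dnssec() continues outside both hunks.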