authorTom Gundersen <teg@jklm.no>2016-01-03 14:02:10 +0100
committerTom Gundersen <teg@jklm.no>2016-01-03 14:02:10 +0100
commit113325b8641207a99447d8a439e7ffac1e69f196 (patch)
tree169dab1461ecff7e55fc54c7702d80511c2bd5ae /src/resolve/resolved-dns-dnssec.c
parent5809f340fd7e5e6c76e229059c50d92e1f57e8d8 (diff)
parentc1dafe4f310aeb80d513c00a388d8cbb5a397838 (diff)
Merge pull request #2256 from poettering/dnssec10
Tenth DNSSEC patch set
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
-rw-r--r--src/resolve/resolved-dns-dnssec.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index e4b32c7e4b..b7c0b5b824 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -35,7 +35,6 @@
*
* TODO:
*
- * - Make trust anchor store read additional DS+DNSKEY data from disk
* - wildcard zones compatibility (NSEC/NSEC3 wildcard check is missing)
* - multi-label zone compatibility
* - cname/dname compatibility
@@ -53,6 +52,9 @@
/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
+/* Maximum number of NSEC3 iterations we'll do. */
+#define NSEC3_ITERATIONS_MAX 2048
+
/*
* The DNSSEC Chain of trust:
*
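Review bot: The new `NSEC3_ITERATIONS_MAX` comment says what the bound is but not why 2048 and not how it relates to the limits the protocol itself defines, so the next maintainer has no basis to keep or tune it. RFC 5155 §10.3 ties the iteration count a validator must honour to the zone key size (150 for 1024-bit keys, 500 for 2048-bit, 2500 for 4096-bit), and the relevant threat here is that the iteration count is zone-supplied and each iteration is a full hash pass per name, so an unbounded value lets a zone make validation arbitrarily expensive. I would expand the comment to something like `/* Maximum number of NSEC3 iterations we'll do. The count is supplied by the zone and each iteration is a full hash pass per name, so this bounds the CPU a single NSEC3 RR can cost us; 2048 sits between the RFC 5155 §10.3 ceilings for 2048-bit and 4096-bit keys. */`. Whether 2048 was chosen with those ceilings in mind is not visible in the hunk; adjust the wording if the reason was different.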
@@ -1087,6 +1089,9 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
if (nsec3->key->type != DNS_TYPE_NSEC3)
return -EINVAL;
+ if (nsec3->nsec3.iterations > NSEC3_ITERATIONS_MAX)
+ return -EOPNOTSUPP;
+
algorithm = nsec3_hash_to_gcrypt_md(nsec3->nsec3.algorithm);
if (algorithm < 0)
return algorithm;
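Review bot: The new guard in dnssec_nsec3_hash has no comment, unlike its sibling in nsec3_is_good further down, which explains that excessive iteration counts are ignored; a reader of this function alone sees a bare limit and `-EOPNOTSUPP` without knowing it is a cost bound rather than a protocol-conformance check. I would add `/* Refuse to hash with an excessive iteration count: each iteration is a full hash pass, so this caps the work a zone-supplied parameter can demand of us. */` above the `if`. It is also worth noting in that comment that `-EOPNOTSUPP` means the caller should treat the RR as unusable rather than as bogus, since the NSEC3 RR itself may be perfectly valid; the enclosing function's body continues outside the hunk.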
@@ -1155,6 +1160,9 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsAnswerFlags flags, DnsResourc
/* Ignore NSEC3 RRs whose algorithm we don't know */
if (nsec3_hash_to_gcrypt_md(rr->nsec3.algorithm) < 0)
return 0;
+ /* Ignore NSEC3 RRs with an excessive number of required iterations */
+ if (rr->nsec3.iterations > NSEC3_ITERATIONS_MAX)
+ return 0;
if (!nsec3)
return 1;