bind9/tests
Ondřej Surý 2b18aa9d59 Reject RSA DNSKEYs with oversize public exponents at parse time
The wire-format RSA DNSKEY parser was the only key path with no upper
bound on the public exponent — opensslrsa_parse and opensslrsa_fromlabel
already cap at RSA_MAX_PUBEXP_BITS.  An attacker-controlled DNSKEY could
therefore force a validator to compute s^e mod n with e up to ~|n| bits,
amplifying every verify by ~120x for typical 2048-bit moduli (OpenSSL
itself only caps the exponent for moduli above 3072 bits).  Apply the
same bit-count cap to wire-format keys.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit ab8c1a77e0)
2026-04-30 13:16:30 +02:00
bench Enforce NSEC3 record consistency 2026-02-24 17:10:52 +01:00
dns Reject RSA DNSKEYs with oversize public exponents at parse time 2026-04-30 13:16:30 +02:00
include/tests ISC_RUN_TEST_IMPL should use a static declaration 2026-01-29 00:26:35 +11:00
isc Enforce isc_work enqueue loop affinity 2026-03-14 07:52:56 +01:00
isccfg Add none parameter to query-source and query-source-v6 to disable IPv4 or IPv6 upstream queries 2024-12-10 11:58:20 +01:00
libtest Rename 'free' variable to 'nfree' to not clash with free() 2025-07-22 14:28:15 +02:00
ns wrap ns_client_error() for unit testing 2025-02-26 00:55:51 +00:00
.gitignore Move all the unit tests to /tests/<libname>/ 2022-05-28 14:53:02 -07:00
Makefile.am Move resconf_test.c to tests/dns and cleanup 2024-12-12 22:50:22 +00:00
unit-test-driver.sh.in Reformat shell scripts with shfmt 2023-10-26 10:23:50 +02:00