bind9/tests
Ondřej Surý ab8c1a77e0 Reject RSA DNSKEYs with oversize public exponents at parse time
The wire-format RSA DNSKEY parser was the only key path with no upper
bound on the public exponent — opensslrsa_parse and opensslrsa_fromlabel
already cap at RSA_MAX_PUBEXP_BITS.  An attacker-controlled DNSKEY could
therefore force a validator to compute s^e mod n with e up to ~|n| bits,
amplifying every verify by ~120x for typical 2048-bit moduli (OpenSSL
itself only caps the exponent for moduli above 3072 bits).  Apply the
same bit-count cap to wire-format keys.

Assisted-by: Claude:claude-opus-4-7
2026-04-30 10:55:42 +02:00
bench embed default sanitizer flags in executables 2026-04-05 12:46:38 +03:00
dns Reject RSA DNSKEYs with oversize public exponents at parse time 2026-04-30 10:55:42 +02:00
include/tests ISC_RUN_TEST_IMPL should use a static declaration 2026-01-28 07:26:04 +11:00
isc Stop isc_file_safecreate from following symlinks 2026-04-29 16:56:25 +02:00
isccfg embed default sanitizer flags in executables 2026-04-05 12:46:38 +03:00
libtest Move zonemgr to own source file 2026-04-08 14:24:17 +02:00
ns embed default sanitizer flags in executables 2026-04-05 12:46:38 +03:00
.gitignore Move all the unit tests to /tests/<libname>/ 2022-05-28 14:53:02 -07:00
meson.build replace the build system with meson 2025-06-11 10:30:12 +03:00