upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-26 03:12:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
bind9/lib
History
Ondřej Surý ca6ea809b0
Reject RSA DNSKEYs with oversize public exponents at parse time 
The wire-format RSA DNSKEY parser was the only key path with no upper
bound on the public exponent — opensslrsa_parse and opensslrsa_fromlabel
already cap at RSA_MAX_PUBEXP_BITS.  An attacker-controlled DNSKEY could
therefore force a validator to compute s^e mod n with e up to ~|n| bits,
amplifying every verify by ~120x for typical 2048-bit moduli (OpenSSL
itself only caps the exponent for moduli above 3072 bits).  Apply the
same bit-count cap to wire-format keys.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit ab8c1a77e0)
2026-04-30 12:20:30 +02:00
..
bind9 Remove redundant parentheses from the return statement 2024-11-19 16:06:16 +01:00
dns Reject RSA DNSKEYs with oversize public exponents at parse time 2026-04-30 12:20:30 +02:00
irs standardize CHECK and RETERR macros 2025-12-03 19:18:12 -08:00
isc Add MOVE_OWNERSHIP() macro for transferring pointer ownership 2026-03-23 12:05:18 +01:00
isccc Remove redundant parentheses from the return statement 2024-11-19 16:06:16 +01:00
isccfg standardize CHECK and RETERR macros 2025-12-03 19:18:12 -08:00
ns Fix swapped arguments in redirect2() single-label branch 2026-04-30 07:08:47 +02:00
.gitignore The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
Makefile.am move samples/resolve.c to bin/tests/system 2021-04-16 14:29:43 +02:00