bind9/tests
Ondřej Surý ca6ea809b0
Reject RSA DNSKEYs with oversize public exponents at parse time
The wire-format RSA DNSKEY parser was the only key path with no upper
bound on the public exponent — opensslrsa_parse and opensslrsa_fromlabel
already cap at RSA_MAX_PUBEXP_BITS.  An attacker-controlled DNSKEY could
therefore force a validator to compute s^e mod n with e up to ~|n| bits,
amplifying every verify by ~120x for typical 2048-bit moduli (OpenSSL
itself only caps the exponent for moduli above 3072 bits).  Apply the
same bit-count cap to wire-format keys.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit ab8c1a77e0)
2026-04-30 12:20:30 +02:00
dns Reject RSA DNSKEYs with oversize public exponents at parse time 2026-04-30 12:20:30 +02:00
include/tests ISC_RUN_TEST_IMPL should use a static declaration 2026-01-29 00:43:25 +11:00
irs Check that nameservers are parsed correctly 2024-12-13 10:27:22 +11:00
isc Use clang-format-22 to update formatting 2026-03-04 12:24:53 +01:00
isccfg Remove redundant parentheses from the return statement 2024-11-19 16:06:16 +01:00
libtest Drop superfluous isc_mem_get() NULL check 2024-12-13 14:54:48 +01:00
ns wrap ns_client_error() for unit testing 2025-02-25 16:23:14 -08:00
.gitignore Move all the unit tests to /tests/<libname>/ 2022-05-31 12:06:00 +02:00
Makefile.am Stop the unit tests from running twice 2022-05-31 12:06:00 +02:00
unit-test-driver.sh.in Reformat shell scripts with shfmt 2023-10-26 13:05:00 +02:00