upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-04-26 08:37:50 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/contrib/bind9/lib/dns/spnego.asn1
Doug Barton 37bb75f740 Upgrade to 9.6-ESV-R4-P1, which address the following issues: 
1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
2011-05-28 00:21:28 +00:00

52 lines
1.3 KiB
Groff
Raw Blame History

-- Copyright (C) The Internet Society 2005. This version of
-- this module is part of RFC 4178; see the RFC itself for
-- full legal notices.
-- (The above copyright notice is per RFC 3978 5.6 (a), q.v.)
-- $Id: spnego.asn1,v 1.2 2006-12-04 01:52:46 marka Exp $
-- This is the SPNEGO ASN.1 module from RFC 4178, tweaked
-- to get the Heimdal ASN.1 compiler to accept it.
SPNEGOASNOneSpec DEFINITIONS ::= BEGIN
MechType ::= OBJECT IDENTIFIER
MechTypeList ::= SEQUENCE OF MechType
ContextFlags ::= BIT STRING {
delegFlag (0),
mutualFlag (1),
replayFlag (2),
sequenceFlag (3),
anonFlag (4),
confFlag (5),
integFlag (6)
}
NegTokenInit ::= SEQUENCE {
mechTypes [0] MechTypeList,
reqFlags [1] ContextFlags OPTIONAL,
mechToken [2] OCTET STRING OPTIONAL,
mechListMIC [3] OCTET STRING OPTIONAL
}
NegTokenResp ::= SEQUENCE {
negState [0] ENUMERATED {
accept-completed (0),
accept-incomplete (1),
reject (2),
request-mic (3)
} OPTIONAL,
supportedMech [1] MechType OPTIONAL,
responseToken [2] OCTET STRING OPTIONAL,
mechListMIC [3] OCTET STRING OPTIONAL
}
NegotiationToken ::= CHOICE {
negTokenInit [0] NegTokenInit,
negTokenResp [1] NegTokenResp
}
END
Reference in a new issue View git blame Copy permalink