Diffstat (limited to 'debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch')
-rw-r--r-- | debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch b/debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch
new file mode 100644
index 0000000..a72b7e5
--- /dev/null
+++ b/debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch
@@ -0,0 +1,31 @@
+From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat@nic.cz>
+Date: Mon, 12 Feb 2024 11:16:37 +0100
+Subject: validator: limit the amount of work on SHA1 in NSEC3 proofs
+
+---
+ lib/dnssec/nsec3.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
+index e4d314b..4199f25 100644
+--- a/lib/dnssec/nsec3.c
++++ b/lib/dnssec/nsec3.c
+@@ -146,6 +146,18 @@ static int closest_encloser_match(int *flags, const knot_rrset_t *nsec3,
+ const knot_dname_t *encloser = knot_wire_next_label(name, NULL);
+ *skipped = 1;
+
++ /* Avoid doing too much work on SHA1, mitigating:
++ * CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
++ * We log nothing here; it wouldn't be easy from this place
++ * and huge SNAME should be suspicious on its own.
++ */
++ const int max_labels = knot_dname_labels(nsec3->owner, NULL) - 1
++ + kr_nsec3_max_depth(¶ms);
++ for (int l = knot_dname_labels(encloser, NULL); l > max_labels; --l) {
++ encloser = knot_wire_next_label(encloser, NULL);
++ ++(*skipped);
++ }
++
+ while(encloser) {
+ ret = hash_name(&name_hash, ¶ms, encloser);
+ if (ret != 0) |
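Review bot: The derivation of `max_labels` in the added block of closest_encloser_match is not explained — the comment names the CVE but not why `knot_dname_labels(nsec3->owner, NULL) - 1` plus the depth limit is the right cutoff, which is what a backporter auditing this fix needs; I would precede the `const int max_labels` line with `/* nsec3->owner is <hash>.<zone>, so labels-1 is the apex depth; an encloser deeper than apex + max depth is skipped so the hashing loop below does at most max depth + 1 SHA1 rounds */`. The skipping loop relies on `kr_nsec3_max_depth(&params)`, which is not defined in this hunk; presumably it arrives with an earlier patch in the series, so its ordering in the series file should be checked before this one is applied. The `¶ms` spelling in this rendering appears to be an `&params` entity artifact of the page, not of the patch, and needs no change. closest_encloser_match starts and continues outside the hunk, so whether `*skipped` is consumed consistently with the extra increments cannot be confirmed from here.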