wildcard dnssec test fails
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Tue Jan 2 10:49:26 UTC 2018
Hi Viktor,
On 20/12/17 09:15, Viktor Dukhovni via Unbound-users wrote:
> On Tue, Dec 19, 2017 at 06:08:50AM +0000, Viktor Dukhovni wrote:
>
>> The original coded uses non-portable undefined overflow behaviour
>> for signed integer arithmetic. The compiler is free to replace
>> "incep - expi > 0" with "incep > expi". The intermediate "var"
>> may in some cases avoid the problem, but this is still brittle
>> under optimization. To avoid non-deterministic behaviour unsigned
>> arithmetic must be used:
>>
>> uint32_t incep;
>> uint32_t expi;
>>
>> /*
>> * In serial number arithmetic a > b iff as unsigned integers mod 2^32
>> * we have (a - b) < (b - a)
>> */
>> if ((incep - expi) < (expi - incep)) {
>> ... fail ...
>> }
>>
>> The same code should be used for SOA comparisons.
>
> I should perhaps note that in the RFC1982 definition of sequence
> space arithmetic, two points that are diametrically opposite on
> the circle are not comparable.
>
> Since such ambiguity should be a failure case, a more precisely
> correct condition is
>
> if ((incep - expi) <= (expi - incep)) {
> ... fail ...
> }
>
> Note that this now also includes incep == expi, which should never
> be the case for RRSIGs, and so for RRSIG failure makes sense for
> both equal and diametrically opposite values. When comparing SOA
> serials for AXFR (perhaps not something unbound ever needs to do),
> a pair of equal values would of course be treated differently than
> a pair or diametrically opposite values.
>
Yes you are correct, I have put in a fix in the code. The fix is based
on code that is present in NSD (that uses unsigned numbers as you suggest).
Thank you for pointing this out, it is much better to use -O2 with clang.
Best regards, Wouter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20180102/b948a7cc/attachment.bin>
More information about the Unbound-users
mailing list