openssl/test/certs
David Benjamin 8545051c36 Guard against DoS in name constraints handling.
This guards against the name constraints check consuming large amounts
of CPU time when certificates in the presented chain contain an
excessive number of names (specifically subject email names or subject
alternative DNS names) and/or name constraints.

Name constraints checking compares the names presented in a certificate
against the name constraints included in a certificate higher up in the
chain using two nested for loops.

Move the name constraints check so that it happens after signature
verification so peers cannot exploit this using a chain with invalid
signatures. Also impose a hard limit on the number of name constraints
check loop iterations to further mitigate the issue.

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4393)
2017-09-22 22:00:55 +02:00
alt1-cert.pem
alt1-key.pem
alt2-cert.pem
alt2-key.pem
alt3-cert.pem
alt3-key.pem
bad-pc3-cert.pem
bad-pc3-key.pem
bad-pc4-cert.pem
bad-pc4-key.pem
bad-pc6-cert.pem
bad-pc6-key.pem
bad.key
bad.pem
badalt1-cert.pem
badalt1-key.pem
badalt2-cert.pem
badalt2-key.pem
badalt3-cert.pem
badalt3-key.pem
badalt4-cert.pem
badalt4-key.pem
badalt5-cert.pem
badalt5-key.pem
badalt6-cert.pem
badalt6-key.pem
badalt7-cert.pem
badalt7-key.pem
badalt8-cert.pem
badalt8-key.pem
badalt9-cert.pem
badalt9-key.pem
badalt10-cert.pem
badalt10-key.pem
ca-anyEKU.pem
ca-cert2.pem
ca-cert-768.pem
ca-cert-768i.pem
ca-cert-md5-any.pem
ca-cert-md5.pem
ca-cert.pem
ca-clientAuth.pem
ca-expired.pem
ca-key2.pem
ca-key-768.pem
ca-key.pem
ca-name2.pem
ca-nonbc.pem
ca-nonca.pem
ca-root2.pem
ca-serverAuth.pem
ca+anyEKU.pem
ca+clientAuth.pem
ca+serverAuth.pem
cca-anyEKU.pem
cca-cert.pem
cca-clientAuth.pem
cca-serverAuth.pem
cca+anyEKU.pem
cca+clientAuth.pem
cca+serverAuth.pem
client-ed25519-cert.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
client-ed25519-key.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
croot-anyEKU.pem
croot-cert.pem
croot-clientAuth.pem
croot-serverAuth.pem
croot+anyEKU.pem
croot+clientAuth.pem
croot+serverAuth.pem
cyrillic_crl.pem
cyrillic_crl.utf8
cyrillic.msb
cyrillic.pem
cyrillic.utf8
dhp2048.pem
ee-cert2.pem
ee-cert-768.pem
ee-cert-768i.pem
ee-cert-md5.pem
ee-cert.pem
ee-client-chain.pem
ee-client.pem
ee-clientAuth.pem
ee-ecdsa-client-chain.pem
ee-ecdsa-key.pem
ee-ed25519.pem
ee-expired.pem
ee-key-768.pem
ee-key.pem
ee-name2.pem
ee-pss-sha1-cert.pem
ee-pss-sha256-cert.pem
ee-serverAuth.pem
ee+clientAuth.pem
ee+serverAuth.pem
embeddedSCTs1_issuer.pem
embeddedSCTs1-key.pem
embeddedSCTs1.pem
embeddedSCTs1.sct
embeddedSCTs3_issuer.pem
embeddedSCTs3.pem
embeddedSCTs3.sct
interCA.key
interCA.pem
leaf.key
leaf.pem
many-constraints.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names1.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names2.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names3.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
mkcert.sh Cleanup some copyright stuff 2017-06-30 21:56:44 -04:00
nca+anyEKU.pem
nca+serverAuth.pem
ncca1-cert.pem
ncca1-key.pem
ncca2-cert.pem
ncca2-key.pem
ncca3-cert.pem
ncca3-key.pem
ncca-cert.pem
ncca-key.pem
nroot+anyEKU.pem
nroot+serverAuth.pem
p256-server-cert.pem
p256-server-key.pem
p384-root-key.pem
p384-root.pem
p384-server-cert.pem
p384-server-key.pem
pathlen.pem
pc1-cert.pem
pc1-key.pem
pc2-cert.pem
pc2-key.pem
pc5-cert.pem
pc5-key.pem
root2-serverAuth.pem
root2+clientAuth.pem
root2+serverAuth.pem
root-anyEKU.pem
root-cert2.pem
root-cert-768.pem
root-cert-md5.pem
root-cert.pem
root-clientAuth.pem
root-ed25519.pem
root-key2.pem
root-key-768.pem
root-key.pem
root-name2.pem
root-nonca.pem
root-noserver.pem
root-serverAuth.pem
root+anyEKU.pem
root+clientAuth.pem
root+serverAuth.pem
rootCA.key
rootCA.pem
rootcert.pem
rootkey.pem
roots.pem
sca-anyEKU.pem
sca-cert.pem
sca-clientAuth.pem
sca-serverAuth.pem
sca+anyEKU.pem
sca+clientAuth.pem
sca+serverAuth.pem
server-cecdsa-cert.pem
server-cecdsa-key.pem
server-dsa-cert.pem
server-dsa-key.pem
server-ecdsa-cert.pem
server-ecdsa-key.pem
server-ed25519-cert.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
server-ed25519-key.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
server-pss-cert.pem Add RSA-PSS test certificates 2017-09-20 12:50:23 +01:00
server-pss-key.pem Add RSA-PSS test certificates 2017-09-20 12:50:23 +01:00
server-trusted.pem
servercert.pem
serverkey.pem
setup.sh
some-names1.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
some-names2.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
some-names3.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
sroot-anyEKU.pem
sroot-cert.pem
sroot-clientAuth.pem
sroot-serverAuth.pem
sroot+anyEKU.pem
sroot+clientAuth.pem
sroot+serverAuth.pem
subinterCA-ss.pem
subinterCA.key
subinterCA.pem
untrusted.pem
wrongcert.pem
wrongkey.pem
x509-check-key.pem
x509-check.csr