openssl/test/recipes
David Benjamin 8545051c36 Guard against DoS in name constraints handling.
This guards against the name constraints check consuming large amounts
of CPU time when certificates in the presented chain contain an
excessive number of names (specifically subject email names or subject
alternative DNS names) and/or name constraints.

Name constraints checking compares the names presented in a certificate
against the name constraints included in a certificate higher up in the
chain using two nested for loops.

Move the name constraints check so that it happens after signature
verification so peers cannot exploit this using a chain with invalid
signatures. Also impose a hard limit on the number of name constraints
check loop iterations to further mitigate the issue.

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4393)
2017-09-22 22:00:55 +02:00
..
04-test_pem_data Add AGL's "beer mug" PEM file as another test input 2017-02-28 21:23:26 +01:00
10-test_bn_data Move bn and evp test programs input data to their respective data dir 2017-06-15 19:46:24 +02:00
15-test_ecparam_data Improve testing of elliptic curve validation 2017-03-20 06:40:16 +01:00
30-test_evp_data Implement Aria GCM/CCM Modes and TLS cipher suites 2017-08-30 12:33:53 +02:00
90-test_store_data STORE tests: add PKCS#12 tests 2017-06-29 11:55:31 +02:00
95-test_external_krb5_data Add external krb5 test support 2017-04-18 19:10:25 +02:00
95-test_external_pyca_data Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
01-test_abort.t
01-test_sanity.t
01-test_symbol_presence.t
01-test_test.t Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
02-test_internal_ctype.t This has been added to avoid the situation where some host ctype.h functions 2017-08-22 09:45:25 +10:00
02-test_lhash.t Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
02-test_ordinals.t Reset executable bits on files where not needed. 2017-03-03 09:13:40 +01:00
02-test_stack.t Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
03-test_exdata.t Exdata test was never enabled. 2017-02-28 13:50:40 -05:00
03-test_internal_asn1.t test/recipes/03-test_internal_*: call setup() first. 2017-03-15 12:16:48 +01:00
03-test_internal_chacha.t Fix a few internals tests 2017-03-20 11:24:33 +01:00
03-test_internal_mdc2.t Split test/recipes/03_test_internal.t into individual tests 2017-03-10 20:18:56 +01:00
03-test_internal_modes.t test/recipes/03-test_internal_*: call setup() first. 2017-03-15 12:16:48 +01:00
03-test_internal_poly1305.t Fix a few internals tests 2017-03-20 11:24:33 +01:00
03-test_internal_siphash.t Fix a few internals tests 2017-03-20 11:24:33 +01:00
03-test_internal_ssl_cert_table.t Add sanity test for certificate table 2017-07-13 12:38:42 +01:00
03-test_internal_x509.t test/recipes/03-test_internal_*: call setup() first. 2017-03-15 12:16:48 +01:00
03-test_ui.t
04-test_asn1_encode.t Add a test of encoding and decoding LONG, INT32, UINT32, INT64 and UINT64 2017-04-04 11:29:23 +02:00
04-test_asn1_string_table.t Add test cases and docs for ASN1_STRING_TABLE_* functions 2017-07-26 20:06:51 +02:00
04-test_bioprint.t Convert more tests to framework 2017-04-18 14:50:00 -04:00
04-test_pem.t Add unit test for PEM_FLAG_ONLY_B64 2017-05-08 21:20:32 +02:00
05-test_bf.t
05-test_cast.t
05-test_des.t
05-test_hmac.t
05-test_idea.t
05-test_md2.t
05-test_mdc2.t
05-test_rand.t Switch from ossl_rand to DRBG rand 2017-08-03 09:23:28 -04:00
05-test_rc2.t
05-test_rc4.t Revert rc4test removal, it performs additional tests not in evptests.txt 2017-02-28 16:08:42 +00:00
05-test_rc5.t
10-test_bn.t Move bn and evp test programs input data to their respective data dir 2017-06-15 19:46:24 +02:00
10-test_exp.t
15-test_dh.t
15-test_dsa.t Fix tests of TEST tests, as it were 2017-05-04 12:08:48 -04:00
15-test_ec.t
15-test_ecdsa.t
15-test_ecparam.t File::Glob option ':bsd_glob' doesn't work everywhere, replace w/ a wrapper 2017-08-15 11:31:18 +02:00
15-test_genrsa.t Fix an endless loop in rsa_builtin_keygen. 2017-03-06 09:54:17 -05:00
15-test_rsa.t
15-test_rsapss.t Rather use -out parameter than redirect stdout 2017-03-14 17:21:24 +01:00
20-test_enc_more.t Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
20-test_enc.t Adapt 20-test_enc.t and 20-test_enc_more.t to use statusvar 2017-03-21 16:12:29 +01:00
20-test_passwd.t
25-test_crl.t Switch command-line utils to new nameopt API. 2017-04-25 12:37:17 -04:00
25-test_d2i.t
25-test_pkcs7.t
25-test_req.t Use randomness not entropy 2017-06-27 12:14:49 -04:00
25-test_sid.t
25-test_verify.t Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
25-test_x509.t Add test for -nameout output 2017-03-14 15:18:07 -04:00
30-test_afalg.t
30-test_engine.t
30-test_evp_extra.t
30-test_evp.t Move bn and evp test programs input data to their respective data dir 2017-06-15 19:46:24 +02:00
30-test_pbelu.t
30-test_pkey_meth_kdf.t Add PKEY_METHOD macro tests 2017-08-08 15:44:49 +01:00
30-test_pkey_meth.t
40-test_rehash.t File::Glob option ':bsd_glob' doesn't work everywhere, replace w/ a wrapper 2017-08-15 11:31:18 +02:00
60-test_x509_check_cert_pkey.t Fix no-dsa build again 2017-06-24 21:46:36 -05:00
60-test_x509_dup_cert.t Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
60-test_x509_store.t
60-test_x509_time.t
70-test_asyncio.t
70-test_bad_dtls.t
70-test_clienthello.t Add tests for the padding extension 2017-03-16 15:37:41 +00:00
70-test_comp.t Fix some copy&paste errors and update following review feedback 2017-05-09 17:02:48 +01:00
70-test_key_share.t Add test for no change following an HRR 2017-05-09 17:23:58 +01:00
70-test_packet.t
70-test_recordlen.t Add a test to check that we correctly handle record overflows 2017-03-06 20:07:40 +00:00
70-test_renegotiation.t Reset executable bits on files where not needed. 2017-03-03 09:13:40 +01:00
70-test_servername.t Make SSL_set_tlsext_host_name no effect from server side 2017-07-28 11:51:59 -04:00
70-test_sslcbcpadding.t
70-test_sslcertstatus.t Reset executable bits on files where not needed. 2017-03-03 09:13:40 +01:00
70-test_sslextension.t Don't run a CT specifc test if CT is disabled 2017-08-25 10:37:22 +01:00
70-test_sslmessages.t Update the tests for SNI changes 2017-08-31 15:02:58 +01:00
70-test_sslrecords.t Don't allow fragmented alerts 2017-05-17 10:40:04 +01:00
70-test_sslsessiontick.t Reset executable bits on files where not needed. 2017-03-03 09:13:40 +01:00
70-test_sslsigalgs.t Add tests for deprecated sigalgs with TLS 1.3 ClientHellos 2017-06-24 19:25:43 -05:00
70-test_sslsignature.t Reset executable bits on files where not needed. 2017-03-03 09:13:40 +01:00
70-test_sslskewith0p.t Reset executable bits on files where not needed. 2017-03-03 09:13:40 +01:00
70-test_sslversions.t Add a test for the TLSv1.3 downgrade mechanism 2017-03-24 14:07:11 +00:00
70-test_sslvertol.t Reset executable bits on files where not needed. 2017-03-03 09:13:40 +01:00
70-test_tls13cookie.t More TLSv1.3 cookie tests 2017-05-09 17:23:58 +01:00
70-test_tls13downgrade.t Add a test for the TLSv1.3 downgrade mechanism 2017-03-24 14:07:11 +00:00
70-test_tls13hrr.t Add some HRR tests 2017-03-16 14:20:38 +00:00
70-test_tls13kexmodes.t Update the tests for SNI changes 2017-08-31 15:02:58 +01:00
70-test_tls13messages.t Update the tests for SNI changes 2017-08-31 15:02:58 +01:00
70-test_tls13psk.t Update the tests for SNI changes 2017-08-31 15:02:58 +01:00
70-test_tlsextms.t
70-test_verify_extra.t
70-test_wpacket.t
80-test_ca.t Add random serial# support. 2017-08-22 09:00:04 -04:00
80-test_cipherbytes.t
80-test_cipherlist.t
80-test_ciphername.t Support converting cipher name to RFC name and vice versa 2017-07-21 07:20:14 +10:00
80-test_cms.t no-ec2m fixes 2017-08-10 16:48:47 +01:00
80-test_ct.t
80-test_dane.t
80-test_dtls_mtu.t
80-test_dtls.t
80-test_dtlsv1listen.t
80-test_ocsp.t Fix OCSP_basic_verify() cert chain construction in case bs->certs is NULL 2017-08-16 14:32:38 -04:00
80-test_pkcs12.t
80-test_ssl_new.t File::Glob option ':bsd_glob' doesn't work everywhere, replace w/ a wrapper 2017-08-15 11:31:18 +02:00
80-test_ssl_old.t Use randomness not entropy 2017-06-27 12:14:49 -04:00
80-test_ssl_test_ctx.t
80-test_sslcorrupt.t
80-test_tsa.t test/recipes/80-test_tsa.t: Don't trust 'OPENSSL_CONF' 2017-07-24 11:50:46 +02:00
80-test_x509aux.t
90-test_asn1_time.t Consolidate to a single asn1_time_from_tm() function 2017-08-04 11:24:03 +10:00
90-test_async.t
90-test_bio_enc.t
90-test_constant_time.t
90-test_gmdiff.t
90-test_ige.t
90-test_memleak.t
90-test_overhead.t
90-test_secmem.t
90-test_shlibload.t test/recipes/90-test_shlibload.t: Make sure to handle library renames 2017-07-07 11:31:03 +02:00
90-test_srp.t
90-test_sslapi.t
90-test_sslbuffers.t Add support to free/allocate SSL buffers 2017-07-26 11:42:17 -04:00
90-test_store.t Fix 90-test_store.t: using config() requires OpenSSL::Test::Utils 2017-09-04 12:52:32 +02:00
90-test_threads.t Reset executable bits on files where not needed. 2017-03-03 09:13:40 +01:00
90-test_time_offset.t Fix time offset calculation. 2017-05-02 10:38:54 +02:00
90-test_tls13encryption.t
90-test_tls13secrets.t
90-test_v3name.t
95-test_external_boringssl.t Rearrange test/recipes/95-test_*.t to use skip_all 2017-05-05 23:10:41 +02:00
95-test_external_krb5.t test/recipes/95-test_*.t : correct skip_all syntax 2017-05-06 10:29:16 +02:00
95-test_external_pyca.t test/recipes/95-test_*.t : correct skip_all syntax 2017-05-06 10:29:16 +02:00
99-test_ecstress.t Add ecstress test 2017-06-21 09:24:01 -04:00
99-test_fuzz.t File::Glob option ':bsd_glob' doesn't work everywhere, replace w/ a wrapper 2017-08-15 11:31:18 +02:00
ocsp-response.der
tconversion.pl Consolidate the locations where we have our internal perl modules 2017-08-15 11:30:47 +02:00