openssl/test/certs
David Benjamin 8545051c36 Guard against DoS in name constraints handling.
This guards against the name constraints check consuming large amounts
of CPU time when certificates in the presented chain contain an
excessive number of names (specifically subject email names or subject
alternative DNS names) and/or name constraints.

Name constraints checking compares the names presented in a certificate
against the name constraints included in a certificate higher up in the
chain using two nested for loops.

Move the name constraints check so that it happens after signature
verification so peers cannot exploit this using a chain with invalid
signatures. Also impose a hard limit on the number of name constraints
check loop iterations to further mitigate the issue.

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4393)
2017-09-22 22:00:55 +02:00
..
alt1-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt1-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt2-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt2-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt3-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt3-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
bad-pc3-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc3-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc4-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc4-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc6-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc6-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad.key
bad.pem
badalt1-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt1-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt2-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt2-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt3-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt3-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt4-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt4-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt5-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt5-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt6-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt6-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt7-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt7-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt8-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt8-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt9-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt9-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt10-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt10-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ca-anyEKU.pem
ca-cert2.pem
ca-cert-768.pem
ca-cert-768i.pem
ca-cert-md5-any.pem
ca-cert-md5.pem
ca-cert.pem
ca-clientAuth.pem
ca-expired.pem
ca-key2.pem
ca-key-768.pem
ca-key.pem
ca-name2.pem
ca-nonbc.pem
ca-nonca.pem
ca-root2.pem
ca-serverAuth.pem
ca+anyEKU.pem
ca+clientAuth.pem
ca+serverAuth.pem
cca-anyEKU.pem
cca-cert.pem
cca-clientAuth.pem
cca-serverAuth.pem
cca+anyEKU.pem
cca+clientAuth.pem
cca+serverAuth.pem
client-ed25519-cert.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
client-ed25519-key.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
croot-anyEKU.pem
croot-cert.pem
croot-clientAuth.pem
croot-serverAuth.pem
croot+anyEKU.pem
croot+clientAuth.pem
croot+serverAuth.pem
cyrillic_crl.pem Switch command-line utils to new nameopt API. 2017-04-25 12:37:17 -04:00
cyrillic_crl.utf8 Switch command-line utils to new nameopt API. 2017-04-25 12:37:17 -04:00
cyrillic.msb Add test for -nameout output 2017-03-14 15:18:07 -04:00
cyrillic.pem Add test for -nameout output 2017-03-14 15:18:07 -04:00
cyrillic.utf8 Add test for -nameout output 2017-03-14 15:18:07 -04:00
dhp2048.pem Add DH parameters, DSA cert and key 2017-02-17 16:33:12 +00:00
ee-cert2.pem
ee-cert-768.pem
ee-cert-768i.pem
ee-cert-md5.pem
ee-cert.pem
ee-client-chain.pem Update client authentication tests 2016-06-03 11:59:46 +02:00
ee-client.pem
ee-clientAuth.pem
ee-ecdsa-client-chain.pem Add ECDSA client certificates 2017-02-16 16:43:44 +00:00
ee-ecdsa-key.pem Add ECDSA client certificates 2017-02-16 16:43:44 +00:00
ee-ed25519.pem Add Ed25519 verify test. 2017-05-30 20:38:20 +01:00
ee-expired.pem
ee-key-768.pem
ee-key.pem
ee-name2.pem
ee-pss-sha1-cert.pem Add certificates with PSS signatures 2017-04-25 22:12:34 +01:00
ee-pss-sha256-cert.pem Add certificates with PSS signatures 2017-04-25 22:12:34 +01:00
ee-serverAuth.pem
ee+clientAuth.pem
ee+serverAuth.pem
embeddedSCTs1_issuer.pem
embeddedSCTs1-key.pem Add SSL tests for certificates with embedded SCTs 2017-04-12 19:08:57 +02:00
embeddedSCTs1.pem
embeddedSCTs1.sct
embeddedSCTs3_issuer.pem
embeddedSCTs3.pem
embeddedSCTs3.sct
interCA.key
interCA.pem
leaf.key
leaf.pem
many-constraints.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names1.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names2.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names3.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
mkcert.sh Cleanup some copyright stuff 2017-06-30 21:56:44 -04:00
nca+anyEKU.pem
nca+serverAuth.pem
ncca1-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca1-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca2-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca2-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca3-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca3-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
nroot+anyEKU.pem
nroot+serverAuth.pem
p256-server-cert.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p256-server-key.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-root-key.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-root.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-server-cert.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-server-key.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
pathlen.pem Add some accessor API's 2016-06-08 11:37:06 -04:00
pc1-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc1-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc2-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc2-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc5-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc5-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
root2-serverAuth.pem
root2+clientAuth.pem
root2+serverAuth.pem
root-anyEKU.pem
root-cert2.pem
root-cert-768.pem
root-cert-md5.pem
root-cert.pem
root-clientAuth.pem
root-ed25519.pem Add Ed25519 verify test. 2017-05-30 20:38:20 +01:00
root-key2.pem
root-key-768.pem
root-key.pem
root-name2.pem
root-nonca.pem
root-noserver.pem
root-serverAuth.pem
root+anyEKU.pem
root+clientAuth.pem
root+serverAuth.pem
rootCA.key
rootCA.pem
rootcert.pem
rootkey.pem
roots.pem
sca-anyEKU.pem
sca-cert.pem
sca-clientAuth.pem
sca-serverAuth.pem
sca+anyEKU.pem
sca+clientAuth.pem
sca+serverAuth.pem
server-cecdsa-cert.pem EC certificate with compression point 2017-02-24 23:52:22 +00:00
server-cecdsa-key.pem EC certificate with compression point 2017-02-24 23:52:22 +00:00
server-dsa-cert.pem Add DH parameters, DSA cert and key 2017-02-17 16:33:12 +00:00
server-dsa-key.pem Add DH parameters, DSA cert and key 2017-02-17 16:33:12 +00:00
server-ecdsa-cert.pem add ECDSA test server certificate 2017-01-15 00:23:33 +00:00
server-ecdsa-key.pem add ECDSA test server certificate 2017-01-15 00:23:33 +00:00
server-ed25519-cert.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
server-ed25519-key.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
server-pss-cert.pem Add RSA-PSS test certificates 2017-09-20 12:50:23 +01:00
server-pss-key.pem Add RSA-PSS test certificates 2017-09-20 12:50:23 +01:00
server-trusted.pem
servercert.pem
serverkey.pem
setup.sh Add certificates with PSS signatures 2017-04-25 22:12:34 +01:00
some-names1.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
some-names2.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
some-names3.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
sroot-anyEKU.pem
sroot-cert.pem
sroot-clientAuth.pem
sroot-serverAuth.pem
sroot+anyEKU.pem
sroot+clientAuth.pem
sroot+serverAuth.pem
subinterCA-ss.pem
subinterCA.key
subinterCA.pem
untrusted.pem
wrongcert.pem
wrongkey.pem
x509-check-key.pem Add test cases for X509_check_private_key 2017-06-06 17:50:06 +01:00
x509-check.csr Add test cases for X509_check_private_key 2017-06-06 17:50:06 +01:00