Guard against DoS in name constraints handling.
This guards against the name constraints check consuming large amounts of CPU time when certificates in the presented chain contain an excessive number of names (specifically subject email names or subject alternative DNS names) and/or name constraints. Name constraints checking compares the names presented in a certificate against the name constraints included in a certificate higher up in the chain using two nested for loops. Move the name constraints check so that it happens after signature verification so peers cannot exploit this using a chain with invalid signatures. Also impose a hard limit on the number of name constraints check loop iterations to further mitigate the issue. Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NAndy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4393)
Showing
test/certs/many-constraints.pem
0 → 100644
test/certs/many-names1.pem
0 → 100644
此差异已折叠。
test/certs/many-names2.pem
0 → 100644
test/certs/many-names3.pem
0 → 100644
此差异已折叠。
test/certs/some-names1.pem
0 → 100644
test/certs/some-names2.pem
0 → 100644
test/certs/some-names3.pem
0 → 100644
想要评论请 注册 或 登录