openssl

History

David Benjamin 8545051c36 Guard against DoS in name constraints handling. This guards against the name constraints check consuming large amounts of CPU time when certificates in the presented chain contain an excessive number of names (specifically subject email names or subject alternative DNS names) and/or name constraints. Name constraints checking compares the names presented in a certificate against the name constraints included in a certificate higher up in the chain using two nested for loops. Move the name constraints check so that it happens after signature verification so peers cannot exploit this using a chain with invalid signatures. Also impose a hard limit on the number of name constraints check loop iterations to further mitigate the issue. Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4393)		2017-09-22 22:00:55 +02:00
..
build.info	move x_pubkey.c to crypto/x509	2016-03-22 15:28:11 +00:00
by_dir.c	Avoid signed vs unsigned comparison error.	2017-09-15 09:05:43 +10:00
by_file.c	Avoid surpising password dialog in X509 file lookup.	2017-08-07 18:02:53 +02:00
t_crl.c	Switch command-line utils to new nameopt API.	2017-04-25 12:37:17 -04:00
t_req.c	Fix undefined behaviour when printing the X509 and CRL version	2017-01-15 22:21:08 +01:00
t_x509.c	Add missing braces.	2017-01-16 04:50:12 +01:00
x509_att.c	Add -Wundef to --strict-warnings options.	2017-02-24 09:21:59 +01:00
x509_cmp.c	This has been added to avoid the situation where some host ctype.h functions	2017-08-22 09:45:25 +10:00
x509_d2.c	Copyright consolidation 09/10	2016-05-17 14:53:16 -04:00
x509_def.c	Copyright consolidation 09/10	2016-05-17 14:53:16 -04:00
x509_err.c	make error tables const and separate header file	2017-06-07 15:12:03 -04:00
x509_ext.c	Add -Wundef to --strict-warnings options.	2017-02-24 09:21:59 +01:00
x509_lcl.h	Add support for custom signature parameters	2017-04-25 22:12:34 +01:00
x509_lu.c	Move the REF_PRINT support from e_os.h to internal/refcount.h.	2017-08-30 07:20:44 +10:00
x509_obj.c	Constify some X509_NAME, ASN1 printing code	2016-08-23 11:47:22 +02:00
x509_r2x.c	Copyright consolidation 09/10	2016-05-17 14:53:16 -04:00
x509_req.c	constify X509_REQ_get0_signature()	2016-08-19 12:47:31 +01:00
x509_set.c	Move the REF_PRINT support from e_os.h to internal/refcount.h.	2017-08-30 07:20:44 +10:00
x509_trs.c	Remove pointless free loop in X509_TRUST_cleanup()	2016-06-20 09:58:58 -04:00
x509_txt.c	OCSP Updates: error codes and multiple certificates	2017-04-12 14:41:10 -04:00
x509_v3.c	Add -Wundef to --strict-warnings options.	2017-02-24 09:21:59 +01:00
x509_vfy.c	Guard against DoS in name constraints handling.	2017-09-22 22:00:55 +02:00
x509_vpm.c	GH2176: Add X509_VERIFY_PARAM_get_time	2017-01-12 09:54:09 -05:00
x509cset.c	Move the REF_PRINT support from e_os.h to internal/refcount.h.	2017-08-30 07:20:44 +10:00
x509name.c	Add -Wundef to --strict-warnings options.	2017-02-24 09:21:59 +01:00
x509rset.c	Copyright consolidation 09/10	2016-05-17 14:53:16 -04:00
x509spki.c	Copyright consolidation 09/10	2016-05-17 14:53:16 -04:00
x509type.c	Use EVP_PKEY_X25519, EVP_PKEY_ED25519 instead of NIDs where appropriate.	2017-06-21 14:11:01 +01:00
x_all.c	Add -Wundef to --strict-warnings options.	2017-02-24 09:21:59 +01:00
x_attrib.c	Copyright consolidation 09/10	2016-05-17 14:53:16 -04:00
x_crl.c	X509_CRL_digest() - ensure precomputed sha1 hash before returning it	2017-01-28 20:07:04 +01:00
x_exten.c	Copyright consolidation 09/10	2016-05-17 14:53:16 -04:00
x_name.c	Fix error handling/cleanup	2017-09-07 16:01:07 -04:00
x_pubkey.c	Copyright consolidation 09/10	2016-05-17 14:53:16 -04:00
x_req.c	Copyright consolidation 09/10	2016-05-17 14:53:16 -04:00
x_x509.c	More updates following review feedback	2017-08-21 08:44:44 +01:00
x_x509a.c	Constify some inputs buffers	2016-08-23 11:47:22 +02:00