wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
openssl/test/certs
History
David Benjamin 8545051c36 Guard against DoS in name constraints handling. 
This guards against the name constraints check consuming large amounts
of CPU time when certificates in the presented chain contain an
excessive number of names (specifically subject email names or subject
alternative DNS names) and/or name constraints.

Name constraints checking compares the names presented in a certificate
against the name constraints included in a certificate higher up in the
chain using two nested for loops.

Move the name constraints check so that it happens after signature
verification so peers cannot exploit this using a chain with invalid
signatures. Also impose a hard limit on the number of name constraints
check loop iterations to further mitigate the issue.

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4393)
2017-09-22 22:00:55 +02:00
..
alt1-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt1-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt2-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt2-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt3-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt3-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
bad-pc3-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc3-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc4-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc4-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc6-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc6-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad.key Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
bad.pem Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
badalt1-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt1-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt2-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt2-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt3-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt3-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt4-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt4-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt5-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt5-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt6-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt6-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt7-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt7-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt8-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt8-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt9-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt9-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt10-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt10-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ca+anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
ca+clientAuth.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ca+serverAuth.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ca-anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
ca-cert-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ca-cert-768i.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ca-cert-md5-any.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ca-cert-md5.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ca-cert.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ca-cert2.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ca-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
ca-expired.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ca-key-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ca-key.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ca-key2.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ca-name2.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ca-nonbc.pem Require intermediate CAs to have basicConstraints CA:true. 2016-03-29 20:54:34 -04:00
ca-nonca.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ca-root2.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ca-serverAuth.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
cca+anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca+clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca+serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca-anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca-cert.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca-serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
client-ed25519-cert.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
client-ed25519-key.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
croot+anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot+clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot+serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot-anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot-cert.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot-serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cyrillic.msb Add test for -nameout output 2017-03-14 15:18:07 -04:00
cyrillic.pem Add test for -nameout output 2017-03-14 15:18:07 -04:00
cyrillic.utf8 Add test for -nameout output 2017-03-14 15:18:07 -04:00
cyrillic_crl.pem Switch command-line utils to new nameopt API. 2017-04-25 12:37:17 -04:00
cyrillic_crl.utf8 Switch command-line utils to new nameopt API. 2017-04-25 12:37:17 -04:00
dhp2048.pem Add DH parameters, DSA cert and key 2017-02-17 16:33:12 +00:00
ee+clientAuth.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ee+serverAuth.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ee-cert-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ee-cert-768i.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ee-cert-md5.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ee-cert.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ee-cert2.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ee-client-chain.pem Update client authentication tests 2016-06-03 11:59:46 +02:00
ee-client.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ee-clientAuth.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ee-ecdsa-client-chain.pem Add ECDSA client certificates 2017-02-16 16:43:44 +00:00
ee-ecdsa-key.pem Add ECDSA client certificates 2017-02-16 16:43:44 +00:00
ee-ed25519.pem Add Ed25519 verify test. 2017-05-30 20:38:20 +01:00
ee-expired.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ee-key-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ee-key.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ee-name2.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
ee-pss-sha1-cert.pem Add certificates with PSS signatures 2017-04-25 22:12:34 +01:00
ee-pss-sha256-cert.pem Add certificates with PSS signatures 2017-04-25 22:12:34 +01:00
ee-serverAuth.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
embeddedSCTs1-key.pem Add SSL tests for certificates with embedded SCTs 2017-04-12 19:08:57 +02:00
embeddedSCTs1.pem Tests for parsing and printing certificates containing SCTs 2016-02-25 13:59:11 -05:00
embeddedSCTs1.sct Tests for parsing and printing certificates containing SCTs 2016-02-25 13:59:11 -05:00
embeddedSCTs1_issuer.pem CT policy validation 2016-03-01 20:03:25 +00:00
embeddedSCTs3.pem Tests for parsing and printing certificates containing SCTs 2016-02-25 13:59:11 -05:00
embeddedSCTs3.sct Tests for parsing and printing certificates containing SCTs 2016-02-25 13:59:11 -05:00
embeddedSCTs3_issuer.pem CT policy validation 2016-03-01 20:03:25 +00:00
interCA.key Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
interCA.pem Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
leaf.key Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
leaf.pem Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
many-constraints.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names1.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names2.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names3.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
mkcert.sh Cleanup some copyright stuff 2017-06-30 21:56:44 -04:00
nca+anyEKU.pem Add tests for non-ca trusted roots and intermediates 2016-01-31 21:24:16 -05:00
nca+serverAuth.pem Add tests for non-ca trusted roots and intermediates 2016-01-31 21:24:16 -05:00
ncca-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca1-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca1-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca2-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca2-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca3-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca3-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
nroot+anyEKU.pem Add tests for non-ca trusted roots and intermediates 2016-01-31 21:24:16 -05:00
nroot+serverAuth.pem Add tests for non-ca trusted roots and intermediates 2016-01-31 21:24:16 -05:00
p256-server-cert.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p256-server-key.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-root-key.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-root.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-server-cert.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-server-key.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
pathlen.pem Add some accessor API's 2016-06-08 11:37:06 -04:00
pc1-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc1-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc2-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc2-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc5-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc5-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
root+anyEKU.pem Check chain extensions also for trusted certificates 2016-01-31 21:23:23 -05:00
root+clientAuth.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
root+serverAuth.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
root-anyEKU.pem Check chain extensions also for trusted certificates 2016-01-31 21:23:23 -05:00
root-cert-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
root-cert-md5.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
root-cert.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
root-cert2.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
root-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
root-ed25519.pem Add Ed25519 verify test. 2017-05-30 20:38:20 +01:00
root-key-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
root-key.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
root-key2.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
root-name2.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
root-nonca.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
root-noserver.pem More X509_verify_cert() tests via verify(1). 2016-01-20 19:04:11 -05:00
root-serverAuth.pem Commit pre-generated test_verify certs 2016-01-20 19:03:14 -05:00
root2+clientAuth.pem Check chain extensions also for trusted certificates 2016-01-31 21:23:23 -05:00
root2+serverAuth.pem Check chain extensions also for trusted certificates 2016-01-31 21:23:23 -05:00
root2-serverAuth.pem Check chain extensions also for trusted certificates 2016-01-31 21:23:23 -05:00
rootCA.key Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
rootCA.pem Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
rootcert.pem More X509_verify_cert() tests via verify(1). 2016-01-20 19:04:11 -05:00
rootkey.pem More X509_verify_cert() tests via verify(1). 2016-01-20 19:04:11 -05:00
roots.pem Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
sca+anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca+clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca+serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca-anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca-cert.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca-serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
server-cecdsa-cert.pem EC certificate with compression point 2017-02-24 23:52:22 +00:00
server-cecdsa-key.pem EC certificate with compression point 2017-02-24 23:52:22 +00:00
server-dsa-cert.pem Add DH parameters, DSA cert and key 2017-02-17 16:33:12 +00:00
server-dsa-key.pem Add DH parameters, DSA cert and key 2017-02-17 16:33:12 +00:00
server-ecdsa-cert.pem add ECDSA test server certificate 2017-01-15 00:23:33 +00:00
server-ecdsa-key.pem add ECDSA test server certificate 2017-01-15 00:23:33 +00:00
server-ed25519-cert.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
server-ed25519-key.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
server-pss-cert.pem Add RSA-PSS test certificates 2017-09-20 12:50:23 +01:00
server-pss-key.pem Add RSA-PSS test certificates 2017-09-20 12:50:23 +01:00
server-trusted.pem More X509_verify_cert() tests via verify(1). 2016-01-20 19:04:11 -05:00
servercert.pem More X509_verify_cert() tests via verify(1). 2016-01-20 19:04:11 -05:00
serverkey.pem More X509_verify_cert() tests via verify(1). 2016-01-20 19:04:11 -05:00
setup.sh Add certificates with PSS signatures 2017-04-25 22:12:34 +01:00
some-names1.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
some-names2.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
some-names3.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
sroot+anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot+clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot+serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot-anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot-cert.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot-serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
subinterCA-ss.pem Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
subinterCA.key Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
subinterCA.pem Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
untrusted.pem Add test for CVE-2015-1793 2015-07-07 21:57:11 +01:00
wrongcert.pem More X509_verify_cert() tests via verify(1). 2016-01-20 19:04:11 -05:00
wrongkey.pem More X509_verify_cert() tests via verify(1). 2016-01-20 19:04:11 -05:00
x509-check-key.pem Add test cases for X509_check_private_key 2017-06-06 17:50:06 +01:00
x509-check.csr Add test cases for X509_check_private_key 2017-06-06 17:50:06 +01:00