verify_cert: bound name constraint comparisons. #160
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Enforcing name constraints during path building is quadratic with the number of names, and the number of name constraints. To avoid the possibility of excessive CPU consumption enforcing name constraints TLS libraries typically enforce a maximum number of comparisons while evaluating a constrained certificate against subsequent certificate names. In this commit we adopt the same limit as the default limit used by Go's `x509` package[0], bounding comparisons for a single constrained certificate to 250,000 comparisons. This is done per-constrained certificate and not overall path-building operation, but the number of constrained certificates that can be included in a path is constrained elsewhere (e.g. by Rustls imposing a 64KB limit to the entire chain). Other users of this library should consider similar countermeasures. [0]: https://github.com/golang/go/blob/9aaf5234bf652fc788782fc04a06044879b5957a/src/crypto/x509/verify.go#L588-L591
Codecov Report
@@ Coverage Diff @@
## main #160 +/- ##
=======================================
Coverage 96.54% 96.55%
=======================================
Files 15 15
Lines 4376 4388 +12
=======================================
+ Hits 4225 4237 +12
Misses 151 151
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
Imposing this limit within webpki seems reasonable, but perhaps better as a follow-up separate from this item of work. |
|
Reworking this locally. Will reopen with a better implementation shortly. |
|
Reworked as #165 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Enforcing name constraints during path building is quadratic with the number of names, and the number of name constraints. To avoid the possibility of excessive CPU consumption enforcing name constraints TLS libraries typically enforce a maximum number of comparisons while evaluating a constrained certificate against subsequent certificate names. Note that unlike #152 the possible runtime of crafted certificate chains within the limits imposed by Rustls/webpki prior to this commit is O(seconds) and not O(hours+), making this a less grave concern generally.
In this commit we adopt the same limit as the default limit used by Go's
x509package, bounding comparisons for a single constrained certificate to 250,000 comparisons.This is done per-constrained certificate and not for the overall path-building operation, but the number of constrained certificates that can be included in a path is constrained elsewhere (e.g. by Rustls imposing a 64KB limit to the entire chain). Other users of this library should consider similar countermeasures.