Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verify_cert: enforce maximum number of signatures. #152

Merged
merged 1 commit into from
Aug 21, 2023
Merged

verify_cert: enforce maximum number of signatures. #152

merged 1 commit into from
Aug 21, 2023

Conversation

cpu
Copy link
Member

@cpu cpu commented Aug 21, 2023

Pathbuilding complexity can be quadratic, particularly when the set of intermediates all have subjects matching a trust anchor. In these cases we need to bound the number of expensive signature validation operations that are performed to avoid a DoS on CPU usage.

This commit implements a simple maximum signature check limit inspired by the approach taken in the Golang x509 package. No more than 100 signatures will be evaluated while pathbuilding. This limit works in practice for Go when processing real world certificate chains and so should be appropriate for our use case as well.

Without the limit in place, the test_too_many_signatures unit test has very long runtime and quickly pegs my local CPU. With the limit in place the test returns the expected error quickly.

@cpu cpu self-assigned this Aug 21, 2023
@codecov
Copy link

codecov bot commented Aug 21, 2023
edited
Loading

Codecov Report

Merging #152 (abbb05f) into main (eb1a4dd) will increase coverage by 0.08%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #152      +/-   ##
==========================================
+ Coverage   96.46%   96.54%   +0.08%     
==========================================
  Files          15       15              
  Lines        4304     4376      +72     
==========================================
+ Hits         4152     4225      +73     
+ Misses        152      151       -1
Files Changed Coverage Δ
src/error.rs 55.10% <100.00%> (+0.93%) ⬆️
src/verify_cert.rs 97.31% <100.00%> (+0.70%) ⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

ctz
ctz approved these changes Aug 21, 2023
View reviewed changes
Copy link
Member

@ctz ctz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

src/error.rs Outdated Show resolved Hide resolved
src/verify_cert.rs Outdated Show resolved Hide resolved
@cpu
verify_cert: enforce maximum number of signatures.
abbb05f 
Pathbuilding complexity can be quadratic, particularly when the set of
intermediates all have subjects matching a trust anchor. In these cases
we need to bound the number of expensive signature validation operations
that are performed to avoid a DoS on CPU usage.

This commit implements a simple maximum signature check limit inspired
by the approach taken in the Golang x509 package. No more than 100
signatures will be evaluated while pathbuilding. This limit works in
practice for Go when processing real world certificate chains and so
should be appropriate for our use case as well.
@cpu cpu added this pull request to the merge queue Aug 21, 2023
Merged via the queue into rustls:main with commit e473ee1 Aug 21, 2023
24 checks passed
@cpu cpu deleted the cpu-path-build-sig-limit branch August 21, 2023 20:31
This was referenced Aug 31, 2023
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djc djc djc approved these changes

@ctz ctz ctz approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cpu @djc @ctz