
verify_cert: enforce maximum number of signatures.#152

Merged
cpu merged 1 commit into rustls:main from cpu:cpu-path-build-sig-limit
Aug 21, 2023

Conversation

@cpu cpu (Member) commented Aug 21, 2023

Pathbuilding complexity can be quadratic, particularly when the set of intermediates all have subjects matching a trust anchor. In these cases we need to bound the number of expensive signature validation operations that are performed to avoid a DoS on CPU usage.

This commit implements a simple maximum signature check limit inspired by the approach taken in the Golang x509 package. No more than 100 signatures will be evaluated while pathbuilding. This limit works in practice for Go when processing real world certificate chains and so should be appropriate for our use case as well.

Without the limit in place, the test_too_many_signatures unit test has very long runtime and quickly pegs my local CPU. With the limit in place the test returns the expected error quickly.
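The bounded search the description above outlines, as an added example that is not webpki's code: a toy path builder charges every signature verification to a budget of 100 and aborts with an error once it is spent. Signature verification is a stand-in (a key-id match, no real crypto), the depth bound is assumed, and all names (`Budget`, `Cert`, the `Error` variants) are hypothetical.

```rust
// Added example, not webpki's code: every signature check costs one unit
// of a fixed budget, so a pathological set of intermediates cannot burn CPU.
const MAX_SIGNATURE_CHECKS: usize = 100;
const MAX_SUB_CAS: usize = 6; // assumed depth bound so the search is finite

#[derive(Debug, PartialEq)]
pub enum Error { MaximumSignatureChecksExceeded, UnknownIssuer }

/// Toy certificate (constructed, no real crypto): a signature "verifies"
/// when the issuer's key id equals the key id the cert claims signed it.
pub struct Cert { pub subject: &'static str, pub issuer: &'static str, pub key: u32, pub signed_by: u32 }

/// Remaining number of expensive signature checks for one verification.
pub struct Budget { pub remaining: usize }

impl Budget {
    pub fn new() -> Self { Budget { remaining: MAX_SIGNATURE_CHECKS } }
    /// Charge one check; fail once the budget is spent.
    fn charge(&mut self) -> Result<(), Error> {
        if self.remaining == 0 { return Err(Error::MaximumSignatureChecksExceeded); }
        self.remaining -= 1;
        Ok(())
    }
}

/// Stand-in for signature verification: every call costs one unit of budget.
fn signature_ok(budget: &mut Budget, cert: &Cert, issuer: &Cert) -> Result<bool, Error> {
    budget.charge()?;
    Ok(cert.signed_by == issuer.key)
}

/// Depth-first search from `cert` to a trust anchor. Each candidate issuer whose
/// subject matches `cert.issuer` costs a signature check before it is followed.
pub fn build_path(cert: &Cert, anchors: &[Cert], intermediates: &[Cert], depth: usize, budget: &mut Budget) -> Result<usize, Error> {
    if depth > MAX_SUB_CAS { return Err(Error::UnknownIssuer); }
    // Trust anchors are tried first; a verifying anchor completes the path.
    for anchor in anchors.iter().filter(|a| a.subject == cert.issuer) {
        if signature_ok(budget, cert, anchor)? { return Ok(depth); }
    }
    for inter in intermediates.iter().filter(|i| i.subject == cert.issuer) {
        if signature_ok(budget, cert, inter)? {
            match build_path(inter, anchors, intermediates, depth + 1, budget) {
                Ok(d) => return Ok(d),
                // The budget error must abort the whole search, not just this branch.
                Err(Error::MaximumSignatureChecksExceeded) => return Err(Error::MaximumSignatureChecksExceeded),
                Err(Error::UnknownIssuer) => {} // dead end: try the next candidate issuer
            }
        }
    }
    Err(Error::UnknownIssuer)
}
```

With three intermediates that all share the subject "CA" and the same key, the search branches at every depth and the budget is exhausted before any path is found, while a leaf issued directly by the anchor costs a single check.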

@cpu cpu self-assigned this Aug 21, 2023
codecov bot commented Aug 21, 2023

Codecov Report

Merging #152 (abbb05f) into main (eb1a4dd) will increase coverage by 0.08%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #152      +/-   ##
==========================================
+ Coverage   96.46%   96.54%   +0.08%     
==========================================
  Files          15       15              
  Lines        4304     4376      +72     
==========================================
+ Hits         4152     4225      +73     
+ Misses        152      151       -1     
Files Changed Coverage Δ
src/error.rs 55.10% <100.00%> (+0.93%) ⬆️
src/verify_cert.rs 97.31% <100.00%> (+0.70%) ⬆️


@cpu cpu force-pushed the cpu-path-build-sig-limit branch from 981dc5b to b852857 Compare August 21, 2023 16:59
@ctz ctz (Member) left a comment

lgtm!

@cpu cpu force-pushed the cpu-path-build-sig-limit branch from b852857 to abbb05f Compare August 21, 2023 19:14
@cpu cpu added this pull request to the merge queue Aug 21, 2023
Merged via the queue into rustls:main with commit e473ee1 Aug 21, 2023
@cpu cpu deleted the cpu-path-build-sig-limit branch August 21, 2023 20:31