Avoid expensive RFC 3779 checks during cert verification - openbsd - A mirror of https://github.com/libressl/openbsd.git

diff options

author	tb <>	2022-04-21 04:48:12 +0000
committer	tb <>	2022-04-21 04:48:12 +0000
commit	e21f6219beb8da2cd4f2c2c089d77590e75ccbd4 (patch)
tree	4480c2ae34abee044d787297e3befc8eb30fa3a2 /src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
parent	d880394c2473a731941d8185e47b5bd98d7b8215 (diff)
download	openbsd-e21f6219beb8da2cd4f2c2c089d77590e75ccbd4.tar.gz openbsd-e21f6219beb8da2cd4f2c2c089d77590e75ccbd4.tar.bz2 openbsd-e21f6219beb8da2cd4f2c2c089d77590e75ccbd4.zip

Avoid expensive RFC 3779 checks during cert verification

X509v3_{addr,asid}_is_canonical() check that the ipAddrBlocks and autonomousSysIds extension conform to RFC 3779. These checks are not cheap. Certs containing non-conformant extensions should not be considered valid, so mark them with EXFLAG_INVALID while caching the extension information in x509v3_cache_extensions(). This way the expensive check while walking the chains during X509_verify_cert() is replaced with a cheap check of the extension flags. This avoids a lot of superfluous work when validating numerous certs with similar chains against the same roots as is done in rpki-client. Issue noticed and fix suggested by claudio ok claudio inoguchi jsing

Diffstat (limited to 'src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: