Avoid expensive RFC 3779 checks during cert verification - openbsd - A mirror of https://github.com/libressl/openbsd.git

diff options

author	tb <>	2022-04-21 04:48:12 +0000
committer	tb <>	2022-04-21 04:48:12 +0000
commit	10d8ec22a81b906974b9ddc26f92c35523c5284c (patch)
tree	4480c2ae34abee044d787297e3befc8eb30fa3a2 /src/regress/lib
parent	45b8140d971deab0e2970c393ed60019bd1b94ba (diff)
download	openbsd-10d8ec22a81b906974b9ddc26f92c35523c5284c.tar.gz openbsd-10d8ec22a81b906974b9ddc26f92c35523c5284c.tar.bz2 openbsd-10d8ec22a81b906974b9ddc26f92c35523c5284c.zip

Avoid expensive RFC 3779 checks during cert verification

X509v3_{addr,asid}_is_canonical() check that the ipAddrBlocks and autonomousSysIds extension conform to RFC 3779. These checks are not cheap. Certs containing non-conformant extensions should not be considered valid, so mark them with EXFLAG_INVALID while caching the extension information in x509v3_cache_extensions(). This way the expensive check while walking the chains during X509_verify_cert() is replaced with a cheap check of the extension flags. This avoids a lot of superfluous work when validating numerous certs with similar chains against the same roots as is done in rpki-client. Issue noticed and fix suggested by claudio ok claudio inoguchi jsing

Diffstat (limited to 'src/regress/lib')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: