Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v0.100.2 prep #154

Merged
merged 4 commits into from
Aug 22, 2023
Merged

v0.100.2 prep #154

merged 4 commits into from
Aug 22, 2023
+110 −24

Conversation

cpu
Copy link
Member

@cpu cpu commented Aug 21, 2023

0.100.2 release prep

This branch targets a base of rel-0.100 to prepare a point release in the v0.100.x series.

Proposed release notes

  • certificate path building and verification is now capped at 100 signature validation operations to avoid the risk of CPU usage denial-of-service attack when validating crafted certificate chains producing quadratic runtime. This risk affected both clients, as well as servers that verified client certificates.

verify_cert: enforce maximum number of signatures.

Pathbuilding complexity can be quadratic, particularly when the set of intermediates all have subjects matching a trust anchor. In these cases we need to bound the number of expensive signature validation operations that are performed to avoid a DoS on CPU usage.

This commit implements a simple maximum signature check limit inspired by the approach taken in the Golang x509 package. No more than 100 signatures will be evaluated while pathbuilding. This limit works in practice for Go when processing real world certificate chains and so should be appropriate for our use case as well.

Cargo: version 0.100.1 -> 0.100.2

Bumps the Cargo version.

@cpu cpu self-assigned this Aug 21, 2023
@codecov
Copy link

codecov bot commented Aug 21, 2023
edited
Loading

Codecov Report

Merging #154 (2b282aa) into rel-0.100 (abb0c03) will increase coverage by 0.42%.
The diff coverage is 98.71%.

❗ Current head 2b282aa differs from pull request most recent head 04bf875. Consider uploading reports for the commit 04bf875 to get more accurate results

@@              Coverage Diff              @@
##           rel-0.100     #154      +/-   ##
=============================================
+ Coverage      94.17%   94.59%   +0.42%     
=============================================
  Files             14       13       -1     
  Lines           2505     2573      +68     
=============================================
+ Hits            2359     2434      +75     
+ Misses           146      139       -7
Files Changed Coverage Δ
src/error.rs 25.00% <ø> (ø)
src/end_entity.rs 52.30% <50.00%> (-0.08%) ⬇️
src/verify_cert.rs 95.07% <100.00%> (+5.22%) ⬆️

... and 2 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@cpu
Copy link
Member Author

cpu commented Aug 21, 2023

ci / clippy (pull_request) Failing after 20s

This is caused by adding the new signature count argument to the v0.100 validation APIs:

error: this function has too many arguments (8/7)
--> src/verify_cert.rs:20:1

We can either ignore this clippy finding, or backport the ChainOpts struct we use in the v0.101+ API.

cpu added 2 commits August 22, 2023 08:26
@cpu @ctz
verify_cert: enforce maximum number of signatures.
c375641 
Pathbuilding complexity can be quadratic, particularly when the set of
intermediates all have subjects matching a trust anchor. In these cases
we need to bound the number of expensive signature validation operations
that are performed to avoid a DoS on CPU usage.

This commit implements a simple maximum signature check limit inspired
by the approach taken in the Golang x509 package. No more than 100
signatures will be evaluated while pathbuilding. This limit works in
practice for Go when processing real world certificate chains and so
should be appropriate for our use case as well.
@cpu @ctz
Cargo: version 0.100.1 -> 0.100.2
09dd2a5
@djc
Copy link
Member

djc commented Aug 22, 2023

Do we want to give this an MSRV bump?

djc
djc approved these changes Aug 22, 2023
View reviewed changes
@ctz
Copy link
Member

ctz commented Aug 22, 2023

Yes just working out what the minimum bump possible is :(

djc
djc approved these changes Aug 22, 2023
View reviewed changes
@ctz
Bump MSRV to 1.60
04bf875 
This is the minimum of once_cell 1.18.0 (selected via ring ->
web-sys -> wasm-bindgen -> wasm-bindgen-macro -> wasm-bindgen-macro-support ->
wasm-bindgen-backend -> once_cell).
@ctz ctz merged commit c8b8214 into rustls:rel-0.100 Aug 22, 2023
@cpu cpu deleted the cpu-v0.100.2 branch November 30, 2023 19:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ctz ctz

@djc djc

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@cpu @djc @ctz