golang/go

crypto/x509: CPU denial of service in chain validation

dmitshur opened this issue · 7 comments

Package crypto/x509 parses and validates X.509-encoded keys and certificates. It's supposed to handle certificate chains provided by an attacker with reasonable resource use.

The crypto/x509 package does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients verifying certificates are affected.

Thanks to Netflix for discovering and reporting this issue.

This issue is CVE-2018-16875.

Fixed in Go 1.11.3 by df52396.
Fixed in Go 1.10.6 by 0a4a37f.

Change https://golang.org/cl/154105 mentions this issue: crypto/x509: limit number of signature checks for each verification

I am experiencing a failure in tls.RequireAndVerifyClientCert with an otherwise previously valid combination of CA - Client Certificate.

The TLS server, compiled with go1.11.2, happily accepts the client certificate validated against the CA.

However, the TLS server, compiled with go1.11.3, raises a tls: failed to verify client's certificate: x509: certificate signed by unknown authority.

Are there known incompatibilities caused by this patch when evaluating CAs for inclusion in certPool.AppendCertsFromPEM or verified with a tls.Config using ClientAuth: tls.RequireAndVerifyClientCert?

The issue appeared to be linked to changes in func (s *CertPool) findPotentialParents(cert *Certificate) []int.

My certificate has an AuthorityKeyId, however the certificate pool only has the byName map filled.

The previous logic reverted to finding candidates by name if none were found by AuthorityKeyId; the new code does not.

/cc @FiloSottile Can you tell if the above is a problem with the fix? If you need more information, let's ask @abarisani to make a new issue report, and reference this closed issue in it.

Change https://golang.org/cl/161097 mentions this issue: crypto/x509: consider parents by Subject if AKID has no match

Change https://golang.org/cl/163739 mentions this issue: [release-branch.go1.11] crypto/x509: consider parents by Subject if AKID has no match
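A regression check for the AKID/Subject behaviour discussed in this thread, as an added example that is not code from the Go project or from any commenter. It builds a client certificate whose AuthorityKeyId matches no SubjectKeyId in the pool and verifies it twice: against a re-issued CA with the same Subject and key, and against a CA with the same Subject but a different key. All names, key IDs and certificates are constructed, and the results assume a Go release that includes the "consider parents by Subject if AKID has no match" change.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with key and parses the result; parent supplies issuer name and key ID.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return cert
}

// ca returns a constructed self-signed test CA with an explicit SubjectKeyId.
func ca(key *ecdsa.PrivateKey, skid []byte) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, SubjectKeyId: skid}
	return issue(t, t, &key.PublicKey, key)
}

// verifyClient issues a client cert with AKID 01020304 and verifies it against two roots
// that share the issuer's Subject but carry SKID 09090909: one with the signing key, one without.
func verifyClient() (akid []byte, sameKeyErr, otherKeyErr error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // leaf key, reused for the non-signing CA
	usage := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	leaf := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client"},
		ExtKeyUsage: usage}, ca(caKey, []byte{1, 2, 3, 4}), &otherKey.PublicKey, caKey)
	verify := func(root *x509.Certificate) error { // pool holds exactly one root
		pool := x509.NewCertPool()
		pool.AddCert(root)
		_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: usage})
		return err
	}
	return leaf.AuthorityKeyId, verify(ca(caKey, []byte{9, 9, 9, 9})), verify(ca(otherKey, []byte{9, 9, 9, 9}))
}

func main() {
	fmt.Println(verifyClient())
}
```

The second result shows that falling back to a Subject match only widens the candidate set: the signature check still rejects a CA that did not sign the certificate.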