Impact
Checking name constraints in X.509 certificates is quadratic in the number of names and name constraints. An attacker who presented a certificate chain which contained a very large number of names in the SubjectAlternativeName, signed by a CA certificate which contained a large number of name constraints, could cause a denial of service.
The POC used a certificate containing 32K domain names, signed by a certificate with 32K name constraints. In affected versions, verifying such a certificate could take several minutes.
Patches
The problem has been addressed in Botan 3.5.0 in the following ways:
- During path validation, the entire chain of signatures up to a trust root is checked prior to checking other parameters such as name constraints. This change requires an attacker to get a trusted CA to sign such a certificate chain. #4045
- Optimize name constraint processing. The original implementation of name constraints was less efficient than it could have been. These optimizations reduce the cost of verifying the POC from minutes to about 3 seconds. #4047
- Optimize SubjectAlternativeName parsing. Simply parsing the certificate with 32K names was quite expensive due to an accidentally quadratic algorithm during parsing. #4034
- During name constraint checking, check that the product of names and name constraints is less than 2**20. If this bound is exceeded, the certificate is rejected immediately. #4186
A partial backport has also been applied and is included in Botan 2.19.5:
- #4045 was backported to release-2 in #4052
- The product of names and name constraints is checked. However, the optimization patches could not be applied in Botan 2 as they rely on features added in C++17. As a consequence, the product is limited to 2**12. #4187
If your application relies on processing or verifying X.509 certificates (this includes almost all uses of TLS), upgrading to Botan 3 is highly recommended.
Workarounds
Prior to verifying a certificate, check the total quantity of name constraints associated with a certificate. If this seems excessive (say over 128) reject the certificate immediately.
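The workaround above and the product bound from #4186, as an added C++ example that is not Botan's code or API: it applies both limits before a naive names-by-constraints match and counts the comparisons performed. The `Limits`, `Verdict`, `dns_within` and `check_permitted` names are hypothetical, the DNS subtree match is simplified, and the sample names are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical policy knobs; these are not Botan types.
struct Limits {
    std::size_t max_constraints = 128;              // workaround threshold from the advisory
    std::size_t max_product = std::size_t(1) << 20; // names x constraints bound (2**20), must be >= 1
};
enum class Verdict { Ok, NameNotPermitted, TooManyConstraints, WorkBoundExceeded };

// Simplified dNSName subtree match: equal to base, or ends with base at a '.' label boundary.
bool dns_within(const std::string& name, const std::string& base) {
    if (name.size() < base.size()) return false;
    const std::size_t off = name.size() - base.size();
    if (name.compare(off, base.size(), base) != 0) return false;
    return off == 0 || name[off - 1] == '.';
}

// Checks SAN DNS names against permitted subtrees; `comparisons` reports the work done.
Verdict check_permitted(const std::vector<std::string>& sans,
                        const std::vector<std::string>& permitted,
                        const Limits& lim, std::size_t& comparisons) {
    comparisons = 0;
    const std::size_t n = sans.size(), c = permitted.size();
    if (c == 0) return Verdict::Ok;  // no permitted subtrees: nothing to enforce
    if (c > lim.max_constraints) return Verdict::TooManyConstraints;
    // Reject when n * c >= max_product, written as a division so it cannot overflow.
    if (n > (lim.max_product - 1) / c) return Verdict::WorkBoundExceeded;
    for (const auto& name : sans) {  // worst case n * c comparisons
        bool ok = false;
        for (const auto& base : permitted) {
            ++comparisons;
            if (dns_within(name, base)) { ok = true; break; }
        }
        if (!ok) return Verdict::NameNotPermitted;
    }
    return Verdict::Ok;
}

int main() {
    // Constructed sample input: the second name only looks like a subdomain.
    std::size_t work = 0;
    const Verdict v = check_permitted({"a.example.com", "badexample.com"},
                                      {"example.com"}, Limits{}, work);
    std::printf("verdict=%d comparisons=%zu\n", static_cast<int>(v), work);
    return v == Verdict::NameNotPermitted ? 0 : 1;
}
```

Both limit checks return before any name is compared, so an oversized input costs only two size lookups.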
Credit
This issue was found and reported by Bing Shi.
References
OpenSSL had a similar vulnerability which was addressed in openssl/openssl@8545051 using a similar check on the product of names and name constraints.