Fix embarrassing X.509 bug introduced in 9533765b

8c045ef8 · Manuel Pégourié-Gonnard · 95a0d118 · 8c045ef8 · 8c045ef8
Commit 8c045ef8 authored Apr 08, 2014 by Manuel Pégourié-Gonnard
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

ChangeLog ChangeLog +4 -0

library/x509_crt.c library/x509_crt.c +3 -0

No files found.
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,10 @@ Changes
 Security
   * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
     (Found by Watson Ladd.)
+   * The notAfter date of some certificates was no longer checked since 1.3.5.
+     This affects certificates in the user-supplied chain except the top
+     certificate. If the user-supplied chain contains only one certificates,
+     it is not affected (ie, its notAfter date is properly checked).

 Bugfix
   * The length of various ClientKeyExchange messages was not properly checked.

--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1647,6 +1647,9 @@ static int x509_crt_verify_child(
    x509_crt *grandparent;
    const md_info_t *md_info;

+    if( x509_time_expired( &child->valid_to ) )
+        *flags |= BADCERT_EXPIRED;
+
    if( x509_time_future( &child->valid_from ) )
        *flags |= BADCERT_FUTURE;