Commit 8c045ef8 authored by Manuel Pégourié-Gonnard's avatar Manuel Pégourié-Gonnard
Browse files

Fix embarrassing X.509 bug introduced in 9533765b

parent 95a0d118
......@@ -8,6 +8,10 @@ Changes
Security
* Avoid potential timing leak in ecdsa_sign() by blinding modular division.
(Found by Watson Ladd.)
* The notAfter date of some certificates was no longer checked since 1.3.5.
This affects certificates in the user-supplied chain except the top
certificate. If the user-supplied chain contains only one certificates,
it is not affected (ie, its notAfter date is properly checked).
Bugfix
* The length of various ClientKeyExchange messages was not properly checked.
......
......@@ -1647,6 +1647,9 @@ static int x509_crt_verify_child(
x509_crt *grandparent;
const md_info_t *md_info;
if( x509_time_expired( &child->valid_to ) )
*flags |= BADCERT_EXPIRED;
if( x509_time_future( &child->valid_from ) )
*flags |= BADCERT_FUTURE;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment