Commit
9533765b
authored
Mar 10, 2014
by
Manuel Pégourié-Gonnard
Reject certs and CRLs from the future
parent
6304f786
Showing
5 changed files
with
56 additions
and
6 deletions
+56
-6
ChangeLog
ChangeLog
+1
-0
include/polarssl/x509.h
include/polarssl/x509.h
+2
-0
library/x509_crt.c
library/x509_crt.c
+11
-2
tests/data_files/server5-expired.crt
tests/data_files/server5-expired.crt
+14
-0
tests/suites/test_suite_x509parse.data
tests/suites/test_suite_x509parse.data
+28
-4
ChangeLog
...
...
@@ -18,6 +18,7 @@ Security
* Forbid change of server certificate during renegotiation to prevent
"triple handshake" attack when authentication mode is optional (the
attack was already impossible when authentication is required).
* Check notBefore timestamp of certificates and CRLs from the future.
Bugfix
* ecp_gen_keypair() does more tries to prevent failure because of
...
...
include/polarssl/x509.h
...
...
@@ -78,6 +78,8 @@
#define BADCERT_MISSING 0x40
/**< Certificate was missing. */
#define BADCERT_SKIP_VERIFY 0x80
/**< Certificate verification was skipped. */
#define BADCERT_OTHER 0x0100
/**< Other reason (can be used by verify callback) */
#define BADCERT_FUTURE 0x0200
/**< The certificate validity starts in the future. */
#define BADCRL_FUTURE 0x0400
/**< The CRL is from the future */
/* \} name */
/* \} addtogroup x509_module */
...
...
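Review bot: The comment on `BADCRL_FUTURE` is vaguer than the one on `BADCERT_FUTURE` and drops the final period the neighbouring entries use. Since library/x509_crt.c raises the flag from the CRL's `this_update` field, I would write `/**< The CRL's thisUpdate date is in the future. */`. Applications whose verify callback inspects or clears individual `BADCERT_*` bits (the `BADCERT_OTHER` comment shows callbacks do touch the flags) will presumably start seeing these two new bits, so the header or the ChangeLog should say that existing callbacks may need to handle them.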
library/x509_crt.c
...
...
@@ -1255,6 +1255,9 @@ static int x509_crt_verifycrl( x509_crt *crt, x509_crt *ca,
if
(
x509_time_expired
(
&
crl_list
->
next_update
)
)
flags
|=
BADCRL_EXPIRED
;
if
(
x509_time_future
(
&
crl_list
->
this_update
)
)
flags
|=
BADCRL_FUTURE
;
/*
* Check if certificate is revoked
*/
...
...
@@ -1340,6 +1343,9 @@ static int x509_crt_verify_top(
if
(
x509_time_expired
(
&
child
->
valid_to
)
)
*
flags
|=
BADCERT_EXPIRED
;
if
(
x509_time_future
(
&
child
->
valid_from
)
)
*
flags
|=
BADCERT_FUTURE
;
/*
* Child is the top of the chain. Check against the trust_ca list.
*/
...
...
@@ -1420,6 +1426,9 @@ static int x509_crt_verify_top(
if
(
x509_time_expired
(
&
trust_ca
->
valid_to
)
)
ca_flags
|=
BADCERT_EXPIRED
;
if
(
x509_time_future
(
&
trust_ca
->
valid_from
)
)
ca_flags
|=
BADCERT_FUTURE
;
if
(
NULL
!=
f_vrfy
)
{
if
(
(
ret
=
f_vrfy
(
p_vrfy
,
trust_ca
,
path_cnt
+
1
,
&
ca_flags
)
)
!=
0
)
...
...
@@ -1451,8 +1460,8 @@ static int x509_crt_verify_child(
x509_crt
*
grandparent
;
const
md_info_t
*
md_info
;
if
(
x509_time_
expi
re
d
(
&
child
->
valid_
to
)
)
*
flags
|=
BADCERT_
EXPI
RE
D
;
if
(
x509_time_
futu
re
(
&
child
->
valid_
from
)
)
*
flags
|=
BADCERT_
FUTU
RE
;
md_info
=
md_info_from_type
(
child
->
sig_md
);
if
(
md_info
==
NULL
)
...
...
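Review bot: The new `x509_time_future()` checks in x509_crt_verifycrl(), x509_crt_verify_top() and x509_crt_verify_child() judge notBefore and thisUpdate against the local clock with no allowance for skew, and no comment near them says so. A device whose clock is unset or behind a certificate's notBefore will now get `BADCERT_FUTURE`, where the context lines show that only the expiry check depended on time before. I would add a comment at the first site such as `/* Validity is judged against the local clock; a clock that is behind yields BADCERT_FUTURE / BADCRL_FUTURE */` and state the time-source requirement in the verify function's documentation. In the trust_ca hunk the result goes into `ca_flags`; whether that is later merged into `*flags` lies outside the hunk, so it is worth confirming that a not-yet-valid trusted CA fails verification and is not only reported to `f_vrfy`. All three functions start and end outside the hunks shown.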
tests/data_files/server5-expired.crt
0 → 100644
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
tests/suites/test_suite_x509parse.data
...
...
@@ -194,22 +194,38 @@ X509 Time Future #6
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C
x509_time_future:"data_files/test-ca2.crt":"valid_to":1
X509 Certificate verification #1 (Revoked Cert, Expired CRL)
X509 Certificate verification #1 (Revoked Cert, Expired CRL
, no CN
)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED:"NULL"
X509 Certificate verification #1a (Revoked Cert, Future CRL, no CN)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_ECP_C:
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_FUTURE:"NULL"
X509 Certificate verification #2 (Revoked Cert, Expired CRL)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED:"NULL"
X509 Certificate verification #3 (Revoked Cert, Expired CRL, CN Mismatch)
X509 Certificate verification #2a (Revoked Cert, Future CRL)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_ECP_C:
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_FUTURE:"NULL"
X509 Certificate verification #3 (Revoked Cert, Future CRL, CN Mismatch)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED | BADCERT_CN_MISMATCH:"NULL"
X509 Certificate verification #3a (Revoked Cert, Expired CRL, CN Mismatch)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_ECP_C:
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_FUTURE | BADCERT_CN_MISMATCH:"NULL"
X509 Certificate verification #4 (Valid Cert, Expired CRL)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_EXPIRED:"NULL"
X509 Certificate verification #4a (Revoked Cert, Future CRL)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_ECP_C:
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_FUTURE:"NULL"
X509 Certificate verification #5 (Revoked Cert)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:"NULL"
...
...
@@ -223,8 +239,16 @@ depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V1
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCERT_CN_MISMATCH:"NULL"
X509 Certificate verification #8 (Valid Cert)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_ECP_C:
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
X509 Certificate verification #8a (Expired Cert)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_ECP_C:
x509_verify:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_EXPIRED:"NULL"
X509 Certificate verification #8b (Future Cert)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_ECP_C:
x509_verify:"data_files/server5-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_FUTURE:"NULL"
X509 Certificate verification #9 (Not trusted Cert)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
...
...
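Review bot: Three of the test titles in the first hunk do not match their data, which will mislead anyone reading a failure report. `#3` is now titled `Future CRL` but still loads `crl_expired.pem` and expects `BADCRL_EXPIRED`, while `#3a` is titled `Expired CRL` and loads `crl-future.pem` expecting `BADCRL_FUTURE`; the two titles look swapped. `#4a` is titled `Revoked Cert, Future CRL` yet expects only `BADCRL_FUTURE` without `BADCERT_REVOKED`, so it should read `X509 Certificate verification #4a (Valid Cert, Future CRL)` to mirror `#4`. The new cases also reference `data_files/crl-future.pem` and `data_files/server5-future.crt`, which are not among the five files listed for this commit, so presumably they were added earlier and that is worth confirming.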