Commit 9655e459 authored by Manuel Pégourié-Gonnard's avatar Manuel Pégourié-Gonnard Committed by Paul Bakker
Browse files

Reject certificates with times not in UTC

parent 0776a437
......@@ -17,6 +17,7 @@ Changes
* pk_verify() now returns a specific error code when the signature is valid
but shorter than the supplied length.
* Use UTC time to check certificate validity.
* Reject certificates with times not in UTC, per RFC 5280.
Security
* Avoid potential timing leak in ecdsa_sign() by blinding modular division.
......
......@@ -274,7 +274,7 @@ int x509_get_time( unsigned char **p, const unsigned char *end,
memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
len : sizeof( date ) - 1 );
if( sscanf( date, "%2d%2d%2d%2d%2d%2d",
if( sscanf( date, "%2d%2d%2d%2d%2d%2dZ",
&time->year, &time->mon, &time->day,
&time->hour, &time->min, &time->sec ) < 5 )
return( POLARSSL_ERR_X509_INVALID_DATE );
......@@ -298,7 +298,7 @@ int x509_get_time( unsigned char **p, const unsigned char *end,
memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
len : sizeof( date ) - 1 );
if( sscanf( date, "%4d%2d%2d%2d%2d%2d",
if( sscanf( date, "%4d%2d%2d%2d%2d%2dZ",
&time->year, &time->mon, &time->day,
&time->hour, &time->min, &time->sec ) < 5 )
return( POLARSSL_ERR_X509_INVALID_DATE );
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment