Commit c72d6425 authored by Janos Follath's avatar Janos Follath Committed by Simon Butcher

X509: Fix bug triggered by future CA among trusted

Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
parent 884b4fc2
...@@ -11,6 +11,9 @@ Bugfix ...@@ -11,6 +11,9 @@ Bugfix
* Fix issue in Makefile that prevented building using armar. #386 * Fix issue in Makefile that prevented building using armar. #386
* Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
ECDSA was disabled in config.h . The leak didn't occur by default. ECDSA was disabled in config.h . The leak didn't occur by default.
* Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
Changes Changes
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
......
...@@ -1932,6 +1932,16 @@ static int x509_crt_verify_top( ...@@ -1932,6 +1932,16 @@ static int x509_crt_verify_top(
continue; continue;
} }
if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
{
continue;
}
if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
{
continue;
}
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk, if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
child->sig_md, hash, mbedtls_md_get_size( md_info ), child->sig_md, hash, mbedtls_md_get_size( md_info ),
child->sig.p, child->sig.len ) != 0 ) child->sig.p, child->sig.len ) != 0 )
...@@ -1967,12 +1977,6 @@ static int x509_crt_verify_top( ...@@ -1967,12 +1977,6 @@ static int x509_crt_verify_top(
((void) ca_crl); ((void) ca_crl);
#endif #endif
if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
if( NULL != f_vrfy ) if( NULL != f_vrfy )
{ {
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment