From 855ec587a46d5e27b7a13ecade7f1a880d42f76a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 19 Feb 2016 15:58:21 +0000 Subject: [PATCH] X509: Fix bug triggered by future CA among trusted Fix an issue that caused valid certificates being rejected whenever an expired or not yet valid version of the trusted certificate was before the valid version in the trusted certificate list. --- ChangeLog | 3 +++ library/x509_crt.c | 16 ++++++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index a875347c9..7073804c2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ Bugfix * Fix issue in Makefile that prevented building using armar. #386 * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and ECDSA was disabled in config.h . The leak didn't occur by default. + * Fix an issue that caused valid certificates being rejected whenever an + expired or not yet valid version of the trusted certificate was before the + valid version in the trusted certificate list. Changes * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, diff --git a/library/x509_crt.c b/library/x509_crt.c index 3eaf5bc14..334b8ef51 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1932,6 +1932,16 @@ static int x509_crt_verify_top( continue; } + if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ) + { + continue; + } + + if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) ) + { + continue; + } + if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk, child->sig_md, hash, mbedtls_md_get_size( md_info ), child->sig.p, child->sig.len ) != 0 ) @@ -1967,12 +1977,6 @@ static int x509_crt_verify_top( ((void) ca_crl); #endif - if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ) - ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED; - - if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) ) - ca_flags |= MBEDTLS_X509_BADCERT_FUTURE; - if( NULL != f_vrfy ) { if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,