From 040c56488815a46e52afd1a4882c0f9b6e68a338 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Mon, 10 Jun 2019 11:14:24 +0100
Subject: [PATCH] Fix certificate validity checking logic to work with
 !TIME_DATE

If MBEDTLS_HAVE_TIME_DATE is undefined, the functions
`mbedtls_x509_time_is_past()` and `mbedtls_x509_time_is_future()`
are still defined but return `0` (that is, no time is seen to in
the past or future). To maintain functional correctness, this
means that these functions have to be called in a way where
the condition being checked for is the erroneous one: Concretely,
one shouldn't check that a CRT's `validFrom` is in the past,
or that its `validTo` is in the future, because that would
fail if !MBEDTLS_HAVE_TIME_DATE. Instead, one should check
that `validFrom` is NOT in the future, and `validTo` is NOT
in the past. That was the logic previously, but an uncautious
change during transition to X.509 on-demand parsing has
changed it. This commit fixes this.
---
 library/x509_crt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/x509_crt.c b/library/x509_crt.c
index b5ad86715..45768ca87 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2849,8 +2849,8 @@ check_signature:
             if( ret != 0 )
                 return( MBEDTLS_ERR_X509_FATAL_ERROR );
 
-            if( mbedtls_x509_time_is_past( &parent->valid_from ) &&
-                mbedtls_x509_time_is_future( &parent->valid_to ) )
+            if( !mbedtls_x509_time_is_past( &parent->valid_to ) &&
+                !mbedtls_x509_time_is_future( &parent->valid_from ) )
             {
                 parent_valid = 1;
             }