From 50a5c53398b5ffc3cc997a8c7d432a025c8de2f3 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 8 Jul 2014 10:59:10 +0200
Subject: [PATCH] Reject certs and CRLs from the future
---
 ChangeLog | 1 +
 include/polarssl/x509.h | 3 +++
 library/x509parse.c | 12 ++++++++++++
 3 files changed, 16 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 513f9f5c9..f1fc690fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@ Security
 * Forbid change of server certificate during renegotiation to prevent "triple handshake" attack when authentication mode is optional (the attack was already impossible when authentication is required).
+ * Check notBefore timestamp of certificates and CRLs from the future.
 Bugfix
 * Fixed X.509 hostname comparison (with non-regular characters)
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 9cc757b58..1dbc40d2b 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -80,6 +80,9 @@
 #define BADCERT_MISSING 0x40 /**< Certificate was missing. */
 #define BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */
 #define BADCERT_OTHER 0x0100 /**< Other reason (can be used by verify callback) */
+#define BADCERT_FUTURE 0x0200 /**< The certificate validity starts in the future. */
+#define BADCRL_FUTURE 0x0400 /**< The CRL is from the future */
+
 /* \} name */
 /* \} addtogroup x509_module */
diff --git a/library/x509parse.c b/library/x509parse.c
index 8de0d9815..16b014920 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -3275,6 +3275,9 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca,
 if( x509parse_time_expired( &crl_list->next_update ) )
 flags |= BADCRL_EXPIRED;
+ if( x509parse_time_future( &crl_list->this_update ) )
+ flags |= BADCRL_FUTURE;
+
 /*
 * Check if certificate is revoked
 */
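Review bot: In the include/polarssl/x509.h hunk, the comments on `BADCERT_FUTURE` and `BADCRL_FUTURE` do not name the field being tested, which matters to callers who decide in a verify callback which flags to tolerate. Going by the x509parse.c hunks the fields are `valid_from` and `this_update`, so I would write `/**< The certificate validity starts in the future (valid_from is later than the current time). */` and `/**< The CRL is from the future (this_update is later than the current time). */`. The second comment also lacks the final period its neighbours have, and the added blank line sits between the last flag and the `/* \} name */` group close.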
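Review bot: In x509parse_verifycrl the new test on `crl_list->this_update` has no allowance for clock skew, so a CRL issued moments ago would be reported as `BADCRL_FUTURE` on a host whose clock runs slightly behind the issuer's. How `x509parse_time_future` behaves on a build with no time source is not visible in this patch. Please state the intended behaviour in a comment above the check, for example `/* Strict comparison with the local clock; the CRL is still consulted for revocation below. */`, if that is what the code after the hunk does. The function body starts and ends outside the hunk. The diffstat lists no test files, so future-dated certificate and CRL cases appear to be untested by this patch.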
@@ -3358,6 +3361,9 @@ static int x509parse_verify_top(
 if( x509parse_time_expired( &child->valid_to ) )
 *flags |= BADCERT_EXPIRED;
+ if( x509parse_time_future( &child->valid_from ) )
+ *flags |= BADCERT_FUTURE;
+
 /*
 * Child is the top of the chain. Check against the trust_ca list.
 */
@@ -3426,6 +3432,9 @@ static int x509parse_verify_top(
 if( x509parse_time_expired( &trust_ca->valid_to ) )
 ca_flags |= BADCERT_EXPIRED;
+ if( x509parse_time_future( &trust_ca->valid_from ) )
+ ca_flags |= BADCERT_FUTURE;
+
 if( NULL != f_vrfy )
 {
 if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
@@ -3459,6 +3468,9 @@ static int x509parse_verify_child(
 if( x509parse_time_expired( &child->valid_to ) )
 *flags |= BADCERT_EXPIRED;
+ if( x509parse_time_future( &child->valid_from ) )
+ *flags |= BADCERT_FUTURE;
+
 hash_id = child->sig_alg;
 x509_hash( child->tbs.p, child->tbs.len, hash_id, hash );
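Review bot: The expired/future pair on `child` in the first x509parse_verify_top hunk is now written out three times: here, on `trust_ca` in the next hunk, and on `child` in x509parse_verify_child. Each copy has to be kept in step by hand. A small static helper that takes the certificate and the flags pointer and sets both `BADCERT_EXPIRED` and `BADCERT_FUTURE` would make it harder for a later verification path to check one end of the validity window and forget the other. The call sites would then read e.g. `x509_check_validity( child, flags );` (the name is only a suggestion). The function bodies start and end outside these hunks.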
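Review bot: In the second x509parse_verify_top hunk, `BADCERT_FUTURE` is set in the local `ca_flags`, and the only use of `ca_flags` visible here is the `f_vrfy` callback. Whether the bit reaches the caller's `*flags` when `f_vrfy` is NULL depends on code after the hunk. If it does not, a trust anchor whose `valid_from` is still ahead would go unreported for callers that install no callback. Please confirm that `ca_flags` is merged into `*flags` after the callback block and say so in a comment, e.g. `/* ca_flags is folded into *flags below, with or without a callback */`.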