yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-06-06 01:38:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Reject certs and CRLs from the future

Browse source
This commit is contained in:
Paul Bakker 2014-07-08 10:59:10 +02:00
parent 0d844dd650
commit 50a5c53398
3 changed files with 16 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
ChangeLog
View file

@ -8,6 +8,7 @@ Security
* Forbid change of server certificate during renegotiation to prevent * Forbid change of server certificate during renegotiation to prevent
"triple handshake" attack when authentication mode is optional (the "triple handshake" attack when authentication mode is optional (the
attack was already impossible when authentication is required). attack was already impossible when authentication is required).
* Check notBefore timestamp of certificates and CRLs from the future.
Bugfix Bugfix
* Fixed X.509 hostname comparison (with non-regular characters) * Fixed X.509 hostname comparison (with non-regular characters)

3
include/polarssl/x509.h
View file

@ -80,6 +80,9 @@
#define BADCERT_MISSING 0x40 /**< Certificate was missing. */ #define BADCERT_MISSING 0x40 /**< Certificate was missing. */
#define BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */ #define BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */
#define BADCERT_OTHER 0x0100 /**< Other reason (can be used by verify callback) */ #define BADCERT_OTHER 0x0100 /**< Other reason (can be used by verify callback) */
#define BADCERT_FUTURE 0x0200 /**< The certificate validity starts in the future. */
#define BADCRL_FUTURE 0x0400 /**< The CRL is from the future */
/* \} name */ /* \} name */
/* \} addtogroup x509_module */ /* \} addtogroup x509_module */

12
library/x509parse.c
View file

@ -3275,6 +3275,9 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca,
if( x509parse_time_expired( &crl_list->next_update ) ) if( x509parse_time_expired( &crl_list->next_update ) )
flags |= BADCRL_EXPIRED; flags |= BADCRL_EXPIRED;
if( x509parse_time_future( &crl_list->this_update ) )
flags |= BADCRL_FUTURE;
/* /*
* Check if certificate is revoked * Check if certificate is revoked
*/ */
@ -3358,6 +3361,9 @@ static int x509parse_verify_top(
if( x509parse_time_expired( &child->valid_to ) ) if( x509parse_time_expired( &child->valid_to ) )
*flags |= BADCERT_EXPIRED; *flags |= BADCERT_EXPIRED;
if( x509parse_time_future( &child->valid_from ) )
*flags |= BADCERT_FUTURE;
/* /*
* Child is the top of the chain. Check against the trust_ca list. * Child is the top of the chain. Check against the trust_ca list.
*/ */
@ -3426,6 +3432,9 @@ static int x509parse_verify_top(
if( x509parse_time_expired( &trust_ca->valid_to ) ) if( x509parse_time_expired( &trust_ca->valid_to ) )
ca_flags |= BADCERT_EXPIRED; ca_flags |= BADCERT_EXPIRED;
if( x509parse_time_future( &trust_ca->valid_from ) )
ca_flags |= BADCERT_FUTURE;
if( NULL != f_vrfy ) if( NULL != f_vrfy )
{ {
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 ) if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
@ -3459,6 +3468,9 @@ static int x509parse_verify_child(
if( x509parse_time_expired( &child->valid_to ) ) if( x509parse_time_expired( &child->valid_to ) )
*flags |= BADCERT_EXPIRED; *flags |= BADCERT_EXPIRED;
if( x509parse_time_future( &child->valid_from ) )
*flags |= BADCERT_FUTURE;
hash_id = child->sig_alg; hash_id = child->sig_alg;
x509_hash( child->tbs.p, child->tbs.len, hash_id, hash ); x509_hash( child->tbs.p, child->tbs.len, hash_id, hash );