Correctly handle leap year in x509_date_is_valid()

This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
This commit is contained in:
Andres AG 2016-11-21 15:38:02 +00:00 committed by Simon Butcher
parent ea111c5501
commit 7c02d13746
3 changed files with 28 additions and 3 deletions

View file

@ -11,6 +11,9 @@ Bugfix
* Parse signature algorithm extension when renegotiating. Previously, * Parse signature algorithm extension when renegotiating. Previously,
renegotiated handshakes would only accept signatures using SHA-1 renegotiated handshakes would only accept signatures using SHA-1
regardless of the peer's preferences, or fail if SHA-1 was disabled. regardless of the peer's preferences, or fail if SHA-1 was disabled.
* Fix leap year calculation in x509_date_is_valid() to ensure that invalid
dates on leap years with 100 and 400 intervals are handled correctly. Found
by Nicholas Wilson. #694
= mbed TLS 1.3.21 branch released 2017-08-10 = mbed TLS 1.3.21 branch released 2017-08-10

View file

@ -499,6 +499,7 @@ static int x509_parse_int( unsigned char **p, size_t n, int *res )
static int x509_date_is_valid(const x509_time *t) static int x509_date_is_valid(const x509_time *t)
{ {
int ret = POLARSSL_ERR_X509_INVALID_DATE; int ret = POLARSSL_ERR_X509_INVALID_DATE;
int month_len;
CHECK_RANGE( 0, 9999, t->year ); CHECK_RANGE( 0, 9999, t->year );
CHECK_RANGE( 0, 23, t->hour ); CHECK_RANGE( 0, 23, t->hour );
@ -508,17 +509,22 @@ static int x509_date_is_valid(const x509_time *t)
switch( t->mon ) switch( t->mon )
{ {
case 1: case 3: case 5: case 7: case 8: case 10: case 12: case 1: case 3: case 5: case 7: case 8: case 10: case 12:
CHECK_RANGE( 1, 31, t->day ); month_len = 31;
break; break;
case 4: case 6: case 9: case 11: case 4: case 6: case 9: case 11:
CHECK_RANGE( 1, 30, t->day ); month_len = 30;
break; break;
case 2: case 2:
CHECK_RANGE( 1, 28 + (t->year % 4 == 0), t->day ); if( ( !( t->year % 4 ) && t->year % 100 ) ||
!( t->year % 400 ) )
month_len = 29;
else
month_len = 28;
break; break;
default: default:
return( ret ); return( ret );
} }
CHECK_RANGE( 1, month_len, t->day );
return( 0 ); return( 0 );
} }

View file

@ -1546,3 +1546,19 @@ x509_get_time:ASN1_UTC_TIME:"001130236012Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0
X509 Get time (UTC invalid sec) X509 Get time (UTC invalid sec)
depends_on:POLARSSL_X509_USE_C depends_on:POLARSSL_X509_USE_C
x509_get_time:ASN1_UTC_TIME:"001130235960Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0:0:0:0 x509_get_time:ASN1_UTC_TIME:"001130235960Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0:0:0:0
X509 Get time (Generalized Time invalid leap year multiple of 4 and 100)
depends_on:POLARSSL_X509_USE_C
x509_get_time:ASN1_GENERALIZED_TIME:"19000229000000Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0:0:0:0
X509 Get time (Generalized Time year multiple of 4 and not multiple of 100)
depends_on:POLARSSL_X509_USE_C
x509_get_time:ASN1_GENERALIZED_TIME:"19920229000000Z":0:1992:2:29:0:0:0
X509 Get time (Generalized Time year multiple of 400)
depends_on:POLARSSL_X509_USE_C
x509_get_time:ASN1_GENERALIZED_TIME:"20000229000000Z":0:2000:2:29:0:0:0
X509 Get time (Generalized Time invalid leap year not multiple of 4, 100 or 400)
depends_on:POLARSSL_X509_USE_C
x509_get_time:ASN1_GENERALIZED_TIME:"19910229000000Z":POLARSSL_ERR_X509_INVALID_DATE:0:0:0:0:0:0