mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 13:25:28 +00:00
X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an expired or not yet valid version of the trusted certificate was before the valid version in the trusted certificate list.
This commit is contained in:
parent
aeff929a5a
commit
8a8445415f
|
@ -1,5 +1,12 @@
|
|||
mbed TLS ChangeLog (Sorted per branch, date)
|
||||
|
||||
= mbed TLS 1.3.x
|
||||
|
||||
Bugfix
|
||||
* Fix an issue that caused valid certificates being rejected whenever an
|
||||
expired or not yet valid version of the trusted certificate was before the
|
||||
valid version in the trusted certificate list.
|
||||
|
||||
= mbed TLS 1.3.17 branch 2016-06-28
|
||||
|
||||
Security
|
||||
|
|
|
@ -1823,6 +1823,16 @@ static int x509_crt_verify_top(
|
|||
continue;
|
||||
}
|
||||
|
||||
if( x509_time_expired( &trust_ca->valid_to ) )
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
if( x509_time_future( &trust_ca->valid_from ) )
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
if( pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
|
||||
child->sig_md, hash, md_info->size,
|
||||
child->sig.p, child->sig.len ) != 0 )
|
||||
|
@ -1854,12 +1864,6 @@ static int x509_crt_verify_top(
|
|||
((void) ca_crl);
|
||||
#endif
|
||||
|
||||
if( x509_time_expired( &trust_ca->valid_to ) )
|
||||
ca_flags |= BADCERT_EXPIRED;
|
||||
|
||||
if( x509_time_future( &trust_ca->valid_from ) )
|
||||
ca_flags |= BADCERT_FUTURE;
|
||||
|
||||
if( NULL != f_vrfy )
|
||||
{
|
||||
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,
|
||||
|
|
Loading…
Reference in a new issue