From 8a8445415fc515cb2953ef88ba272511248d12ab Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 19 Feb 2016 15:58:21 +0000 Subject: [PATCH] X509: Fix bug triggered by future CA among trusted Fix an issue that caused valid certificates being rejected whenever an expired or not yet valid version of the trusted certificate was before the valid version in the trusted certificate list. --- ChangeLog | 7 +++++++ library/x509_crt.c | 16 ++++++++++------ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3b7c3abbe..9c23c4178 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 1.3.x + +Bugfix + * Fix an issue that caused valid certificates being rejected whenever an + expired or not yet valid version of the trusted certificate was before the + valid version in the trusted certificate list. + = mbed TLS 1.3.17 branch 2016-06-28 Security diff --git a/library/x509_crt.c b/library/x509_crt.c index 5a15c74fd..b7c73df1d 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1823,6 +1823,16 @@ static int x509_crt_verify_top( continue; } + if( x509_time_expired( &trust_ca->valid_to ) ) + { + continue; + } + + if( x509_time_future( &trust_ca->valid_from ) ) + { + continue; + } + if( pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk, child->sig_md, hash, md_info->size, child->sig.p, child->sig.len ) != 0 ) @@ -1854,12 +1864,6 @@ static int x509_crt_verify_top( ((void) ca_crl); #endif - if( x509_time_expired( &trust_ca->valid_to ) ) - ca_flags |= BADCERT_EXPIRED; - - if( x509_time_future( &trust_ca->valid_from ) ) - ca_flags |= BADCERT_FUTURE; - if( NULL != f_vrfy ) { if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,