Fix bug in MBEDTLS_X509_CRT_REMOVE_TIME

When looking for a parent, all candidates were considered time-invalid due to the #ifdef incorrectly including the `parent_valid = 1` line. When MBEDTLS_HAVE_TIME_DATE is unset the time-validity of certificates is never checked and always treated as valid. This is usually achieved by proper usage of mbedtls_x509_time_is_past() and mbedtls_x509_time_is_future() (and their definition when we don't HAVE_TIME_DATE). Here the calls to these functions needs to be guarded by MBEDTLS_X509_CRT_REMOVE_TIME as they access struct members whose presence is controlled by this option. But the "valid" branch should still always be taken. (Note: MBEDTLS_X509_CRT_REMOVE_TIME being set forces MBEDTLS_HAVE_TIME_DATE to be unset, as enforce by check_config.h.) This bug was found by `all.sh test_baremetal` - no need for a new test.
2025-02-02 11:41:02 +00:00 · 2019-07-30 16:03:06 +02:00 · 2019-07-30 16:03:06 +02:00 · f1358acdc7
parent 80eaddfc36
commit f1358acdc7
1 changed files with 1 additions and 1 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -2972,10 +2972,10 @@ check_signature:
 #if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
            if( !mbedtls_x509_time_is_past( &parent->valid_to ) &&
                !mbedtls_x509_time_is_future( &parent->valid_from ) )
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
            {
                parent_valid = 1;
            }
-#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */

            /* basic parenting skills (name, CA bit, key usage) */
            if( x509_crt_check_parent( child_sig, parent, top ) == 0 )