yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-06-07 05:46:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug in MBEDTLS_X509_CRT_REMOVE_TIME

Browse source 
When looking for a parent, all candidates were considered time-invalid due to
the #ifdef incorrectly including the `parent_valid = 1` line.

When MBEDTLS_HAVE_TIME_DATE is unset the time-validity of certificates is
never checked and always treated as valid. This is usually achieved by proper
usage of mbedtls_x509_time_is_past() and mbedtls_x509_time_is_future() (and
their definition when we don't HAVE_TIME_DATE).

Here the calls to these functions needs to be guarded by
MBEDTLS_X509_CRT_REMOVE_TIME as they access struct members whose presence is
controlled by this option. But the "valid" branch should still always be taken.

(Note: MBEDTLS_X509_CRT_REMOVE_TIME being set forces MBEDTLS_HAVE_TIME_DATE to
be unset, as enforce by check_config.h.)

This bug was found by `all.sh test_baremetal` - no need for a new test.
This commit is contained in:
Manuel Pégourié-Gonnard 2019-07-30 16:03:06 +02:00
parent 80eaddfc36
commit f1358acdc7
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
library/x509_crt.c
View file

@ -2972,10 +2972,10 @@ check_signature:
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) #if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
if( !mbedtls_x509_time_is_past( &parent->valid_to ) && if( !mbedtls_x509_time_is_past( &parent->valid_to ) &&
!mbedtls_x509_time_is_future( &parent->valid_from ) ) !mbedtls_x509_time_is_future( &parent->valid_from ) )
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
{ {
parent_valid = 1; parent_valid = 1;
} }
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
/* basic parenting skills (name, CA bit, key usage) */ /* basic parenting skills (name, CA bit, key usage) */
if( x509_crt_check_parent( child_sig, parent, top ) == 0 ) if( x509_crt_check_parent( child_sig, parent, top ) == 0 )