mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-02 19:14:14 +01:00
12 lines
704 B
Plaintext
12 lines
704 B
Plaintext
|
Security
|
||
|
* When checking X.509 CRLs, a certificate was only considered as revoked if
|
||
|
its revocationDate was in the past according to the local clock if
|
||
|
available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
|
||
|
certificates were never considered as revoked. On builds with
|
||
|
MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
|
||
|
example, an untrusted OS attacking a secure enclave) could prevent
|
||
|
revocation of certificates via CRLs. Fixed by no longer checking the
|
||
|
revocationDate field, in accordance with RFC 5280. Reported by
|
||
|
yuemonangong in #3340. Reported independently and fixed by
|
||
|
Raoul Strackx and Jethro Beekman in #3433.
|