From c00cceaa3f4cb953ab6fb73ed5a5f5e3cedabe85 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 7 Jun 2019 17:03:40 +0100 Subject: [PATCH 1/2] Move def'n of X.509 time-verif funcs to hdr if no time available --- include/mbedtls/x509.h | 16 ++++++++++++++++ library/x509.c | 16 +--------------- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index b69dd71ad..c31847d92 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -250,6 +250,7 @@ int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn ); */ int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial ); +#if defined(MBEDTLS_HAVE_TIME_DATE) /** * \brief Check a given mbedtls_x509_time against the system time * and tell if it's in the past. @@ -277,6 +278,7 @@ int mbedtls_x509_time_is_past( const mbedtls_x509_time *to ); * 0 otherwise. */ int mbedtls_x509_time_is_future( const mbedtls_x509_time *from ); +#endif /* MBEDTLS_HAVE_TIME_DATE */ /** * \brief Free a dynamic linked list presentation of an X.509 name @@ -301,6 +303,20 @@ static inline void mbedtls_x509_sequence_free( mbedtls_x509_sequence *seq ) mbedtls_asn1_sequence_free( (mbedtls_asn1_sequence*) seq ); } +#if !defined(MBEDTLS_HAVE_TIME_DATE) +static inline int mbedtls_x509_time_is_past( const mbedtls_x509_time *to ) +{ + ((void) to); + return( 0 ); +} + +static inline int mbedtls_x509_time_is_future( const mbedtls_x509_time *from ) +{ + ((void) from); + return( 0 ); +} +#endif /* !MBEDTLS_HAVE_TIME_DATE */ + #if defined(MBEDTLS_SELF_TEST) /** diff --git a/library/x509.c b/library/x509.c index 0d2b9efab..a6c658479 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1192,21 +1192,7 @@ int mbedtls_x509_time_is_future( const mbedtls_x509_time *from ) return( x509_check_time( from, &now ) ); } - -#else /* MBEDTLS_HAVE_TIME_DATE */ - -int mbedtls_x509_time_is_past( const mbedtls_x509_time *to ) -{ - ((void) to); - return( 0 ); -} - -int mbedtls_x509_time_is_future( const mbedtls_x509_time *from ) -{ - ((void) from); - return( 0 ); -} -#endif /* MBEDTLS_HAVE_TIME_DATE */ +#endif /* MBEDTLS_HAVE_TIME_DATE */ void mbedtls_x509_name_free( mbedtls_x509_name *name ) { From 6f61b7bb5c26b91d175edaf6e6378210bc10bb5d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 10 Jun 2019 11:12:33 +0100 Subject: [PATCH 2/2] Remove 'CRT fallback' during X.509 CRT verification if !TIME_DATE --- include/mbedtls/x509_crt.h | 3 +++ library/x509_crt.c | 25 +++++++++++++++++++++++-- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 3eee460fb..5212e6795 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -235,8 +235,11 @@ typedef struct /* for find_parent_in() */ mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */ + +#if defined(MBEDTLS_HAVE_TIME_DATE) mbedtls_x509_crt *fallback_parent; int fallback_signature_is_good; +#endif /* MBEDTLS_HAVE_TIME_DATE */ /* for find_parent() */ int parent_is_trusted; /* -1 if find_parent is not in progress */ diff --git a/library/x509_crt.c b/library/x509_crt.c index eb3ee990b..24ef0e655 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2844,8 +2844,13 @@ static int x509_crt_find_parent_in( mbedtls_x509_crt_restart_ctx *rs_ctx ) { int ret; - mbedtls_x509_crt *parent_crt, *fallback_parent; - int signature_is_good, fallback_signature_is_good; + mbedtls_x509_crt *parent_crt; + int signature_is_good; + +#if defined(MBEDTLS_HAVE_TIME_DATE) + mbedtls_x509_crt *fallback_parent; + int fallback_signature_is_good; +#endif /* MBEDTLS_HAVE_TIME_DATE */ #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) /* did we have something in progress? */ @@ -2853,21 +2858,27 @@ static int x509_crt_find_parent_in( { /* restore saved state */ parent_crt = rs_ctx->parent; +#if defined(MBEDTLS_HAVE_TIME_DATE) fallback_parent = rs_ctx->fallback_parent; fallback_signature_is_good = rs_ctx->fallback_signature_is_good; +#endif /* MBEDTLS_HAVE_TIME_DATE */ /* clear saved state */ rs_ctx->parent = NULL; +#if defined(MBEDTLS_HAVE_TIME_DATE) rs_ctx->fallback_parent = NULL; rs_ctx->fallback_signature_is_good = 0; +#endif /* MBEDTLS_HAVE_TIME_DATE */ /* resume where we left */ goto check_signature; } #endif +#if defined(MBEDTLS_HAVE_TIME_DATE) fallback_parent = NULL; fallback_signature_is_good = 0; +#endif /* MBEDTLS_HAVE_TIME_DATE */ for( parent_crt = candidates; parent_crt != NULL; parent_crt = parent_crt->next ) @@ -2918,8 +2929,10 @@ check_signature: { /* save state */ rs_ctx->parent = parent_crt; +#if defined(MBEDTLS_HAVE_TIME_DATE) rs_ctx->fallback_parent = fallback_parent; rs_ctx->fallback_signature_is_good = fallback_signature_is_good; +#endif /* MBEDTLS_HAVE_TIME_DATE */ return( ret ); } @@ -2934,11 +2947,13 @@ check_signature: /* optional time check */ if( !parent_valid ) { +#if defined(MBEDTLS_HAVE_TIME_DATE) if( fallback_parent == NULL ) { fallback_parent = parent_crt; fallback_signature_is_good = signature_is_good; } +#endif /* MBEDTLS_HAVE_TIME_DATE */ continue; } @@ -2953,8 +2968,12 @@ check_signature: } else { +#if defined(MBEDTLS_HAVE_TIME_DATE) *r_parent = fallback_parent; *r_signature_is_good = fallback_signature_is_good; +#else /* MBEDTLS_HAVE_TIME_DATE */ + *r_parent = NULL; +#endif /* !MBEDTLS_HAVE_TIME_DATE */ } return( 0 ); @@ -3643,8 +3662,10 @@ void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx ) mbedtls_pk_restart_init( &ctx->pk ); ctx->parent = NULL; +#if defined(MBEDTLS_HAVE_TIME_DATE) ctx->fallback_parent = NULL; ctx->fallback_signature_is_good = 0; +#endif /* MBEDTLS_HAVE_TIME_DATE */ ctx->parent_is_trusted = -1;