From 8c045ef8e4a01177df2f76fa4040a951e42ae471 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 8 Apr 2014 11:55:03 +0200
Subject: [PATCH] Fix embarrassing X.509 bug introduced in 9533765
---
 ChangeLog | 4 ++++
 library/x509_crt.c | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 23f77629a..5fe77e4a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,10 @@ Changes
 Security
 * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
 (Found by Watson Ladd.)
+ * The notAfter date of some certificates was no longer checked since 1.3.5.
+ This affects certificates in the user-supplied chain except the top
+ certificate. If the user-supplied chain contains only one certificates,
+ it is not affected (ie, its notAfter date is properly checked).
 Bugfix
 * The length of various ClientKeyExchange messages was not properly checked.
diff --git a/library/x509_crt.c b/library/x509_crt.c
index d4ef82ef3..d9f25edf1 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1647,6 +1647,9 @@ static int x509_crt_verify_child(
 x509_crt *grandparent;
 const md_info_t *md_info;
+ if( x509_time_expired( &child->valid_to ) )
+ *flags |= BADCERT_EXPIRED;
+
 if( x509_time_future( &child->valid_from ) )
 *flags |= BADCERT_FUTURE;
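Review bot: The restored `x509_time_expired( &child->valid_to )` check in x509_crt_verify_child has nothing protecting it from being dropped again: the diffstat touches only ChangeLog and library/x509_crt.c, so no test covers a multi-certificate chain whose non-top certificate is past notAfter. The ChangeLog entry says the check has been silently missing since 1.3.5, so a regression case asserting `BADCERT_EXPIRED` for such a chain, with a matching `BADCERT_FUTURE` case, would catch a repeat. I would also put a short comment above the two checks, e.g. `/* Validity period is checked for every child here; keep both checks when refactoring */`. The body of x509_crt_verify_child starts and ends outside the hunk, so whether later code can clear or overwrite `*flags` cannot be confirmed from here.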