Fix embarrassing X.509 bug introduced in 9533765
This commit is contained in:
parent
95a0d118a9
commit
8c045ef8e4
2 changed files with 7 additions and 0 deletions
|
@ -8,6 +8,10 @@ Changes
|
|||
Security
|
||||
* Avoid potential timing leak in ecdsa_sign() by blinding modular division.
|
||||
(Found by Watson Ladd.)
|
||||
* The notAfter date of some certificates was no longer checked since 1.3.5.
|
||||
This affects certificates in the user-supplied chain except the top
|
||||
certificate. If the user-supplied chain contains only one certificates,
|
||||
it is not affected (ie, its notAfter date is properly checked).
|
||||
|
||||
Bugfix
|
||||
* The length of various ClientKeyExchange messages was not properly checked.
|
||||
|
|
|
@ -1647,6 +1647,9 @@ static int x509_crt_verify_child(
|
|||
x509_crt *grandparent;
|
||||
const md_info_t *md_info;
|
||||
|
||||
if( x509_time_expired( &child->valid_to ) )
|
||||
*flags |= BADCERT_EXPIRED;
|
||||
|
||||
if( x509_time_future( &child->valid_from ) )
|
||||
*flags |= BADCERT_FUTURE;
|
||||
|
||||
|
|
Loading…
Reference in a new issue