commit 9533765b252ed3f86adba4152c8900a86933ce96
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Mon Mar 10 13:15:18 2014 +0100
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Mar 13 19:25:06 2014 +0100
tree bb8bac3cd453efba408a74eeeb651b9eb36952fb
parent 6304f786e05bb57a63f9905e504376686a017357

Reject certs and CRLs from the future

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index d18e117..4668cdf 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1255,6 +1255,9 @@
         if( x509_time_expired( &crl_list->next_update ) )
             flags |= BADCRL_EXPIRED;
 
+        if( x509_time_future( &crl_list->this_update ) )
+            flags |= BADCRL_FUTURE;
+
         /*
          * Check if certificate is revoked
          */
@@ -1340,6 +1343,9 @@
     if( x509_time_expired( &child->valid_to ) )
         *flags |= BADCERT_EXPIRED;
 
+    if( x509_time_future( &child->valid_from ) )
+        *flags |= BADCERT_FUTURE;
+
     /*
      * Child is the top of the chain. Check against the trust_ca list.
      */
@@ -1420,6 +1426,9 @@
         if( x509_time_expired( &trust_ca->valid_to ) )
             ca_flags |= BADCERT_EXPIRED;
 
+        if( x509_time_future( &trust_ca->valid_from ) )
+            ca_flags |= BADCERT_FUTURE;
+
         if( NULL != f_vrfy )
         {
             if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
@@ -1451,8 +1460,8 @@
     x509_crt *grandparent;
     const md_info_t *md_info;
 
-    if( x509_time_expired( &child->valid_to ) )
-        *flags |= BADCERT_EXPIRED;
+    if( x509_time_future( &child->valid_from ) )
+        *flags |= BADCERT_FUTURE;
 
     md_info = md_info_from_type( child->sig_md );
     if( md_info == NULL )