Reject certs and CRLs from the future
diff --git a/library/x509parse.c b/library/x509parse.c
index 8de0d98..16b0149 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -3275,6 +3275,9 @@
if( x509parse_time_expired( &crl_list->next_update ) )
flags |= BADCRL_EXPIRED;
+ if( x509parse_time_future( &crl_list->this_update ) )
+ flags |= BADCRL_FUTURE;
+
/*
* Check if certificate is revoked
*/
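Review bot: The added `x509parse_time_future( &crl_list->this_update )` check shows no allowance for clock skew, so a freshly issued CRL from a CA whose clock runs slightly ahead of the verifier would be flagged `BADCRL_FUTURE`. The same applies on a device whose clock has not been set: the old expiry-only check passed everything when the clock was stuck in the past, whereas now every CRL (and, in the later hunks, every certificate) is marked not yet valid. Whether the comparison is exact is decided inside `x509parse_time_future`, which is not in this hunk, so that is worth confirming there. At minimum I would add a comment at the check, e.g. `/* this_update is after the current time: CRL is not yet valid */`, and mention the dependence on a correct clock in the release notes.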
@@ -3358,6 +3361,9 @@
if( x509parse_time_expired( &child->valid_to ) )
*flags |= BADCERT_EXPIRED;
+ if( x509parse_time_future( &child->valid_from ) )
+ *flags |= BADCERT_FUTURE;
+
/*
* Child is the top of the chain. Check against the trust_ca list.
*/
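Review bot: The expired/not-yet-valid pair added here for `child` is repeated verbatim in the hunk at -3459 and, with `trust_ca` and `ca_flags`, in the hunk at -3426, so the validity-window rule now lives in three places that can drift apart. A small `static` helper that returns the validity bits for one certificate would reduce each site to a single line such as `*flags |= x509_validity_flags( child );` (helper name is illustrative). It would also be the one place to add a skew tolerance later. The enclosing functions start and end outside these hunks, so I have not checked whether any site needs the two flags set at different points.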
@@ -3426,6 +3432,9 @@
if( x509parse_time_expired( &trust_ca->valid_to ) )
ca_flags |= BADCERT_EXPIRED;
+ if( x509parse_time_future( &trust_ca->valid_from ) )
+ ca_flags |= BADCERT_FUTURE;
+
if( NULL != f_vrfy )
{
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
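Review bot: `BADCERT_FUTURE` is now set in `ca_flags` before `f_vrfy` is called, so existing verification callbacks will start receiving a bit they were not written to handle. A callback that deliberately clears `BADCERT_EXPIRED` for a trust anchor will leave the new bit set, and one that only inspects the bits it knows will silently ignore it. The callback documentation should list the new flag, and a comment here would help, e.g. `/* the callback sees BADCERT_FUTURE and may clear it, as with BADCERT_EXPIRED */`. How `ca_flags` is folded into the caller's result after the callback returns is outside this hunk, so the effect on the final verdict should be checked there.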
@@ -3459,6 +3468,9 @@
if( x509parse_time_expired( &child->valid_to ) )
*flags |= BADCERT_EXPIRED;
+ if( x509parse_time_future( &child->valid_from ) )
+ *flags |= BADCERT_FUTURE;
+
hash_id = child->sig_alg;
x509_hash( child->tbs.p, child->tbs.len, hash_id, hash );