Merge branch 'iotssl-1071-ca-flags'

Fixes a regression introduced by an earlier commit that modified x509_crt_verify_top() to ensure that valid certificates that are after past or future valid in the chain are processed. However the change introduced a change in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the verification regardless of the cause. The fix maintains both behaviours: * Ensure that valid certificates after future and past are verified * Ensure that the correct verification flags are set.
2026-01-03 13:15:42 +01:00 · 2017-02-27 19:06:05 +00:00 · 2017-02-27 19:06:05 +00:00 · fc794ff2b7
commit fc794ff2b7
parent 0278a38f10 9f430c15d8
5 changed files with 88 additions and 12 deletions
--- a/5
+++ b/5
@ -13,6 +13,11 @@ Security
     Introduced by interoperability fix for #513.

 Bugfix
+   * Fix output certificate verification flags set by x509_crt_verify_top() when
+     traversing a chain of trusted CA. The issue would cause both flags,
+     MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
+     set when the verification conditions are not met regardless of the cause.
+     Found by Harm Verhagen and inestlerode. #665 #561
   * Fix the redefinition of macro ssl_set_bio to an undefined symbol
     mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
     Found by omlib-lin. #673