x509: do not tolerate invalid DER time

This effectively reverts !400 and ensures that we no longer tolerate invalid DER time. This complements the previous commit by Lili Quan and ensures we provide the --disable-strict-der-time backwards compatibility option. Resolves: #207 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2019-12-23 20:20:58 +0100
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2019-12-26 07:46:43 +0100
commit: 49d27a55031e72ade52984f5cd94e82e97b46228 (patch)
tree: 373f1d010011a93d7f246e79ce3de996d45d256a /lib/x509/common.h
parent: 58a45b8c2fbf2f0ff22e1c7c7762d0cb00855df9 (diff)
download: gnutls-49d27a55031e72ade52984f5cd94e82e97b46228.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 5bbbdfaebd..d36c263a58 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -279,10 +279,10 @@ int _gnutls_check_if_sorted(gnutls_x509_crt_t * crt, int nr);
 inline static int _asn1_strict_der_decode (asn1_node * element, const void *ider,
 		       int len, char *errorDescription)
 {
-#ifdef ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME
-# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER
-#else
+#if defined(STRICT_DER_TIME) || !defined(ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME)
 # define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_STRICT_DER
+#else
+# define _ASN1_DER_FLAGS (ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER)
 #endif
 	return asn1_der_decoding2(element, ider, &len, _ASN1_DER_FLAGS, errorDescription);
 }
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2019-12-23 20:20:58 +0100
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2019-12-26 07:46:43 +0100
commit	49d27a55031e72ade52984f5cd94e82e97b46228 (patch)
tree	373f1d010011a93d7f246e79ce3de996d45d256a /lib/x509/common.h
parent	58a45b8c2fbf2f0ff22e1c7c7762d0cb00855df9 (diff)
download	gnutls-49d27a55031e72ade52984f5cd94e82e97b46228.tar.gz