From 35c681a1695c265cfb82b8dfd77e6994102e18a1 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 17 Feb 2017 11:33:56 +0100
Subject: x509/time: refuse importing certificates with invalid Time fields

That will refuse to import certificates which their time field is not in GMT, or contain fractional seconds.

Resolves: #169

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/x509/x509.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 07e8be08c7..a96e23c770 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -451,6 +451,14 @@ int _gnutls_check_cert_sanity(gnutls_x509_crt_t cert)
 }
 }

+ if (gnutls_x509_crt_get_expiration_time(cert) == -1 ||
+ gnutls_x509_crt_get_activation_time(cert) == -1) {
+ gnutls_assert();
+ _gnutls_debug_log("error: invalid expiration or activation time in certificate\n");
+ result = GNUTLS_E_X509_CERTIFICATE_ERROR;
+ goto cleanup;
+ }
+
 result = 0;

 cleanup:
-- 
cgit v1.2.1
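Review bot: Nothing in the added block of _gnutls_check_cert_sanity() says why -1 means an invalid Time field, and the rejection of non-GMT or fractional-second values depends entirely on the parser behind the two getters, which this patch neither changes nor shows. A short comment above the `if` would record that contract, e.g. `/* the time getters return (time_t)-1 when the Time field cannot be parsed; refuse such certificates at import */`. Since -1 is presumably also what the getters return for any other failure, the debug message could name which of the two fields failed, so that rejected imports are easier to triage. The diffstat lists only lib/x509/x509.c, so unless a test lands separately, a regression test that imports a certificate with a non-GMT or fractional-seconds time would pin the behaviour. The function body starts and ends outside the hunk.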