[OA-14] mbedTLS: relax x509 date/time format check

some CA provides certificates that do not fully follow the RFC in terms of date format. This patch relaxes the constrains in mbedTLS so that also not sully compliant certificates can be accepted. Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2024-09-20 04:02:15 +02:00 · 2017-11-03 12:09:48 +08:00 · 2017-11-03 12:09:48 +08:00 · 19e33c4ebe
commit 19e33c4ebe
parent f3cf64516f
2 changed files with 48 additions and 1 deletions
--- a/deps/mbedtls/build-mbedtls
+++ b/deps/mbedtls/build-mbedtls
@ -31,6 +31,11 @@ else

    # enable MD4 (needed for NTLM auth)
    perl -pi -e 's/^\/\/// if /#define MBEDTLS_MD4_C/' include/mbedtls/config.h
+
+    # apply pre-generated patches
+    for file in $O3/core/deps/mbedtls/patches/*.patch; do
+        patch -p1 <$file
+    done
 fi

 # compiler vars
@ -48,7 +53,8 @@ SRC=$(pwd)
 cd library
 rm -f *.o
 for c in *.c ; do
-    CMD="$CC -I../include $PLATFORM_FLAGS $OTHER_COMPILER_FLAGS $LIB_OPT_LEVEL $LIB_FPIC -c $c"
+    CMD="$CC -I../include -DMBEDTLS_RELAXED_X509_DATE \
+         $PLATFORM_FLAGS $OTHER_COMPILER_FLAGS $LIB_OPT_LEVEL $LIB_FPIC -c $c"
    echo $CMD
    $CMD
 done
--- a/deps/mbedtls/patches/0001-mbedtls-relaxed-x509-date-format.patch
+++ b/deps/mbedtls/patches/0001-mbedtls-relaxed-x509-date-format.patch
@ -0,0 +1,41 @@
+diff -urw mbedtls-2.6.0.orig/library/x509.c mbedtls-2.6.0/library/x509.c
+--- mbedtls-2.6.0.orig/library/x509.c	2017-11-03 11:46:21.403848065 +0800
+++ mbedtls-2.6.0/library/x509.c	2017-11-03 11:58:46.259817520 +0800
+@@ -559,13 +559,20 @@
+     /*
+      * Parse seconds if present
+      */
+-    if ( len >= 2 )
+    if ( len >= 2 && **p >= '0' && **p <= '9' )
+     {
+         CHECK( x509_parse_int( p, 2, &tm->sec ) );
+         len -= 2;
+     }
+     else
+    {
+#if defined(MBEDTLS_RELAXED_X509_DATE)
+	/* if relaxed mode, allow seconds to be absent */
+	tm->sec = 0;
+#else
+         return ( MBEDTLS_ERR_X509_INVALID_DATE );
+#endif
+    }
+ 
+     /*
+      * Parse trailing 'Z' if present
+@@ -575,6 +582,15 @@
+         (*p)++;
+         len--;
+     }
+#if defined(MBEDTLS_RELAXED_X509_DATE)
+    else if ( len == 5 && **p == '+' )
+    {
+	int tz; /* throwaway timezone */
+	(*p)++;
+	CHECK( x509_parse_int( p, 4, &tz ) );
+	return 0;
+    }
+#endif
+ 
+     /*
+      * We should have parsed all characters at this point