CVE-2020-36425: Always revoke certificate on CRL by raoulstrackx · Pull Request #3433 · Mbed-TLS/mbedtls
An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a revocationDate check when deciding whether to honor certificate revocation via a CRL. In some situations, an attacker can exploit this by changing the local clock.
Conversation
raoulstrackx added a commit to raoulstrackx/rust-mbedtls that referenced this pull request
Jun 16, 2020
A bug in the ARMmbed mbedtls library only revokes certificates when a time source is available. We temporarily disable the following test, until patch Mbed-TLS/mbedtls#3433 lands and we use the updated library
raoulstrackx changed the title from "When no time source available, always revoke certificate on CRL" to "Always revoke certificate on CRL"
Jun 16, 2020
mpg requested changes Jun 24, 2020
* A CRL’s “revocationDate” entry field is no longer checked to be in the
past. This brings the implementation in line with RFC 5280. Note that
this also is a security fix in environments where the local clock cannot
be trusted (e.g., in an Intel SGX enclave). Reported by Raoul Strackx &
mpg requested changes Jun 25, 2020
mpg added the needs-review label (Every commit must be reviewed by at least two team members)
Jun 25, 2020
mpg requested changes Jun 26, 2020
This was referenced
Aug 14, 2020
RFC5280 does not state that the `revocationDate` should be checked.
In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all.
https://tools.ietf.org/html/rfc5280
Signed-off-by: Raoul Strackx [email protected]
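As an added illustration (not Mbed TLS's own code), a cut-down model of the revoked-serial lookup before and after this PR: `model_time_is_past` stands in for `mbedtls_x509_time_is_past`, with `now_year <= 0` modelling a build without MBEDTLS_HAVE_TIME_DATE, and every struct, function and sample value here is hypothetical.

```c
#include <string.h>

/* Constructed stand-in for mbedtls_x509_time: only the year matters here. */
typedef struct { int year; } model_time;

typedef struct model_crl_entry {
    const unsigned char *serial;
    size_t serial_len;
    model_time revocation_date;
    const struct model_crl_entry *next;
} model_crl_entry;

/* Models mbedtls_x509_time_is_past(): when built without MBEDTLS_HAVE_TIME_DATE
 * the real function is a stub that always returns 0; here now_year <= 0 models
 * that "no time source" build. */
static int model_time_is_past(const model_time *to, int now_year)
{
    if (now_year <= 0)
        return 0; /* no clock: never "in the past", so never revoked */
    return now_year > to->year;
}

/* Pre-fix lookup: the CRL entry only counts if revocationDate is in the past,
 * so a missing or rolled-back clock silently un-revokes the certificate. */
int is_revoked_before_fix(const unsigned char *serial, size_t len,
                          const model_crl_entry *crl, int now_year)
{
    for (const model_crl_entry *cur = crl; cur != NULL; cur = cur->next) {
        if (cur->serial_len == len && memcmp(cur->serial, serial, len) == 0 &&
            model_time_is_past(&cur->revocation_date, now_year))
            return 1;
    }
    return 0;
}

/* Post-fix lookup (RFC 5280): a serial listed on the CRL is revoked, regardless
 * of the local clock. */
int is_revoked_after_fix(const unsigned char *serial, size_t len,
                         const model_crl_entry *crl)
{
    for (const model_crl_entry *cur = crl; cur != NULL; cur = cur->next) {
        if (cur->serial_len == len && memcmp(cur->serial, serial, len) == 0)
            return 1;
    }
    return 0;
}

/* Constructed sample CRL: one entry revoking serial 01 02, dated 2020. */
static const unsigned char sample_serial[] = { 0x01, 0x02 };
static const model_crl_entry sample_crl = { sample_serial, 2, { 2020 }, NULL };
```

With no time source (or a clock set before the revocationDate) the pre-fix lookup reports the listed serial as not revoked; the post-fix lookup reports it revoked in every case.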
mpg approved these changes Aug 17, 2020
mpg added the needs-review label (Every commit must be reviewed by at least two team members)
Aug 18, 2020