From 416dc034670a539b170caa09dfbc066c15842c9a Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Thu, 30 Jun 2022 00:38:53 -0400 Subject: [PATCH 1/9] mbedtls_x509_time_cmp() compare mbedtls_x509_time Signed-off-by: Glenn Strauss --- ChangeLog.d/mbedtls_x509_time.txt | 2 + include/mbedtls/x509.h | 12 +++++ library/x509.c | 77 +++++++++++-------------------- 3 files changed, 42 insertions(+), 49 deletions(-) create mode 100644 ChangeLog.d/mbedtls_x509_time.txt diff --git a/ChangeLog.d/mbedtls_x509_time.txt b/ChangeLog.d/mbedtls_x509_time.txt new file mode 100644 index 000000000..3eacc29a1 --- /dev/null +++ b/ChangeLog.d/mbedtls_x509_time.txt @@ -0,0 +1,2 @@ +Features + * Improve mbedtls_x509_time performance and reduce memory use. diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index df6d7623a..ac8ff9ad3 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -366,6 +366,18 @@ static inline mbedtls_x509_name *mbedtls_x509_dn_get_next( */ int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial); +/** + * \brief Compare pair of mbedtls_x509_time. + * + * \param t1 mbedtls_x509_time to compare + * \param t2 mbedtls_x509_time to compare + * + * \return < 0 if t1 is before t2 + * 0 if t1 equals t2 + * > 0 if t1 is after t2 + */ +int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2); + /** * \brief Check a given mbedtls_x509_time against the system time * and tell if it's in the past. diff --git a/library/x509.c b/library/x509.c index 6e16c4c27..031a3f0e3 100644 --- a/library/x509.c +++ b/library/x509.c @@ -994,6 +994,32 @@ int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name) return 0; } +int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, + const mbedtls_x509_time *t2) +{ + if (t1->year != t2->year) { + return t1->year - t2->year; + } + + if (t1->mon != t2->mon) { + return t1->mon - t2->mon; + } + + if (t1->day != t2->day) { + return t1->day - t2->day; + } + + if (t1->hour != t2->hour) { + return t1->hour - t2->hour; + } + + if (t1->min != t2->min) { + return t1->min - t2->min; + } + + return t1->sec - t2->sec; +} + #if defined(MBEDTLS_HAVE_TIME_DATE) /* * Set the time structure to the current time. @@ -1022,53 +1048,6 @@ static int x509_get_current_time(mbedtls_x509_time *now) return ret; } -/* - * Return 0 if before <= after, 1 otherwise - */ -static int x509_check_time(const mbedtls_x509_time *before, const mbedtls_x509_time *after) -{ - if (before->year > after->year) { - return 1; - } - - if (before->year == after->year && - before->mon > after->mon) { - return 1; - } - - if (before->year == after->year && - before->mon == after->mon && - before->day > after->day) { - return 1; - } - - if (before->year == after->year && - before->mon == after->mon && - before->day == after->day && - before->hour > after->hour) { - return 1; - } - - if (before->year == after->year && - before->mon == after->mon && - before->day == after->day && - before->hour == after->hour && - before->min > after->min) { - return 1; - } - - if (before->year == after->year && - before->mon == after->mon && - before->day == after->day && - before->hour == after->hour && - before->min == after->min && - before->sec > after->sec) { - return 1; - } - - return 0; -} - int mbedtls_x509_time_is_past(const mbedtls_x509_time *to) { mbedtls_x509_time now; @@ -1077,7 +1056,7 @@ int mbedtls_x509_time_is_past(const mbedtls_x509_time *to) return 1; } - return x509_check_time(&now, to); + return mbedtls_x509_time_cmp(to, &now) < 0; } int mbedtls_x509_time_is_future(const mbedtls_x509_time *from) @@ -1088,7 +1067,7 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from) return 1; } - return x509_check_time(from, &now); + return mbedtls_x509_time_cmp(from, &now) > 0; } #else /* MBEDTLS_HAVE_TIME_DATE */ From 5aef2971e659ee5f6a7362a7cda3290e07c501cd Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Thu, 30 Jun 2022 04:38:02 -0400 Subject: [PATCH 2/9] mbedtls_x509_time_cmp() perf faster comparison of mbedtls_x509_time values with valid ranges per elt Signed-off-by: Glenn Strauss --- library/x509.c | 28 +++++++++------------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/library/x509.c b/library/x509.c index 031a3f0e3..ba800377c 100644 --- a/library/x509.c +++ b/library/x509.c @@ -997,27 +997,17 @@ int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name) int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2) { - if (t1->year != t2->year) { - return t1->year - t2->year; + int x; + + x = (((t1->year << 9) | (t1->mon << 5) | (t1->day)) - + ((t2->year << 9) | (t2->mon << 5) | (t2->day))); + if (x != 0) { + return x; } - if (t1->mon != t2->mon) { - return t1->mon - t2->mon; - } - - if (t1->day != t2->day) { - return t1->day - t2->day; - } - - if (t1->hour != t2->hour) { - return t1->hour - t2->hour; - } - - if (t1->min != t2->min) { - return t1->min - t2->min; - } - - return t1->sec - t2->sec; + x = (((t1->hour << 12) | (t1->min << 6) | (t1->sec)) - + ((t2->hour << 12) | (t2->min << 6) | (t2->sec))); + return x; } #if defined(MBEDTLS_HAVE_TIME_DATE) From 61d99304daf501fb1aed23960905447190b8bcd4 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Thu, 30 Jun 2022 05:25:56 -0400 Subject: [PATCH 3/9] mbedtls_x509_time_gmtime() to fill struct w/ time Signed-off-by: Glenn Strauss --- include/mbedtls/x509.h | 13 +++++++++++++ library/x509.c | 13 ++++++------- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index ac8ff9ad3..ef6b098f2 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -378,6 +378,19 @@ int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *ser */ int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2); +#if defined(MBEDTLS_HAVE_TIME_DATE) +/** + * \brief Fill mbedtls_x509_time with provided mbedtls_time_t. + * + * \param tt mbedtls_time_t to convert + * \param now mbedtls_x509_time to fill with converted mbedtls_time_t + * + * \return \c 0 on success + * \return A non-zero return value on failure. + */ +int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now); +#endif /* MBEDTLS_HAVE_TIME_DATE */ + /** * \brief Check a given mbedtls_x509_time against the system time * and tell if it's in the past. diff --git a/library/x509.c b/library/x509.c index ba800377c..2e58462b8 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1011,17 +1011,11 @@ int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, } #if defined(MBEDTLS_HAVE_TIME_DATE) -/* - * Set the time structure to the current time. - * Return 0 on success, non-zero on failure. - */ -static int x509_get_current_time(mbedtls_x509_time *now) +int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now) { struct tm *lt, tm_buf; - mbedtls_time_t tt; int ret = 0; - tt = mbedtls_time(NULL); lt = mbedtls_platform_gmtime_r(&tt, &tm_buf); if (lt == NULL) { @@ -1038,6 +1032,11 @@ static int x509_get_current_time(mbedtls_x509_time *now) return ret; } +static int x509_get_current_time(mbedtls_x509_time *now) +{ + return mbedtls_x509_time_gmtime(mbedtls_time(NULL), now); +} + int mbedtls_x509_time_is_past(const mbedtls_x509_time *to) { mbedtls_x509_time now; From 811eeb21d8c37311b6441bb14735fb77de0caa9c Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Thu, 30 Jun 2022 05:28:50 -0400 Subject: [PATCH 4/9] mbedtls_x509_time_gmtime() read struct directly Signed-off-by: Glenn Strauss --- library/x509.c | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/library/x509.c b/library/x509.c index 2e58462b8..567299690 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1013,23 +1013,19 @@ int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, #if defined(MBEDTLS_HAVE_TIME_DATE) int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now) { - struct tm *lt, tm_buf; - int ret = 0; + struct tm tm; - lt = mbedtls_platform_gmtime_r(&tt, &tm_buf); - - if (lt == NULL) { - ret = -1; - } else { - now->year = lt->tm_year + 1900; - now->mon = lt->tm_mon + 1; - now->day = lt->tm_mday; - now->hour = lt->tm_hour; - now->min = lt->tm_min; - now->sec = lt->tm_sec; + if (mbedtls_platform_gmtime_r(&tt, &tm) == NULL) { + return -1; } - return ret; + now->year = tm.tm_year + 1900; + now->mon = tm.tm_mon + 1; + now->day = tm.tm_mday; + now->hour = tm.tm_hour; + now->min = tm.tm_min; + now->sec = tm.tm_sec; + return 0; } static int x509_get_current_time(mbedtls_x509_time *now) From 4b2a6e8df3f9a79baf90ae1387076136d07b4a26 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Thu, 30 Jun 2022 12:17:58 -0400 Subject: [PATCH 5/9] Reuse time when verifying certificate chain Replace mbedtls_x509_time_is_past(), mbedtls_x509_time_is_future() Signed-off-by: Glenn Strauss --- ChangeLog.d/mbedtls_x509_time.txt | 1 + library/x509_crt.c | 45 ++++++++++++++++++++++--------- 2 files changed, 34 insertions(+), 12 deletions(-) diff --git a/ChangeLog.d/mbedtls_x509_time.txt b/ChangeLog.d/mbedtls_x509_time.txt index 3eacc29a1..557f1910d 100644 --- a/ChangeLog.d/mbedtls_x509_time.txt +++ b/ChangeLog.d/mbedtls_x509_time.txt @@ -1,2 +1,3 @@ Features * Improve mbedtls_x509_time performance and reduce memory use. + * Reduce syscalls to time() during certificate verification. diff --git a/library/x509_crt.c b/library/x509_crt.c index 9b3414a49..43e1aa280 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2021,7 +2021,8 @@ int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_ */ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, mbedtls_x509_crl *crl_list, - const mbedtls_x509_crt_profile *profile) + const mbedtls_x509_crt_profile *profile, + const mbedtls_x509_time *now) { int flags = 0; unsigned char hash[MBEDTLS_MD_MAX_SIZE]; @@ -2099,16 +2100,20 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, break; } +#if defined(MBEDTLS_HAVE_TIME_DATE) /* * Check for validity of CRL (Do not drop out) */ - if (mbedtls_x509_time_is_past(&crl_list->next_update)) { + if (mbedtls_x509_time_cmp(&crl_list->next_update, now) < 0) { flags |= MBEDTLS_X509_BADCRL_EXPIRED; } - if (mbedtls_x509_time_is_future(&crl_list->this_update)) { + if (mbedtls_x509_time_cmp(&crl_list->this_update, now) > 0) { flags |= MBEDTLS_X509_BADCRL_FUTURE; } +#else + ((void) now); +#endif /* * Check if certificate is revoked @@ -2266,7 +2271,8 @@ static int x509_crt_find_parent_in( int top, unsigned path_cnt, unsigned self_cnt, - mbedtls_x509_crt_restart_ctx *rs_ctx) + mbedtls_x509_crt_restart_ctx *rs_ctx, + const mbedtls_x509_time *now) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_x509_crt *parent, *fallback_parent; @@ -2329,9 +2335,10 @@ check_signature: continue; } +#if defined(MBEDTLS_HAVE_TIME_DATE) /* optional time check */ - if (mbedtls_x509_time_is_past(&parent->valid_to) || - mbedtls_x509_time_is_future(&parent->valid_from)) { + if (mbedtls_x509_time_cmp(&parent->valid_to, now) < 0 || /* past */ + mbedtls_x509_time_cmp(&parent->valid_from, now) > 0) { /* future */ if (fallback_parent == NULL) { fallback_parent = parent; fallback_signature_is_good = signature_is_good; @@ -2339,6 +2346,9 @@ check_signature: continue; } +#else + ((void) now); +#endif *r_parent = parent; *r_signature_is_good = signature_is_good; @@ -2384,7 +2394,8 @@ static int x509_crt_find_parent( int *signature_is_good, unsigned path_cnt, unsigned self_cnt, - mbedtls_x509_crt_restart_ctx *rs_ctx) + mbedtls_x509_crt_restart_ctx *rs_ctx, + const mbedtls_x509_time *now) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_x509_crt *search_list; @@ -2405,7 +2416,7 @@ static int x509_crt_find_parent( ret = x509_crt_find_parent_in(child, search_list, parent, signature_is_good, *parent_is_trusted, - path_cnt, self_cnt, rs_ctx); + path_cnt, self_cnt, rs_ctx, now); #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { @@ -2526,6 +2537,13 @@ static int x509_crt_verify_chain( int signature_is_good; unsigned self_cnt; mbedtls_x509_crt *cur_trust_ca = NULL; + mbedtls_x509_time now; + +#if defined(MBEDTLS_HAVE_TIME_DATE) + if (mbedtls_x509_time_gmtime(mbedtls_time(NULL), &now) != 0) { + return MBEDTLS_ERR_X509_FATAL_ERROR; + } +#endif #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) /* resume if we had an operation in progress */ @@ -2556,14 +2574,16 @@ static int x509_crt_verify_chain( ver_chain->len++; flags = &cur->flags; +#if defined(MBEDTLS_HAVE_TIME_DATE) /* Check time-validity (all certificates) */ - if (mbedtls_x509_time_is_past(&child->valid_to)) { + if (mbedtls_x509_time_cmp(&child->valid_to, &now) < 0) { *flags |= MBEDTLS_X509_BADCERT_EXPIRED; } - if (mbedtls_x509_time_is_future(&child->valid_from)) { + if (mbedtls_x509_time_cmp(&child->valid_from, &now) > 0) { *flags |= MBEDTLS_X509_BADCERT_FUTURE; } +#endif /* Stop here for trusted roots (but not for trusted EE certs) */ if (child_is_trusted) { @@ -2614,7 +2634,8 @@ find_parent: /* Look for a parent in trusted CAs or up the chain */ ret = x509_crt_find_parent(child, cur_trust_ca, &parent, &parent_is_trusted, &signature_is_good, - ver_chain->len - 1, self_cnt, rs_ctx); + ver_chain->len - 1, self_cnt, rs_ctx, + &now); #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { @@ -2663,7 +2684,7 @@ find_parent: #if defined(MBEDTLS_X509_CRL_PARSE_C) /* Check trusted CA's CRL for the given crt */ - *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile); + *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile, &now); #else (void) ca_crl; #endif From 06c31fcd9f69c39584111f056b82edc7e177259d Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Thu, 30 Jun 2022 13:07:55 -0400 Subject: [PATCH 6/9] x509_parse_time() perf Signed-off-by: Glenn Strauss --- library/x509.c | 139 +++++++++++++++++++------------------------------ 1 file changed, 54 insertions(+), 85 deletions(-) diff --git a/library/x509.c b/library/x509.c index 567299690..63dbd3a01 100644 --- a/library/x509.c +++ b/library/x509.c @@ -565,117 +565,79 @@ error: return ret; } -static int x509_parse_int(unsigned char **p, size_t n, int *res) +static int x509_date_is_valid(const mbedtls_x509_time *t) { - *res = 0; - - for (; n > 0; --n) { - if ((**p < '0') || (**p > '9')) { + unsigned int d; + switch (t->mon) { + case 1: case 3: case 5: case 7: case 8: case 10: case 12: + d = 31; + break; + case 4: case 6: case 9: case 11: + d = 30; + break; + case 2: + d = (unsigned int) t->year; + d = ((d & 3) || (!(d % 100) && (d % 400))) ? 28 : 29; + break; + default: return MBEDTLS_ERR_X509_INVALID_DATE; - } + } - *res *= 10; - *res += (*(*p)++ - '0'); + if ((unsigned int) (t->day - 1) >= d || /*(1 - days in month)*/ + /*(unsigned int)( t->mon - 1 ) >= 12 ||*//*(1 - 12) checked above*/ + (unsigned int) t->year > 9999 || /*(0 - 9999)*/ + (unsigned int) t->hour > 23 || /*(0 - 23)*/ + (unsigned int) t->min > 59 || /*(0 - 59)*/ + (unsigned int) t->sec > 59) { /*(0 - 59)*/ + return MBEDTLS_ERR_X509_INVALID_DATE; } return 0; } -static int x509_date_is_valid(const mbedtls_x509_time *t) +static int x509_parse2_int(const unsigned char *p) { - int ret = MBEDTLS_ERR_X509_INVALID_DATE; - int month_len; - - CHECK_RANGE(0, 9999, t->year); - CHECK_RANGE(0, 23, t->hour); - CHECK_RANGE(0, 59, t->min); - CHECK_RANGE(0, 59, t->sec); - - switch (t->mon) { - case 1: case 3: case 5: case 7: case 8: case 10: case 12: - month_len = 31; - break; - case 4: case 6: case 9: case 11: - month_len = 30; - break; - case 2: - if ((!(t->year % 4) && t->year % 100) || - !(t->year % 400)) { - month_len = 29; - } else { - month_len = 28; - } - break; - default: - return ret; - } - CHECK_RANGE(1, month_len, t->day); - - return 0; + uint32_t d1 = p[0] - '0'; + uint32_t d2 = p[1] - '0'; + return (d1 < 10 && d2 < 10) ? (int) (d1 * 10 + d2) : -1; } /* * Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4) * field. */ -static int x509_parse_time(unsigned char **p, size_t len, size_t yearlen, - mbedtls_x509_time *tm) +static int x509_parse_time(const unsigned char *p, mbedtls_x509_time *tm, + size_t yearlen) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int x; /* - * Minimum length is 10 or 12 depending on yearlen + * Parse year, month, day, hour, minute, second */ - if (len < yearlen + 8) { + tm->year = x509_parse2_int(p); + if (tm->year < 0) { return MBEDTLS_ERR_X509_INVALID_DATE; } - len -= yearlen + 8; - /* - * Parse year, month, day, hour, minute - */ - CHECK(x509_parse_int(p, yearlen, &tm->year)); - if (2 == yearlen) { - if (tm->year < 50) { - tm->year += 100; + if (4 == yearlen) { + x = tm->year * 100; + p += 2; + tm->year = x509_parse2_int(p); + if (tm->year < 0) { + return MBEDTLS_ERR_X509_INVALID_DATE; } - - tm->year += 1900; - } - - CHECK(x509_parse_int(p, 2, &tm->mon)); - CHECK(x509_parse_int(p, 2, &tm->day)); - CHECK(x509_parse_int(p, 2, &tm->hour)); - CHECK(x509_parse_int(p, 2, &tm->min)); - - /* - * Parse seconds if present - */ - if (len >= 2) { - CHECK(x509_parse_int(p, 2, &tm->sec)); - len -= 2; } else { - return MBEDTLS_ERR_X509_INVALID_DATE; + x = (tm->year < 50) ? 2000 : 1900; } + tm->year += x; - /* - * Parse trailing 'Z' if present - */ - if (1 == len && 'Z' == **p) { - (*p)++; - len--; - } + tm->mon = x509_parse2_int(p + 2); + tm->day = x509_parse2_int(p + 4); + tm->hour = x509_parse2_int(p + 6); + tm->min = x509_parse2_int(p + 8); + tm->sec = x509_parse2_int(p + 10); - /* - * We should have parsed all characters at this point - */ - if (0 != len) { - return MBEDTLS_ERR_X509_INVALID_DATE; - } - - CHECK(x509_date_is_valid(tm)); - - return 0; + return x509_date_is_valid(tm); } /* @@ -713,7 +675,14 @@ int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end, return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE, ret); } - return x509_parse_time(p, len, year_len, tm); + /* len is 12 or 14 depending on year_len, plus optional trailing 'Z' */ + if (len != year_len + 10 && + !(len == year_len + 11 && (*p)[(len - 1)] == 'Z')) { + return MBEDTLS_ERR_X509_INVALID_DATE; + } + + (*p) += len; + return x509_parse_time(*p - len, tm, year_len); } int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig) From cdf5283dadf394e657daaeab296618a19d8657eb Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 5 Jul 2023 09:58:03 +0100 Subject: [PATCH 7/9] Rename variables to more descriptive names Signed-off-by: David Horstmann --- library/x509.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/library/x509.c b/library/x509.c index 63dbd3a01..d72a0c5c6 100644 --- a/library/x509.c +++ b/library/x509.c @@ -567,23 +567,26 @@ error: static int x509_date_is_valid(const mbedtls_x509_time *t) { - unsigned int d; + unsigned int month_days; + unsigned int year; switch (t->mon) { case 1: case 3: case 5: case 7: case 8: case 10: case 12: - d = 31; + month_days = 31; break; case 4: case 6: case 9: case 11: - d = 30; + month_days = 30; break; case 2: - d = (unsigned int) t->year; - d = ((d & 3) || (!(d % 100) && (d % 400))) ? 28 : 29; + year = (unsigned int) t->year; + month_days = ((year & 3) || (!(year % 100) + && (year % 400))) + ? 28 : 29; break; default: return MBEDTLS_ERR_X509_INVALID_DATE; } - if ((unsigned int) (t->day - 1) >= d || /*(1 - days in month)*/ + if ((unsigned int) (t->day - 1) >= month_days || /*(1 - days in month)*/ /*(unsigned int)( t->mon - 1 ) >= 12 ||*//*(1 - 12) checked above*/ (unsigned int) t->year > 9999 || /*(0 - 9999)*/ (unsigned int) t->hour > 23 || /*(0 - 23)*/ From b1d27bcd69b56276ab5b40bc0b73df14e00897a9 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 5 Jul 2023 10:00:31 +0100 Subject: [PATCH 8/9] Improve comment formatting Signed-off-by: David Horstmann --- library/x509.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/library/x509.c b/library/x509.c index d72a0c5c6..46990a793 100644 --- a/library/x509.c +++ b/library/x509.c @@ -586,12 +586,12 @@ static int x509_date_is_valid(const mbedtls_x509_time *t) return MBEDTLS_ERR_X509_INVALID_DATE; } - if ((unsigned int) (t->day - 1) >= month_days || /*(1 - days in month)*/ - /*(unsigned int)( t->mon - 1 ) >= 12 ||*//*(1 - 12) checked above*/ - (unsigned int) t->year > 9999 || /*(0 - 9999)*/ - (unsigned int) t->hour > 23 || /*(0 - 23)*/ - (unsigned int) t->min > 59 || /*(0 - 59)*/ - (unsigned int) t->sec > 59) { /*(0 - 59)*/ + if ((unsigned int) (t->day - 1) >= month_days || /* (1 - days in month) */ + /* (unsigned int)( t->mon - 1 ) >= 12 || */ /* (1 - 12) checked above */ + (unsigned int) t->year > 9999 || /* (0 - 9999) */ + (unsigned int) t->hour > 23 || /* (0 - 23) */ + (unsigned int) t->min > 59 || /* (0 - 59) */ + (unsigned int) t->sec > 59) { /* (0 - 59) */ return MBEDTLS_ERR_X509_INVALID_DATE; } From 3ae1c4c0f73fb13f15a362095ec7075534ec5050 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 5 Jul 2023 11:15:08 +0100 Subject: [PATCH 9/9] Fix formatting of explanatory commented code Signed-off-by: David Horstmann --- library/x509.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509.c b/library/x509.c index 46990a793..017514c37 100644 --- a/library/x509.c +++ b/library/x509.c @@ -587,7 +587,7 @@ static int x509_date_is_valid(const mbedtls_x509_time *t) } if ((unsigned int) (t->day - 1) >= month_days || /* (1 - days in month) */ - /* (unsigned int)( t->mon - 1 ) >= 12 || */ /* (1 - 12) checked above */ + /* (unsigned int) (t->mon - 1) >= 12 || */ /* (1 - 12) checked above */ (unsigned int) t->year > 9999 || /* (0 - 9999) */ (unsigned int) t->hour > 23 || /* (0 - 23) */ (unsigned int) t->min > 59 || /* (0 - 59) */