2
0
mirror of https://github.com/xcat2/xNBA.git synced 2024-11-28 12:19:46 +00:00

Have time check come after root certificate check

Thinking is that if the *CA* certificate is the certificate signing the server,
then they can say whatever they want.  Given the propensity of firmware
clocks to be off, this seems like a reasonably comfortable compromise.
This commit is contained in:
Jarrod Johnson 2014-03-07 16:15:29 -05:00
parent ab7d5e8983
commit 6962fae86e
2 changed files with 8 additions and 8 deletions

View File

@ -111,12 +111,12 @@ FILE_LICENCE ( GPL2_OR_LATER );
#undef AUTOBOOT_CMD /* Automatic booting */
#define NVO_CMD /* Non-volatile option storage commands */
#undef CONFIG_CMD /* Option configuration console */
#undef IFMGMT_CMD /* Interface management commands */
#define IFMGMT_CMD /* Interface management commands */
#undef IWMGMT_CMD /* Wireless interface management commands */
#undef FCMGMT_CMD /* Fibre Channel management commands */
#undef ROUTE_CMD /* Routing table management commands */
#define ROUTE_CMD /* Routing table management commands */
#define IMAGE_CMD /* Image management commands */
#undef DHCP_CMD /* DHCP management commands */
#define DHCP_CMD /* DHCP management commands */
#define SANBOOT_CMD /* SAN boot commands */
#undef MENU_CMD /* Menu commands */
#undef LOGIN_CMD /* Login command */
@ -125,7 +125,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
#undef LOTEST_CMD /* Loopback testing commands */
#undef VLAN_CMD /* VLAN commands */
#undef PXE_CMD /* PXE commands */
#undef REBOOT_CMD /* Reboot command */
#define REBOOT_CMD /* Reboot command */
#define IMAGE_TRUST_CMD /* Image trust management commands */
#undef SYNC_CMD /* Sync command */
#undef NSLOOKUP_CMD /* DNS resolving command */

View File

@ -1310,10 +1310,6 @@ int x509_validate ( struct x509_certificate *cert,
if ( cert->valid )
return 0;
/* Fail if certificate is invalid at specified time */
if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
return rc;
/* Succeed if certificate is a trusted root certificate */
if ( x509_check_root ( cert, root ) == 0 ) {
cert->valid = 1;
@ -1321,6 +1317,10 @@ int x509_validate ( struct x509_certificate *cert,
return 0;
}
/* Fail if certificate is invalid at specified time */
if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
return rc;
/* Fail unless we have an issuer */
if ( ! issuer ) {
DBGC2 ( cert, "X509 %p \"%s\" has no issuer\n",