From 49d27a55031e72ade52984f5cd94e82e97b46228 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 23 Dec 2019 20:20:58 +0100 Subject: x509: do not tolerate invalid DER time This effectively reverts !400 and ensures that we no longer tolerate invalid DER time. This complements the previous commit by Lili Quan and ensures we provide the --disable-strict-der-time backwards compatibility option. Resolves: #207 Signed-off-by: Nikos Mavrogiannopoulos
---
m4/hooks.m4 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'm4/hooks.m4')
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index 34a5b38eb9..49367bd1da 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -144,6 +144,20 @@ LIBTASN1_MINIMUM=4.9
 AC_MSG_WARN([C99 macros not supported. This may affect compiling.])
 ])
+ ac_strict_der_time=yes
+ AC_MSG_CHECKING([whether to disable strict DER time encodings for backwards compatibility])
+ AC_ARG_ENABLE(strict-der-time,
+ AS_HELP_STRING([--disable-strict-der-time],
+ [allow non compliant DER time values]),
+ ac_strict_der_time=$enableval)
+ if test x$ac_strict_der_time != xno; then
+ AC_MSG_RESULT(no)
+ AC_DEFINE([STRICT_DER_TIME], 1, [force strict DER time constraints])
+ else
+ AC_MSG_RESULT(yes)
+ fi
+ AM_CONDITIONAL(STRICT_DER_TIME, test "$ac_strict_der_time" != "no")
+ ac_allow_sha1=no
 AC_MSG_CHECKING([whether to allow SHA1 as an acceptable hash for cert digital signatures])
 AC_ARG_ENABLE(sha1-support,
-- cgit v1.2.1
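Review bot: The added `if test x$ac_strict_der_time != xno; then` expands the option value unquoted, while the `AM_CONDITIONAL` at the end of the added block quotes it, so the two checks can disagree. If the value contains whitespace (a malformed `--enable-strict-der-time=...` argument), `test` fails with a syntax error and the `else` branch runs, leaving `STRICT_DER_TIME` undefined (presumably building the tolerant time parsing) while the automake conditional still evaluates as strict. Quoting keeps the strict default fail-closed: `if test "x$ac_strict_der_time" != "xno"; then`. The help string `[allow non compliant DER time values]` could also state that the switch relaxes X.509 time validation and exists only for backwards compatibility. The enclosing macro definition starts and ends outside the hunk.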