diff options
author | beck <> | 2016-06-27 15:42:33 +0000 |
---|---|---|
committer | beck <> | 2016-06-27 15:42:33 +0000 |
commit | a8c850455afd01722550b679df02cfc776fd403d (patch) | |
tree | 7ca80505c32e102c1aa239491f58c5630f396a64 | |
parent | 3a345cb82b973577003785646c3e165d4c154c88 (diff) | |
download | openbsd-OPENBSD_5_8.tar.gz openbsd-OPENBSD_5_8.tar.bz2 openbsd-OPENBSD_5_8.zip |
Incorrect/unneeded fix for 5.8OPENBSD_5_8
noticed by jsing@
-rw-r--r-- | src/lib/libssl/src/crypto/ocsp/ocsp_cl.c | 38 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/ocsp/ocsp_srv.c | 4 |
2 files changed, 9 insertions, 33 deletions
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c b/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c index 811101f385..d4f847023b 100644 --- a/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c +++ b/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ocsp_cl.c,v 1.8.6.1 2016/06/25 16:42:40 beck Exp $ */ | 1 | /* $OpenBSD: ocsp_cl.c,v 1.8.6.2 2016/06/27 15:42:31 beck Exp $ */ |
2 | /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL | 2 | /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL |
3 | * project. */ | 3 | * project. */ |
4 | 4 | ||
@@ -71,9 +71,6 @@ | |||
71 | #include <openssl/x509.h> | 71 | #include <openssl/x509.h> |
72 | #include <openssl/x509v3.h> | 72 | #include <openssl/x509v3.h> |
73 | 73 | ||
74 | int asn1_time_parse(const char *, size_t, struct tm *, int); | ||
75 | int asn1_tm_cmp(struct tm *, struct tm *); | ||
76 | |||
77 | /* Utility functions related to sending OCSP requests and extracting | 74 | /* Utility functions related to sending OCSP requests and extracting |
78 | * relevant information from the response. | 75 | * relevant information from the response. |
79 | */ | 76 | */ |
@@ -332,43 +329,25 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, | |||
332 | { | 329 | { |
333 | int ret = 1; | 330 | int ret = 1; |
334 | time_t t_now, t_tmp; | 331 | time_t t_now, t_tmp; |
335 | struct tm tm_this, tm_next, tm_tmp; | ||
336 | 332 | ||
337 | time(&t_now); | 333 | time(&t_now); |
338 | |||
339 | /* | ||
340 | * Times must explicitly be a GENERALIZEDTIME as per section | ||
341 | * 4.2.2.1 of RFC 6960 - It is invalid to accept other times | ||
342 | * (such as UTCTIME permitted/required by RFC 5280 for certificates) | ||
343 | */ | ||
344 | |||
345 | /* Check thisUpdate is valid and not more than nsec in the future */ | 334 | /* Check thisUpdate is valid and not more than nsec in the future */ |
346 | if (asn1_time_parse(thisupd->data, thisupd->length, &tm_this, | 335 | if (!ASN1_GENERALIZEDTIME_check(thisupd)) { |
347 | V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { | ||
348 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 336 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, |
349 | OCSP_R_ERROR_IN_THISUPDATE_FIELD); | 337 | OCSP_R_ERROR_IN_THISUPDATE_FIELD); |
350 | ret = 0; | 338 | ret = 0; |
351 | } else { | 339 | } else { |
352 | t_tmp = t_now + nsec; | 340 | t_tmp = t_now + nsec; |
353 | if (gmtime_r(&t_tmp, &tm_tmp) == NULL) | 341 | if (X509_cmp_time(thisupd, &t_tmp) > 0) { |
354 | return 0; | ||
355 | if (asn1_tm_cmp(&tm_this, &tm_tmp) > 0) { | ||
356 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 342 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, |
357 | OCSP_R_STATUS_NOT_YET_VALID); | 343 | OCSP_R_STATUS_NOT_YET_VALID); |
358 | ret = 0; | 344 | ret = 0; |
359 | } | 345 | } |
360 | 346 | ||
361 | /* | 347 | /* If maxsec specified check thisUpdate is not more than maxsec in the past */ |
362 | * If maxsec specified check thisUpdate is not more than maxsec | ||
363 | * in the past | ||
364 | */ | ||
365 | if (maxsec >= 0) { | 348 | if (maxsec >= 0) { |
366 | t_tmp = t_now - maxsec; | 349 | t_tmp = t_now - maxsec; |
367 | if (gmtime_r(&t_tmp, &tm_tmp) == NULL) | 350 | if (X509_cmp_time(thisupd, &t_tmp) < 0) { |
368 | return 0; | ||
369 | if (gmtime_r(&t_tmp, &tm_tmp) == NULL) | ||
370 | return 0; | ||
371 | if (asn1_tm_cmp(&tm_this, &tm_tmp) < 0) { | ||
372 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 351 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, |
373 | OCSP_R_STATUS_TOO_OLD); | 352 | OCSP_R_STATUS_TOO_OLD); |
374 | ret = 0; | 353 | ret = 0; |
@@ -380,16 +359,13 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, | |||
380 | return ret; | 359 | return ret; |
381 | 360 | ||
382 | /* Check nextUpdate is valid and not more than nsec in the past */ | 361 | /* Check nextUpdate is valid and not more than nsec in the past */ |
383 | if (asn1_time_parse(nextupd->data, nextupd->length, &tm_next, | 362 | if (!ASN1_GENERALIZEDTIME_check(nextupd)) { |
384 | V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { | ||
385 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 363 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, |
386 | OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); | 364 | OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); |
387 | ret = 0; | 365 | ret = 0; |
388 | } else { | 366 | } else { |
389 | t_tmp = t_now - nsec; | 367 | t_tmp = t_now - nsec; |
390 | if (gmtime_r(&t_tmp, &tm_tmp) == NULL) | 368 | if (X509_cmp_time(nextupd, &t_tmp) < 0) { |
391 | return 0; | ||
392 | if (asn1_tm_cmp(&tm_next, &tm_tmp) < 0) { | ||
393 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 369 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, |
394 | OCSP_R_STATUS_EXPIRED); | 370 | OCSP_R_STATUS_EXPIRED); |
395 | ret = 0; | 371 | ret = 0; |
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c index a215c4ac0e..be462141a4 100644 --- a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c +++ b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ocsp_srv.c,v 1.7.6.1 2016/06/25 16:42:40 beck Exp $ */ | 1 | /* $OpenBSD: ocsp_srv.c,v 1.7.6.2 2016/06/27 15:42:31 beck Exp $ */ |
2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
3 | * project 2001. | 3 | * project 2001. |
4 | */ | 4 | */ |
@@ -260,7 +260,7 @@ OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, | |||
260 | } | 260 | } |
261 | 261 | ||
262 | if (!(flags & OCSP_NOTIME) && | 262 | if (!(flags & OCSP_NOTIME) && |
263 | !ASN1_GENERALIZEDTIME_set(brsp->tbsResponseData->producedAt, time(NULL))) | 263 | !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0)) |
264 | goto err; | 264 | goto err; |
265 | 265 | ||
266 | /* Right now, I think that not doing double hashing is the right | 266 | /* Right now, I think that not doing double hashing is the right |