diff options
| author | beck <> | 2015-09-30 14:11:22 +0000 |
|---|---|---|
| committer | beck <> | 2015-09-30 14:11:22 +0000 |
| commit | 1b1e2736553669e186eb81ebacd225908e15106e (patch) | |
| tree | 8180f93cdb41e6ed354af4e2a2f99230b24b48ce | |
| parent | d504bbe07a26c46daaa2fe5bbcddf3c209ada5c6 (diff) | |
| download | openbsd-1b1e2736553669e186eb81ebacd225908e15106e.tar.gz openbsd-1b1e2736553669e186eb81ebacd225908e15106e.tar.bz2 openbsd-1b1e2736553669e186eb81ebacd225908e15106e.zip | |
Fix a bug in the regress, and be much more pedantic about what is allowed
per RFC 5380 in an X509. RFC 5280 states that all times before 2050 must
be specified as a UTCtime, not a Generalized time, and all times after must
be a UTC time. By extension this also means the smallest time allowed
per RFC 5280 is 500101000000Z and the largest is 99991231235959Z..
| -rw-r--r-- | src/regress/lib/libcrypto/asn1/rfc5280time.c | 68 |
1 files changed, 46 insertions, 22 deletions
diff --git a/src/regress/lib/libcrypto/asn1/rfc5280time.c b/src/regress/lib/libcrypto/asn1/rfc5280time.c index b74c5668d7..7ef4929e86 100644 --- a/src/regress/lib/libcrypto/asn1/rfc5280time.c +++ b/src/regress/lib/libcrypto/asn1/rfc5280time.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: rfc5280time.c,v 1.1 2015/09/29 04:54:23 beck Exp $ */ | 1 | /* $OpenBSD: rfc5280time.c,v 1.2 2015/09/30 14:11:22 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2015 Bob Beck <beck@opebsd.org> | 4 | * Copyright (c) 2015 Bob Beck <beck@opebsd.org> |
| @@ -79,34 +79,39 @@ struct rfc5280_time_test rfc5280_invtime_tests[] = { | |||
| 79 | { | 79 | { |
| 80 | .str = "aaaaaaaaaaaaaaZ", | 80 | .str = "aaaaaaaaaaaaaaZ", |
| 81 | }, | 81 | }, |
| 82 | }; | ||
| 83 | |||
| 84 | struct rfc5280_time_test rfc5280_gentime_tests[] = { | ||
| 85 | { | 82 | { |
| 83 | /* Must be a UTC time per RFC 5280*/ | ||
| 86 | .str = "19700101000000Z", | 84 | .str = "19700101000000Z", |
| 87 | .data = "19700101000000Z", | 85 | .data = "19700101000000Z", |
| 88 | .time = 0, | 86 | .time = 0, |
| 89 | }, | 87 | }, |
| 90 | { | 88 | { |
| 89 | /* (times before 2050 must be UTCTIME) Per RFC 5280 4.1.2.5 */ | ||
| 91 | .str = "20150923032700Z", | 90 | .str = "20150923032700Z", |
| 92 | .data = "20150923032700Z", | 91 | .data = "20150923032700Z", |
| 93 | .time = 1442978820, | 92 | .time = 1442978820, |
| 94 | }, | 93 | }, |
| 95 | { | 94 | { |
| 96 | .str = "20150922162712Z", | 95 | /* (times before 2050 must be UTCTIME) Per RFC 5280 4.1.2.5 */ |
| 97 | .data = "20150922162712Z", | 96 | .str = "00000101000000Z", |
| 98 | .time = 1442939232, | 97 | .data = "00000101000000Z", |
| 98 | .time = -62167219200, | ||
| 99 | }, | 99 | }, |
| 100 | { | 100 | { |
| 101 | .str = "20150922161212Z", | 101 | /* (times before 2050 must be UTCTIME) Per RFC 5280 4.1.2.5 */ |
| 102 | .data = "20150922161212Z", | 102 | .str = "20491231235959Z", |
| 103 | .time = 1442938332, | 103 | .data = "20491231235959Z", |
| 104 | .time = 2524607999, | ||
| 104 | }, | 105 | }, |
| 105 | { | 106 | { |
| 106 | .str = "20150923032700Z", | 107 | /* (times before 2050 must be UTCTIME) Per RFC 5280 4.1.2.5 */ |
| 107 | .data = "20150923032700Z", | 108 | .str = "19500101000000Z", |
| 108 | .time = 1442978820, | 109 | .data = "19500101000000Z", |
| 110 | .time = -631152000, | ||
| 109 | }, | 111 | }, |
| 112 | }; | ||
| 113 | |||
| 114 | struct rfc5280_time_test rfc5280_gentime_tests[] = { | ||
| 110 | { | 115 | { |
| 111 | /* Biggest RFC 5280 time */ | 116 | /* Biggest RFC 5280 time */ |
| 112 | .str = "99991231235959Z", | 117 | .str = "99991231235959Z", |
| @@ -114,15 +119,34 @@ struct rfc5280_time_test rfc5280_gentime_tests[] = { | |||
| 114 | .time = 253402300799, | 119 | .time = 253402300799, |
| 115 | }, | 120 | }, |
| 116 | { | 121 | { |
| 117 | /* Smallest RFC 5280 time */ | 122 | .str = "21600218104000Z", |
| 118 | .str = "00000101000000Z", | 123 | .data = "21600218104000Z", |
| 119 | .data = "00000101000000Z", | 124 | .time = 6000000000, |
| 120 | .time = -62167219200, | 125 | }, |
| 126 | { | ||
| 127 | /* Smallest RFC 5280 gen time */ | ||
| 128 | .str = "20500101000000Z", | ||
| 129 | .data = "20500101000000Z", | ||
| 130 | .time = 2524608000, | ||
| 121 | }, | 131 | }, |
| 122 | }; | 132 | }; |
| 123 | |||
| 124 | struct rfc5280_time_test rfc5280_utctime_tests[] = { | 133 | struct rfc5280_time_test rfc5280_utctime_tests[] = { |
| 125 | { | 134 | { |
| 135 | .str = "500101000000Z", | ||
| 136 | .data = "500101000000Z", | ||
| 137 | .time = -631152000, | ||
| 138 | }, | ||
| 139 | { | ||
| 140 | .str = "540226230640Z", | ||
| 141 | .data = "540226230640Z", | ||
| 142 | .time = -500000000, | ||
| 143 | }, | ||
| 144 | { | ||
| 145 | .str = "491231235959Z", | ||
| 146 | .data = "491231235959Z", | ||
| 147 | .time = 2524607999, | ||
| 148 | }, | ||
| 149 | { | ||
| 126 | .str = "700101000000Z", | 150 | .str = "700101000000Z", |
| 127 | .data = "700101000000Z", | 151 | .data = "700101000000Z", |
| 128 | .time = 0, | 152 | .time = 0, |
| @@ -247,14 +271,14 @@ rfc5280_gentime_test(int test_no, struct rfc5280_time_test *att) | |||
| 247 | if (asn1_compare_str(test_no, gt, att->str) != 0) | 271 | if (asn1_compare_str(test_no, gt, att->str) != 0) |
| 248 | goto done; | 272 | goto done; |
| 249 | 273 | ||
| 250 | if ((i = X509_cmp_time(gt, &att->time) != -1)) { | 274 | if ((i = X509_cmp_time(gt, &att->time)) != -1) { |
| 251 | fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n", | 275 | fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n", |
| 252 | test_no, i, att->time); | 276 | test_no, i, att->time); |
| 253 | goto done; | 277 | goto done; |
| 254 | } | 278 | } |
| 255 | 279 | ||
| 256 | att->time--; | 280 | att->time--; |
| 257 | if ((i = X509_cmp_time(gt, &att->time) != 1)) { | 281 | if ((i = X509_cmp_time(gt, &att->time)) != 1) { |
| 258 | fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n", | 282 | fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n", |
| 259 | test_no, i, att->time); | 283 | test_no, i, att->time); |
| 260 | goto done; | 284 | goto done; |
| @@ -299,14 +323,14 @@ rfc5280_utctime_test(int test_no, struct rfc5280_time_test *att) | |||
| 299 | if (asn1_compare_str(test_no, ut, att->str) != 0) | 323 | if (asn1_compare_str(test_no, ut, att->str) != 0) |
| 300 | goto done; | 324 | goto done; |
| 301 | 325 | ||
| 302 | if ((i = X509_cmp_time(ut, &att->time) != -1)) { | 326 | if ((i = X509_cmp_time(ut, &att->time)) != -1) { |
| 303 | fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n", | 327 | fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n", |
| 304 | test_no, i, att->time); | 328 | test_no, i, att->time); |
| 305 | goto done; | 329 | goto done; |
| 306 | } | 330 | } |
| 307 | 331 | ||
| 308 | att->time--; | 332 | att->time--; |
| 309 | if ((i = X509_cmp_time(ut, &att->time) != 1)) { | 333 | if ((i = X509_cmp_time(ut, &att->time)) != 1) { |
| 310 | fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n", | 334 | fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n", |
| 311 | test_no, i, att->time); | 335 | test_no, i, att->time); |
| 312 | goto done; | 336 | goto done; |