When looking for the issuer of a certificate, if the current candidate is

expired or not valid yet, continue looking; only return an expired certificate
if no valid certificates have been found.

OpenSSL PR #3359 via OpenSSL trunk.

6 files changed, 194 insertions, 26 deletions

diff --git a/src/lib/libcrypto/x509/x509_lcl.h b/src/lib/libcrypto/x509/x509_lcl.h
new file mode 100644
index 0000000000..b16df78ad7
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_lcl.h
@@ -0,0 +1,59 @@
+/* x509_lcl.h */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2013.
+ */
+/* ====================================================================
+ * Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 8d3e4f4dce..b522c88c25 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.16 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.17 2014/07/11 12:52:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,6 +62,7 @@
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 X509_LOOKUP *
 X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
@@ -632,6 +633,8 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
         X509_NAME *xn;
         X509_OBJECT obj, *pobj;
         int i, ok, idx, ret;
+
+        *issuer = NULL;
         xn = X509_get_issuer_name(x);
         ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj);
         if (ok != X509_LU_X509) {
@@ -649,8 +652,10 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
         }
         /* If certificate matches all OK */
         if (ctx->check_issued(ctx, x, obj.data.x509)) {
-                *issuer = obj.data.x509;
-                return 1;
+                if (x509_check_cert_time(ctx, obj.data.x509, 1)) {
+                        *issuer = obj.data.x509;
+                        return 1;
+                }
         }
         X509_OBJECT_free_contents(&obj);
 
@@ -670,13 +675,21 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
                                 break;
                         if (ctx->check_issued(ctx, x, pobj->data.x509)) {
                                 *issuer = pobj->data.x509;
-                                X509_OBJECT_up_ref_count(pobj);
                                 ret = 1;
-                                break;
+                                /*
+                                 * If times check, exit with match,
+                                 * otherwise keep looking. Leave last
+                                 * match in issuer so we return nearest
+                                 * match if no certificate time is OK.
+                                 */
+                                if (x509_check_cert_time(ctx, *issuer, 1))
+                                        break;
                         }
                 }
         }
         CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+        if (*issuer)
+                CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
         return ret;
 }
 
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index f7feb85f36..9d7a7d1228 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.33 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.34 2014/07/11 12:52:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -73,6 +73,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 /* CRL score values */
 
@@ -408,14 +409,17 @@ static X509 *
 find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
         int i;
-        X509 *issuer;
+        X509 *issuer, *rv = NULL;
 
         for (i = 0; i < sk_X509_num(sk); i++) {
                 issuer = sk_X509_value(sk, i);
-                if (ctx->check_issued(ctx, x, issuer))
-                        return issuer;
+                if (ctx->check_issued(ctx, x, issuer)) {
+                        rv = issuer;
+                        if (x509_check_cert_time(ctx, rv, 1))
+                                break;
+                }
         }
-        return NULL;
+        return rv;
 }
 
 /* Given a possible certificate and issuer check them */
@@ -1492,8 +1496,8 @@ check_policy(X509_STORE_CTX *ctx)
         return 1;
 }
 
-static int
-check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+int
+x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 {
         time_t *ptime;
         int i;
@@ -1505,6 +1509,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
         i = X509_cmp_time(X509_get_notBefore(x), ptime);
         if (i == 0) {
+                if (quiet)
+                        return 0;
                 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
                 ctx->current_cert = x;
                 if (!ctx->verify_cb(0, ctx))
@@ -1512,6 +1518,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
         }
 
         if (i > 0) {
+                if (quiet)
+                        return 0;
                 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
                 ctx->current_cert = x;
                 if (!ctx->verify_cb(0, ctx))
@@ -1520,6 +1528,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
         i = X509_cmp_time(X509_get_notAfter(x), ptime);
         if (i == 0) {
+                if (quiet)
+                        return 0;
                 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
                 ctx->current_cert = x;
                 if (!ctx->verify_cb(0, ctx))
@@ -1527,6 +1537,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
         }
 
         if (i < 0) {
+                if (quiet)
+                        return 0;
                 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
                 ctx->current_cert = x;
                 if (!ctx->verify_cb(0, ctx))
@@ -1597,7 +1609,7 @@ internal_verify(X509_STORE_CTX *ctx)
 
                 xs->valid = 1;
 
-                ok = check_cert_time(ctx, xs);
+                ok = x509_check_cert_time(ctx, xs, 0);
                 if (!ok)
                         goto end;
 
diff --git a/src/lib/libssl/src/crypto/x509/x509_lcl.h b/src/lib/libssl/src/crypto/x509/x509_lcl.h
new file mode 100644
index 0000000000..b16df78ad7
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509/x509_lcl.h
@@ -0,0 +1,59 @@
+/* x509_lcl.h */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2013.
+ */
+/* ====================================================================
+ * Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
diff --git a/src/lib/libssl/src/crypto/x509/x509_lu.c b/src/lib/libssl/src/crypto/x509/x509_lu.c
index 8d3e4f4dce..b522c88c25 100644
--- a/src/lib/libssl/src/crypto/x509/x509_lu.c
+++ b/src/lib/libssl/src/crypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.16 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.17 2014/07/11 12:52:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,6 +62,7 @@
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 X509_LOOKUP *
 X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
@@ -632,6 +633,8 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
         X509_NAME *xn;
         X509_OBJECT obj, *pobj;
         int i, ok, idx, ret;
+
+        *issuer = NULL;
         xn = X509_get_issuer_name(x);
         ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj);
         if (ok != X509_LU_X509) {
@@ -649,8 +652,10 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
         }
         /* If certificate matches all OK */
         if (ctx->check_issued(ctx, x, obj.data.x509)) {
-                *issuer = obj.data.x509;
-                return 1;
+                if (x509_check_cert_time(ctx, obj.data.x509, 1)) {
+                        *issuer = obj.data.x509;
+                        return 1;
+                }
         }
         X509_OBJECT_free_contents(&obj);
 
@@ -670,13 +675,21 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
                                 break;
                         if (ctx->check_issued(ctx, x, pobj->data.x509)) {
                                 *issuer = pobj->data.x509;
-                                X509_OBJECT_up_ref_count(pobj);
                                 ret = 1;
-                                break;
+                                /*
+                                 * If times check, exit with match,
+                                 * otherwise keep looking. Leave last
+                                 * match in issuer so we return nearest
+                                 * match if no certificate time is OK.
+                                 */
+                                if (x509_check_cert_time(ctx, *issuer, 1))
+                                        break;
                         }
                 }
         }
         CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+        if (*issuer)
+                CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
         return ret;
 }
 
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index f7feb85f36..9d7a7d1228 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.33 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.34 2014/07/11 12:52:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -73,6 +73,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 /* CRL score values */
 
@@ -408,14 +409,17 @@ static X509 *
 find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
         int i;
-        X509 *issuer;
+        X509 *issuer, *rv = NULL;
 
         for (i = 0; i < sk_X509_num(sk); i++) {
                 issuer = sk_X509_value(sk, i);
-                if (ctx->check_issued(ctx, x, issuer))
-                        return issuer;
+                if (ctx->check_issued(ctx, x, issuer)) {
+                        rv = issuer;
+                        if (x509_check_cert_time(ctx, rv, 1))
+                                break;
+                }
         }
-        return NULL;
+        return rv;
 }
 
 /* Given a possible certificate and issuer check them */
@@ -1492,8 +1496,8 @@ check_policy(X509_STORE_CTX *ctx)
         return 1;
 }
 
-static int
-check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+int
+x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 {
         time_t *ptime;
         int i;
@@ -1505,6 +1509,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
         i = X509_cmp_time(X509_get_notBefore(x), ptime);
         if (i == 0) {
+                if (quiet)
+                        return 0;
                 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
                 ctx->current_cert = x;
                 if (!ctx->verify_cb(0, ctx))
@@ -1512,6 +1518,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
         }
 
         if (i > 0) {
+                if (quiet)
+                        return 0;
                 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
                 ctx->current_cert = x;
                 if (!ctx->verify_cb(0, ctx))
@@ -1520,6 +1528,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
         i = X509_cmp_time(X509_get_notAfter(x), ptime);
         if (i == 0) {
+                if (quiet)
+                        return 0;
                 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
                 ctx->current_cert = x;
                 if (!ctx->verify_cb(0, ctx))
@@ -1527,6 +1537,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
         }
 
         if (i < 0) {
+                if (quiet)
+                        return 0;
                 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
                 ctx->current_cert = x;
                 if (!ctx->verify_cb(0, ctx))
@@ -1597,7 +1609,7 @@ internal_verify(X509_STORE_CTX *ctx)
 
                 xs->valid = 1;
 
-                ok = check_cert_time(ctx, xs);
+                ok = x509_check_cert_time(ctx, xs, 0);
                 if (!ok)
                         goto end;