author | beck <> | 2016-07-16 16:14:28 +0000 |
---|---|---|
committer | beck <> | 2016-07-16 16:14:28 +0000 |
commit | 78336a1536cbd5f8f9cdf9acafe89235a9c44b31 (patch) | |
tree | daf9d721f38fd8de4a8c8f73532dba05a6a3694e /src/lib/libcrypto/ocsp | |
parent | 192dbc22894bbc343ebfe1487e1179b38c13f7d8 (diff) | |
Clean up OCSP_check_validity() a bit more.
- Return on first failure rather than continuing.
- Don't compare times by comparing strings that possibly were not parsable as a time.
ok deraadt@
Diffstat (limited to 'src/lib/libcrypto/ocsp')
-rw-r--r-- | src/lib/libcrypto/ocsp/ocsp_cl.c | 21 |
1 files changed, 10 insertions, 11 deletions
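--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.10 2016/07/05 03:24:38 beck Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.11 2016/07/16 16:14:28 beck Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
 * project. */
 
@@ -330,7 +330,6 @@ int
 OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
 {
-int ret = 1;
 time_t t_now, t_tmp;
 struct tm tm_this, tm_next, tm_tmp;
 
@@ -347,7 +346,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 OCSP_R_ERROR_IN_THISUPDATE_FIELD);
-ret = 0;
+return 0;
 } else {
 t_tmp = t_now + nsec;
 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
@@ -355,7 +354,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 if (asn1_tm_cmp(&tm_this, &tm_tmp) > 0) {
 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 OCSP_R_STATUS_NOT_YET_VALID);
-ret = 0;
+return 0;
 }
 
 /*
@@ -369,20 +368,20 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 if (asn1_tm_cmp(&tm_this, &tm_tmp) < 0) {
 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 OCSP_R_STATUS_TOO_OLD);
-ret = 0;
+return 0;
 }
 }
 }
 
 if (!nextupd)
-return ret;
+return 1;
 
 /* Check nextUpdate is valid and not more than nsec in the past */
 if (asn1_time_parse(nextupd->data, nextupd->length, &tm_next,
 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
-ret = 0;
+return 0;
 } else {
 t_tmp = t_now - nsec;
 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
@@ -390,16 +389,16 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 if (asn1_tm_cmp(&tm_next, &tm_tmp) < 0) {
 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 OCSP_R_STATUS_EXPIRED);
-ret = 0;
+return 0;
 }
 }
 
 /* Also don't allow nextUpdate to precede thisUpdate */
-if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
+if (asn1_tm_cmp(&tm_next, &tm_this) < 0) {
 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
-ret = 0;
+return 0;
 }
 
-return ret;
+return 1;
 }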
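Review bot: The final check `asn1_tm_cmp(&tm_next, &tm_this)` is only safe because, as far as the visible hunks show, both `asn1_time_parse` failure branches now `return 0` before it is reached. Nothing at the comparison records that dependency, so a later refactor back to accumulate-and-continue could leave it reading a `struct tm` that was never filled in. I would extend the comment there to `/* Also don't allow nextUpdate to precede thisUpdate; both fields were parsed successfully above */`. As a style point, the `} else {` after `return 0;` in the thisUpdate and nextUpdate parse checks is now redundant, and dedenting those bodies would make the fail-closed flow easier to audit. The statement following each `if (gmtime_r(&t_tmp, &tm_tmp) == NULL)` lies outside the hunks, so it is worth confirming those paths also return 0.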