Cache sha512 hash and parsed not_before and not_after with X509 cert.

Replace sha1 hash use with sha512 for certificate comparisons internal to the library. use the cached sha512 for the validator's verification cache. Reduces our recomputation of hashes, and heavy use of time1 time conversion functions noticed bu claudio@ in rpki client. ok jsing@ tb@
author: beck <> 2021-11-04 23:52:34 +0000
committer: beck <> 2021-11-04 23:52:34 +0000
commit: 244374d8dda906a87c40f39a8ed949cf07a1c8f3 (patch)
tree: 3ca9bd91a3930e5f3e28873aa362dffdb8cf6227 /src/lib/libcrypto/x509/x509_vfy.c
parent: b866948734d2d995d78efdc04fb93574782722fa (diff)
download: openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.tar.gz
openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.tar.bz2
openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.zip
1 files changed, 35 insertions, 21 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 664474139c..3b0d6dfa35 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.93 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.94 2021/11/04 23:52:34 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1843,6 +1843,18 @@ verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
        return ctx->verify_cb(0, ctx);
 }
+/* Mimic OpenSSL '0 for failure' ick */
+static int
+time_t_bogocmp(time_t a, time_t b)
+{
+        if (a == -1 || b == -1)
+                return 0;
+        if (a <= b)
+                return -1;
+        return 1;
+}
 /*
 * Check certificate validity times.
 *
@@ -1854,17 +1866,21 @@ verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
 int
 x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
 {
-        time_t *ptime;
+        time_t ptime;
        int i;
        if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
-                ptime = &ctx->param->check_time;
+                ptime = ctx->param->check_time;
        else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
                return 1;
        else
-                ptime = NULL;
+                ptime = time(NULL);
+        if (x->ex_flags & EXFLAG_SET)
+                i = time_t_bogocmp(x->not_before, ptime);
+        else
+                i = X509_cmp_time(X509_get_notBefore(x), &ptime);
-        i = X509_cmp_time(X509_get_notBefore(x), ptime);
        if (i >= 0 && depth < 0)
                return 0;
        if (i == 0 && !verify_cb_cert(ctx, x, depth,
@@ -1874,7 +1890,11 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
            X509_V_ERR_CERT_NOT_YET_VALID))
                return 0;
-        i = X509_cmp_time_internal(X509_get_notAfter(x), ptime, 1);
+        if (x->ex_flags & EXFLAG_SET)
+                i = time_t_bogocmp(x->not_after, ptime);
+        else
+                i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1);
        if (i <= 0 && depth < 0)
                return 0;
        if (i == 0 && !verify_cb_cert(ctx, x, depth,
@@ -1883,6 +1903,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
        if (i < 0 && !verify_cb_cert(ctx, x, depth,
            X509_V_ERR_CERT_HAS_EXPIRED))
                return 0;
        return 1;
 }
@@ -1994,30 +2015,23 @@ X509_cmp_current_time(const ASN1_TIME *ctm)
 * 0 on error.
 */
 static int
-X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafter)
+X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int is_notafter)
 {
-        time_t compare;
+        time_t compare, cert_time;
-        struct tm tm1, tm2;
-        int ret = 0;
        if (cmp_time == NULL)
                compare = time(NULL);
        else
                compare = *cmp_time;
-        memset(&tm1, 0, sizeof(tm1));
+        if ((cert_time = x509_verify_asn1_time_to_time_t(ctm, is_notafter)) ==
+            -1)
+                return 0; /* invalid time */
-        if (!x509_verify_asn1_time_to_tm(ctm, &tm1, clamp_notafter))
+        if (cert_time <= compare)
-                goto out; /* invalid time */
+                return -1; /* 0 is used for error, so map same to less than */
-        if (gmtime_r(&compare, &tm2) == NULL)
+        return 1;
-                goto out;
-        ret = ASN1_time_tm_cmp(&tm1, &tm2);
-        if (ret == 0)
-                ret = -1; /* 0 is used for error, so map same to less than */
- out:
-        return (ret);
 }
 int
author	beck <>	2021-11-04 23:52:34 +0000
committer	beck <>	2021-11-04 23:52:34 +0000
commit	244374d8dda906a87c40f39a8ed949cf07a1c8f3 (patch)
tree	3ca9bd91a3930e5f3e28873aa362dffdb8cf6227 /src/lib/libcrypto/x509/x509_vfy.c
parent	b866948734d2d995d78efdc04fb93574782722fa (diff)
download	openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.tar.gz openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.tar.bz2 openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.zip