diff options
| author | beck <> | 2024-04-08 23:46:21 +0000 |
|---|---|---|
| committer | beck <> | 2024-04-08 23:46:21 +0000 |
| commit | 6a993ea0b1a8e5ba915e093a2eca5dc9fba06c74 (patch) | |
| tree | a514bf75907bdd1906b32c4e2da374c0ea1ba065 /src/lib/libcrypto/x509/x509_vfy.c | |
| parent | 0164389f0b72283c34063736f590518874ffc3c8 (diff) | |
| download | openbsd-6a993ea0b1a8e5ba915e093a2eca5dc9fba06c74.tar.gz openbsd-6a993ea0b1a8e5ba915e093a2eca5dc9fba06c74.tar.bz2 openbsd-6a993ea0b1a8e5ba915e093a2eca5dc9fba06c74.zip | |
Remove notBefore and notAfter cacheing.
This cache was added because our time conversion used timegm()
and gmtime() which aren't very cheap. These calls were noticably
expensive when profiling things like rpki-client which do many
X.509 validations.
Now that we convert times using julien seconds from the unix
epoch, BoringSSL style, instead of a julien days from a
Byzantine date, we no longer use timegm() and gmtime().
Since the julien seconds calculaitons are cheap for conversion,
we don't need to bother caching this, it doesn't have a noticable
performance impact.
While we are at this correct a bug where
x509_verify_asn1_time_to_time_t was not NULL safe.
Tested for performance regressions by tb@ and job@
ok tb@ job@
Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.c')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 24 |
1 files changed, 3 insertions, 21 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 5399658639..501f5e5710 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_vfy.c,v 1.142 2024/03/02 10:40:05 tb Exp $ */ | 1 | /* $OpenBSD: x509_vfy.c,v 1.143 2024/04/08 23:46:21 beck Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1744,18 +1744,6 @@ verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err) | |||
| 1744 | return ctx->verify_cb(0, ctx); | 1744 | return ctx->verify_cb(0, ctx); |
| 1745 | } | 1745 | } |
| 1746 | 1746 | ||
| 1747 | |||
| 1748 | /* Mimic OpenSSL '0 for failure' ick */ | ||
| 1749 | static int | ||
| 1750 | time_t_bogocmp(time_t a, time_t b) | ||
| 1751 | { | ||
| 1752 | if (a == -1 || b == -1) | ||
| 1753 | return 0; | ||
| 1754 | if (a <= b) | ||
| 1755 | return -1; | ||
| 1756 | return 1; | ||
| 1757 | } | ||
| 1758 | |||
| 1759 | /* | 1747 | /* |
| 1760 | * Check certificate validity times. | 1748 | * Check certificate validity times. |
| 1761 | * | 1749 | * |
| @@ -1777,10 +1765,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) | |||
| 1777 | else | 1765 | else |
| 1778 | ptime = time(NULL); | 1766 | ptime = time(NULL); |
| 1779 | 1767 | ||
| 1780 | if (x->ex_flags & EXFLAG_SET) | 1768 | i = X509_cmp_time(X509_get_notBefore(x), &ptime); |
| 1781 | i = time_t_bogocmp(x->not_before, ptime); | ||
| 1782 | else | ||
| 1783 | i = X509_cmp_time(X509_get_notBefore(x), &ptime); | ||
| 1784 | 1769 | ||
| 1785 | if (i >= 0 && depth < 0) | 1770 | if (i >= 0 && depth < 0) |
| 1786 | return 0; | 1771 | return 0; |
| @@ -1791,10 +1776,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) | |||
| 1791 | X509_V_ERR_CERT_NOT_YET_VALID)) | 1776 | X509_V_ERR_CERT_NOT_YET_VALID)) |
| 1792 | return 0; | 1777 | return 0; |
| 1793 | 1778 | ||
| 1794 | if (x->ex_flags & EXFLAG_SET) | 1779 | i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1); |
| 1795 | i = time_t_bogocmp(x->not_after, ptime); | ||
| 1796 | else | ||
| 1797 | i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1); | ||
| 1798 | 1780 | ||
| 1799 | if (i <= 0 && depth < 0) | 1781 | if (i <= 0 && depth < 0) |
| 1800 | return 0; | 1782 | return 0; |