diff options
| author | beck <> | 2015-10-19 16:32:37 +0000 |
|---|---|---|
| committer | beck <> | 2015-10-19 16:32:37 +0000 |
| commit | 6aaacba0f3b85544831ba081481b2846d94927ac (patch) | |
| tree | 1e81ee793319364cca7f490012f1e9ab19b2063d /src/lib/libcrypto/x509 | |
| parent | 72f238d6c9f2c670520af9c52a336dfeccdefcdb (diff) | |
| download | openbsd-6aaacba0f3b85544831ba081481b2846d94927ac.tar.gz openbsd-6aaacba0f3b85544831ba081481b2846d94927ac.tar.bz2 openbsd-6aaacba0f3b85544831ba081481b2846d94927ac.zip | |
Stop supporing "legcay" time formats that OpenSSL supports. Rewrite the
utctime and gentime wrappers accordingly. Along with some other cleanup.
this also removes the need for timegm.
ok bcook@ sthen@ jsing@
Diffstat (limited to 'src/lib/libcrypto/x509')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_lcl.h | 1 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 45 |
2 files changed, 24 insertions, 22 deletions
diff --git a/src/lib/libcrypto/x509/x509_lcl.h b/src/lib/libcrypto/x509/x509_lcl.h index 0c1c130d5c..9ffdd01e61 100644 --- a/src/lib/libcrypto/x509/x509_lcl.h +++ b/src/lib/libcrypto/x509/x509_lcl.h | |||
| @@ -58,3 +58,4 @@ | |||
| 58 | 58 | ||
| 59 | int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet); | 59 | int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet); |
| 60 | int asn1_time_parse(const char *, size_t, struct tm *, int); | 60 | int asn1_time_parse(const char *, size_t, struct tm *, int); |
| 61 | int asn1_tm_cmp(struct tm *tm1, struct tm *tm2); | ||
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index c48143f351..159d60b034 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_vfy.c,v 1.46 2015/10/02 15:04:45 beck Exp $ */ | 1 | /* $OpenBSD: x509_vfy.c,v 1.47 2015/10/19 16:32:37 beck Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1648,8 +1648,9 @@ int | |||
| 1648 | X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) | 1648 | X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) |
| 1649 | { | 1649 | { |
| 1650 | time_t time1, time2; | 1650 | time_t time1, time2; |
| 1651 | struct tm tm1; | 1651 | struct tm tm1, tm2; |
| 1652 | int ret = 0; | 1652 | int ret = 0; |
| 1653 | int type; | ||
| 1653 | 1654 | ||
| 1654 | if (cmp_time == NULL) | 1655 | if (cmp_time == NULL) |
| 1655 | time2 = time(NULL); | 1656 | time2 = time(NULL); |
| @@ -1658,9 +1659,15 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) | |||
| 1658 | 1659 | ||
| 1659 | memset(&tm1, 0, sizeof(tm1)); | 1660 | memset(&tm1, 0, sizeof(tm1)); |
| 1660 | 1661 | ||
| 1661 | if (asn1_time_parse(ctm->data, ctm->length, &tm1, 0) == -1) | 1662 | if ((type = asn1_time_parse(ctm->data, ctm->length, &tm1, 0)) == -1) |
| 1662 | goto out; /* invalid time */ | 1663 | goto out; /* invalid time */ |
| 1663 | 1664 | ||
| 1665 | /* RFC 5280 section 4.1.2.5 */ | ||
| 1666 | if (tm1.tm_year < 150 && type != V_ASN1_UTCTIME) | ||
| 1667 | goto out; | ||
| 1668 | if (tm1.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME) | ||
| 1669 | goto out; | ||
| 1670 | |||
| 1664 | /* | 1671 | /* |
| 1665 | * Defensively fail if the time string is not representable as | 1672 | * Defensively fail if the time string is not representable as |
| 1666 | * a time_t. A time_t must be sane if you care about times after | 1673 | * a time_t. A time_t must be sane if you care about times after |
| @@ -1669,10 +1676,12 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) | |||
| 1669 | if ((time1 = timegm(&tm1)) == -1) | 1676 | if ((time1 = timegm(&tm1)) == -1) |
| 1670 | goto out; | 1677 | goto out; |
| 1671 | 1678 | ||
| 1672 | if (time1 <= time2) | 1679 | if (gmtime_r(&time2, &tm2) == NULL) |
| 1673 | ret = -1; | 1680 | goto out; |
| 1674 | else | 1681 | |
| 1675 | ret = 1; | 1682 | ret = asn1_tm_cmp(&tm1, &tm2); |
| 1683 | if (ret == 0) | ||
| 1684 | ret = -1; /* 0 is used for error, so map same to less than */ | ||
| 1676 | out: | 1685 | out: |
| 1677 | return (ret); | 1686 | return (ret); |
| 1678 | } | 1687 | } |
| @@ -1684,28 +1693,20 @@ X509_gmtime_adj(ASN1_TIME *s, long adj) | |||
| 1684 | } | 1693 | } |
| 1685 | 1694 | ||
| 1686 | ASN1_TIME * | 1695 | ASN1_TIME * |
| 1687 | X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) | 1696 | X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_time) |
| 1688 | { | 1697 | { |
| 1689 | return X509_time_adj_ex(s, 0, offset_sec, in_tm); | 1698 | return X509_time_adj_ex(s, 0, offset_sec, in_time); |
| 1690 | } | 1699 | } |
| 1691 | 1700 | ||
| 1692 | ASN1_TIME * | 1701 | ASN1_TIME * |
| 1693 | X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm) | 1702 | X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_time) |
| 1694 | { | 1703 | { |
| 1695 | time_t t; | 1704 | time_t t; |
| 1696 | 1705 | if (in_time == NULL) | |
| 1697 | if (in_tm) | 1706 | t = time(NULL); |
| 1698 | t = *in_tm; | ||
| 1699 | else | 1707 | else |
| 1700 | time(&t); | 1708 | t = *in_time; |
| 1701 | 1709 | ||
| 1702 | if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) { | ||
| 1703 | if (s->type == V_ASN1_UTCTIME) | ||
| 1704 | return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec); | ||
| 1705 | if (s->type == V_ASN1_GENERALIZEDTIME) | ||
| 1706 | return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, | ||
| 1707 | offset_sec); | ||
| 1708 | } | ||
| 1709 | return ASN1_TIME_adj(s, t, offset_day, offset_sec); | 1710 | return ASN1_TIME_adj(s, t, offset_day, offset_sec); |
| 1710 | } | 1711 | } |
| 1711 | 1712 | ||