Convert libressl to use the BoringSSL style time conversions

This gets rid of our last uses of timegm and gmtime in the library and things that ship with it. It includes a bit of refactoring in ocsp_cl.c to remove some obvious ugly. ok tb@
author: beck <> 2024-03-24 11:30:12 +0000
committer: beck <> 2024-03-24 11:30:12 +0000
commit: 5176ab31ca58949fc78b5b06b23adf63a83b9c44 (patch)
tree: af867a635253990b4a88720849f04a8a6bb5d8b3 /src/lib/libcrypto
parent: c84d6a97971ee756cdbcf3936caaeaa66a6d2289 (diff)
download: openbsd-5176ab31ca58949fc78b5b06b23adf63a83b9c44.tar.gz
openbsd-5176ab31ca58949fc78b5b06b23adf63a83b9c44.tar.bz2
openbsd-5176ab31ca58949fc78b5b06b23adf63a83b9c44.zip
2 files changed, 36 insertions, 43 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index 5ef2226785..d8ee33c391 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.24 2024/03/02 09:08:41 tb Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
 * project. */
@@ -68,6 +68,7 @@
 #include <openssl/ocsp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include <openssl/posix_time.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -394,69 +395,61 @@ int
 OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
    ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
 {
-        time_t t_now, t_tmp;
+        int64_t posix_next, posix_this, posix_now;
-        struct tm tm_this, tm_next, tm_tmp;
+        struct tm tm_this, tm_next;
-        time(&t_now);
+        /* Negative values of nsec make no sense */
+        if (nsec < 0)
+                return 0;
+        posix_now = time(NULL);
        /*
         * Times must explicitly be a GENERALIZEDTIME as per section
         * 4.2.2.1 of RFC 6960 - It is invalid to accept other times
         * (such as UTCTIME permitted/required by RFC 5280 for certificates)
         */
+        /* Check that thisUpdate is valid. */
-        /* Check thisUpdate is valid and not more than nsec in the future */
        if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
            V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
                OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);
                return 0;
-        } else {
+        }
-                t_tmp = t_now + nsec;
+        if (!OPENSSL_tm_to_posix(&tm_this, &posix_this))
-                if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
+                return 0;
-                        return 0;
+        /* thisUpdate must not be more than nsec in the future. */
-                if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) {
+        if (posix_this - nsec > posix_now) {
-                        OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
+                OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
-                        return 0;
+                return 0;
-                }
+        }
+        /* thisUpdate must not be more than maxsec seconds in the past. */
-                /*
+        if (maxsec >= 0 && posix_this < posix_now - maxsec) {
-                 * If maxsec specified check thisUpdate is not more than maxsec
+                OCSPerror(OCSP_R_STATUS_TOO_OLD);
-                 * in the past
+                return 0;
-                 */
-                if (maxsec >= 0) {
-                        t_tmp = t_now - maxsec;
-                        if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
-                                return 0;
-                        if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
-                                OCSPerror(OCSP_R_STATUS_TOO_OLD);
-                                return 0;
-                        }
-                }
        }
-        if (!nextupd)
+        /* RFC 6960 section 4.2.2.1 allows for servers to not set nextUpdate */
+        if (nextupd == NULL)
                return 1;
-        /* Check nextUpdate is valid and not more than nsec in the past */
+        /* Check that nextUpdate is valid. */
        if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
            V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
                OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
                return 0;
-        } else {
-                t_tmp = t_now - nsec;
-                if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
-                        return 0;
-                if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
-                        OCSPerror(OCSP_R_STATUS_EXPIRED);
-                        return 0;
-                }
        }
+        if (!OPENSSL_tm_to_posix(&tm_next, &posix_next))
-        /* Also don't allow nextUpdate to precede thisUpdate */
+                return 0;
-        if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) {
+        /* Don't allow nextUpdate to precede thisUpdate. */
+        if (posix_next < posix_this) {
                OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
                return 0;
        }
+        /* nextUpdate must not be more than nsec seconds in the past. */
+        if (posix_next + nsec  < posix_now) {
+                OCSPerror(OCSP_R_STATUS_EXPIRED);
+                return 0;
+        }
        return 1;
 }
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index 3013cffbc5..8eb687aab1 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.32 2023/08/22 08:09:36 tb Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.33 2024/03/24 11:30:12 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -999,7 +999,7 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
        if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
                goto err;
-        if (!(tm = gmtime(&sec)))
+        if (OPENSSL_gmtime(&sec, tm) == NULL)
                goto err;
        /*
author	beck <>	2024-03-24 11:30:12 +0000
committer	beck <>	2024-03-24 11:30:12 +0000
commit	5176ab31ca58949fc78b5b06b23adf63a83b9c44 (patch)
tree	af867a635253990b4a88720849f04a8a6bb5d8b3 /src/lib/libcrypto
parent	c84d6a97971ee756cdbcf3936caaeaa66a6d2289 (diff)
download	openbsd-5176ab31ca58949fc78b5b06b23adf63a83b9c44.tar.gz openbsd-5176ab31ca58949fc78b5b06b23adf63a83b9c44.tar.bz2 openbsd-5176ab31ca58949fc78b5b06b23adf63a83b9c44.zip

diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c index 5ef2226785..d8ee33c391 100644 --- a/src/lib/libcrypto/ocsp/ocsp_cl.c +++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ocsp_cl.c,v 1.24 2024/03/02 09:08:41 tb Exp $ */	1	/* $OpenBSD: ocsp_cl.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
2	/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL	2	/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3	* project. */	3	* project. */
4		4
@@ -68,6 +68,7 @@
68	#include <openssl/ocsp.h>	68	#include <openssl/ocsp.h>
69	#include <openssl/objects.h>	69	#include <openssl/objects.h>
70	#include <openssl/pem.h>	70	#include <openssl/pem.h>
		71	#include <openssl/posix_time.h>
71	#include <openssl/x509.h>	72	#include <openssl/x509.h>
72	#include <openssl/x509v3.h>	73	#include <openssl/x509v3.h>
73		74
@@ -394,69 +395,61 @@ int
394	OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,	395	OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
395	ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)	396	ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
396	{	397	{
397	time_t t_now, t_tmp;	398	int64_t posix_next, posix_this, posix_now;
398	struct tm tm_this, tm_next, tm_tmp;	399	struct tm tm_this, tm_next;
399		400
400	time(&t_now);	401	/* Negative values of nsec make no sense */
		402	if (nsec < 0)
		403	return 0;
		404
		405	posix_now = time(NULL);
401		406
402	/*	407	/*
403	* Times must explicitly be a GENERALIZEDTIME as per section	408	* Times must explicitly be a GENERALIZEDTIME as per section
404	* 4.2.2.1 of RFC 6960 - It is invalid to accept other times	409	* 4.2.2.1 of RFC 6960 - It is invalid to accept other times
405	* (such as UTCTIME permitted/required by RFC 5280 for certificates)	410	* (such as UTCTIME permitted/required by RFC 5280 for certificates)
406	*/	411	*/
407		412	/* Check that thisUpdate is valid. */
408	/* Check thisUpdate is valid and not more than nsec in the future */
409	if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,	413	if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
410	V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {	414	V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
411	OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);	415	OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);
412	return 0;	416	return 0;
413	} else {	417	}
414	t_tmp = t_now + nsec;	418	if (!OPENSSL_tm_to_posix(&tm_this, &posix_this))
415	if (gmtime_r(&t_tmp, &tm_tmp) == NULL)	419	return 0;
416	return 0;	420	/* thisUpdate must not be more than nsec in the future. */
417	if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) {	421	if (posix_this - nsec > posix_now) {
418	OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);	422	OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
419	return 0;	423	return 0;
420	}	424	}
421		425	/* thisUpdate must not be more than maxsec seconds in the past. */
422	/*	426	if (maxsec >= 0 && posix_this < posix_now - maxsec) {
423	* If maxsec specified check thisUpdate is not more than maxsec	427	OCSPerror(OCSP_R_STATUS_TOO_OLD);
424	* in the past	428	return 0;
425	*/
426	if (maxsec >= 0) {
427	t_tmp = t_now - maxsec;
428	if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
429	return 0;
430	if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
431	OCSPerror(OCSP_R_STATUS_TOO_OLD);
432	return 0;
433	}
434	}
435	}	429	}
436		430
437	if (!nextupd)	431	/* RFC 6960 section 4.2.2.1 allows for servers to not set nextUpdate */
		432	if (nextupd == NULL)
438	return 1;	433	return 1;
439		434
440	/* Check nextUpdate is valid and not more than nsec in the past */	435	/* Check that nextUpdate is valid. */
441	if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,	436	if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
442	V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {	437	V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
443	OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);	438	OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
444	return 0;	439	return 0;
445	} else {
446	t_tmp = t_now - nsec;
447	if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
448	return 0;
449	if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
450	OCSPerror(OCSP_R_STATUS_EXPIRED);
451	return 0;
452	}
453	}	440	}
454		441	if (!OPENSSL_tm_to_posix(&tm_next, &posix_next))
455	/* Also don't allow nextUpdate to precede thisUpdate */	442	return 0;
456	if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) {	443	/* Don't allow nextUpdate to precede thisUpdate. */
		444	if (posix_next < posix_this) {
457	OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);	445	OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
458	return 0;	446	return 0;
459	}	447	}
		448	/* nextUpdate must not be more than nsec seconds in the past. */
		449	if (posix_next + nsec < posix_now) {
		450	OCSPerror(OCSP_R_STATUS_EXPIRED);
		451	return 0;
		452	}
460		453
461	return 1;	454	return 1;
462	}	455	}


diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c index 3013cffbc5..8eb687aab1 100644 --- a/src/lib/libcrypto/ts/ts_rsp_sign.c +++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_rsp_sign.c,v 1.32 2023/08/22 08:09:36 tb Exp $ */	1	/* $OpenBSD: ts_rsp_sign.c,v 1.33 2024/03/24 11:30:12 beck Exp $ */
2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3	* project 2002.	3	* project 2002.
4	*/	4	*/
@@ -999,7 +999,7 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
999	if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)	999	if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
1000	goto err;	1000	goto err;
1001		1001
1002	if (!(tm = gmtime(&sec)))	1002	if (OPENSSL_gmtime(&sec, tm) == NULL)
1003	goto err;	1003	goto err;
1004		1004
1005	/*	1005	/*