Add support for disabling certificate and CRL validity checking.

Loosely based on changes in OpenSSL. ok beck@
author: jsing <> 2015-09-14 16:13:39 +0000
committer: jsing <> 2015-09-14 16:13:39 +0000
commit: 0f763b25777f63f3832ab70f6b1fccb6ee041476 (patch)
tree: 40548d8c11ad3fb893a9bacd91ce393db1391112 /src/lib
parent: 0199cfad0795530b289178635afa2b2407f1a068 (diff)
download: openbsd-0f763b25777f63f3832ab70f6b1fccb6ee041476.tar.gz
openbsd-0f763b25777f63f3832ab70f6b1fccb6ee041476.tar.bz2
openbsd-0f763b25777f63f3832ab70f6b1fccb6ee041476.zip
4 files changed, 30 insertions, 22 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index f2dc356dc8..8d4d15668e 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.44 2015/07/19 05:42:55 miod Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.45 2015/09/14 16:13:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -758,15 +758,17 @@ err:
 static int
 check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
 {
-        time_t *ptime;
+        time_t *ptime = NULL;
        int i;
-        if (notify)
+        if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
-                ctx->current_crl = crl;
+                return (1);
        if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
                ptime = &ctx->param->check_time;
-        else
-                ptime = NULL;
+        if (notify)
+                ctx->current_crl = crl;
        i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
        if (i == 0) {
@@ -1489,13 +1491,14 @@ check_policy(X509_STORE_CTX *ctx)
 int
 x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 {
-        time_t *ptime;
+        time_t *ptime = NULL;
        int i;
+        if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+                return (1);
        if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
                ptime = &ctx->param->check_time;
-        else
-                ptime = NULL;
        i = X509_cmp_time(X509_get_notBefore(x), ptime);
        if (i == 0) {
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index e760279b52..e3a1db2407 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.15 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.16 2015/09/14 16:13:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -383,7 +383,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_USE_DELTAS                  0x2000
 /* Check selfsigned CA signature */
 #define X509_V_FLAG_CHECK_SS_SIGNATURE          0x4000
+/* Do not check certificate or CRL validity against current time. */
+#define X509_V_FLAG_NO_CHECK_TIME               0x200000
 #define X509_VP_FLAG_DEFAULT                    0x1
 #define X509_VP_FLAG_OVERWRITE                  0x2
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index f2dc356dc8..8d4d15668e 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.44 2015/07/19 05:42:55 miod Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.45 2015/09/14 16:13:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -758,15 +758,17 @@ err:
 static int
 check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
 {
-        time_t *ptime;
+        time_t *ptime = NULL;
        int i;
-        if (notify)
+        if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
-                ctx->current_crl = crl;
+                return (1);
        if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
                ptime = &ctx->param->check_time;
-        else
-                ptime = NULL;
+        if (notify)
+                ctx->current_crl = crl;
        i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
        if (i == 0) {
@@ -1489,13 +1491,14 @@ check_policy(X509_STORE_CTX *ctx)
 int
 x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 {
-        time_t *ptime;
+        time_t *ptime = NULL;
        int i;
+        if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+                return (1);
        if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
                ptime = &ctx->param->check_time;
-        else
-                ptime = NULL;
        i = X509_cmp_time(X509_get_notBefore(x), ptime);
        if (i == 0) {
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.h b/src/lib/libssl/src/crypto/x509/x509_vfy.h
index e760279b52..e3a1db2407 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.h
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.15 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.16 2015/09/14 16:13:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -383,7 +383,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_USE_DELTAS                  0x2000
 /* Check selfsigned CA signature */
 #define X509_V_FLAG_CHECK_SS_SIGNATURE          0x4000
+/* Do not check certificate or CRL validity against current time. */
+#define X509_V_FLAG_NO_CHECK_TIME               0x200000
 #define X509_VP_FLAG_DEFAULT                    0x1
 #define X509_VP_FLAG_OVERWRITE                  0x2
author	jsing <>	2015-09-14 16:13:39 +0000
committer	jsing <>	2015-09-14 16:13:39 +0000
commit	0f763b25777f63f3832ab70f6b1fccb6ee041476 (patch)
tree	40548d8c11ad3fb893a9bacd91ce393db1391112 /src/lib
parent	0199cfad0795530b289178635afa2b2407f1a068 (diff)
download	openbsd-0f763b25777f63f3832ab70f6b1fccb6ee041476.tar.gz openbsd-0f763b25777f63f3832ab70f6b1fccb6ee041476.tar.bz2 openbsd-0f763b25777f63f3832ab70f6b1fccb6ee041476.zip

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index f2dc356dc8..8d4d15668e 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.44 2015/07/19 05:42:55 miod Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.45 2015/09/14 16:13:39 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -758,15 +758,17 @@ err:
758	static int	758	static int
759	check_crl_time(X509_STORE_CTX ctx, X509_CRL crl, int notify)	759	check_crl_time(X509_STORE_CTX ctx, X509_CRL crl, int notify)
760	{	760	{
761	time_t *ptime;	761	time_t *ptime = NULL;
762	int i;	762	int i;
763		763
764	if (notify)	764	if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
765	ctx->current_crl = crl;	765	return (1);
		766
766	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)	767	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
767	ptime = &ctx->param->check_time;	768	ptime = &ctx->param->check_time;
768	else	769
769	ptime = NULL;	770	if (notify)
		771	ctx->current_crl = crl;
770		772
771	i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);	773	i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
772	if (i == 0) {	774	if (i == 0) {
@@ -1489,13 +1491,14 @@ check_policy(X509_STORE_CTX *ctx)
1489	int	1491	int
1490	x509_check_cert_time(X509_STORE_CTX ctx, X509 x, int quiet)	1492	x509_check_cert_time(X509_STORE_CTX ctx, X509 x, int quiet)
1491	{	1493	{
1492	time_t *ptime;	1494	time_t *ptime = NULL;
1493	int i;	1495	int i;
1494		1496
		1497	if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
		1498	return (1);
		1499
1495	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)	1500	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1496	ptime = &ctx->param->check_time;	1501	ptime = &ctx->param->check_time;
1497	else
1498	ptime = NULL;
1499		1502
1500	i = X509_cmp_time(X509_get_notBefore(x), ptime);	1503	i = X509_cmp_time(X509_get_notBefore(x), ptime);
1501	if (i == 0) {	1504	if (i == 0) {


diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h index e760279b52..e3a1db2407 100644 --- a/src/lib/libcrypto/x509/x509_vfy.h +++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.h,v 1.15 2015/02/07 13:19:15 doug Exp $ */	1	/* $OpenBSD: x509_vfy.h,v 1.16 2015/09/14 16:13:39 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -383,7 +383,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
383	#define X509_V_FLAG_USE_DELTAS 0x2000	383	#define X509_V_FLAG_USE_DELTAS 0x2000
384	/* Check selfsigned CA signature */	384	/* Check selfsigned CA signature */
385	#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000	385	#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
386		386	/* Do not check certificate or CRL validity against current time. */
		387	#define X509_V_FLAG_NO_CHECK_TIME 0x200000
387		388
388	#define X509_VP_FLAG_DEFAULT 0x1	389	#define X509_VP_FLAG_DEFAULT 0x1
389	#define X509_VP_FLAG_OVERWRITE 0x2	390	#define X509_VP_FLAG_OVERWRITE 0x2


diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c index f2dc356dc8..8d4d15668e 100644 --- a/src/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.44 2015/07/19 05:42:55 miod Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.45 2015/09/14 16:13:39 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -758,15 +758,17 @@ err:
758	static int	758	static int
759	check_crl_time(X509_STORE_CTX ctx, X509_CRL crl, int notify)	759	check_crl_time(X509_STORE_CTX ctx, X509_CRL crl, int notify)
760	{	760	{
761	time_t *ptime;	761	time_t *ptime = NULL;
762	int i;	762	int i;
763		763
764	if (notify)	764	if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
765	ctx->current_crl = crl;	765	return (1);
		766
766	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)	767	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
767	ptime = &ctx->param->check_time;	768	ptime = &ctx->param->check_time;
768	else	769
769	ptime = NULL;	770	if (notify)
		771	ctx->current_crl = crl;
770		772
771	i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);	773	i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
772	if (i == 0) {	774	if (i == 0) {
@@ -1489,13 +1491,14 @@ check_policy(X509_STORE_CTX *ctx)
1489	int	1491	int
1490	x509_check_cert_time(X509_STORE_CTX ctx, X509 x, int quiet)	1492	x509_check_cert_time(X509_STORE_CTX ctx, X509 x, int quiet)
1491	{	1493	{
1492	time_t *ptime;	1494	time_t *ptime = NULL;
1493	int i;	1495	int i;
1494		1496
		1497	if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
		1498	return (1);
		1499
1495	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)	1500	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1496	ptime = &ctx->param->check_time;	1501	ptime = &ctx->param->check_time;
1497	else
1498	ptime = NULL;
1499		1502
1500	i = X509_cmp_time(X509_get_notBefore(x), ptime);	1503	i = X509_cmp_time(X509_get_notBefore(x), ptime);
1501	if (i == 0) {	1504	if (i == 0) {


diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.h b/src/lib/libssl/src/crypto/x509/x509_vfy.h index e760279b52..e3a1db2407 100644 --- a/src/lib/libssl/src/crypto/x509/x509_vfy.h +++ b/src/lib/libssl/src/crypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.h,v 1.15 2015/02/07 13:19:15 doug Exp $ */	1	/* $OpenBSD: x509_vfy.h,v 1.16 2015/09/14 16:13:39 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -383,7 +383,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
383	#define X509_V_FLAG_USE_DELTAS 0x2000	383	#define X509_V_FLAG_USE_DELTAS 0x2000
384	/* Check selfsigned CA signature */	384	/* Check selfsigned CA signature */
385	#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000	385	#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
386		386	/* Do not check certificate or CRL validity against current time. */
		387	#define X509_V_FLAG_NO_CHECK_TIME 0x200000
387		388
388	#define X509_VP_FLAG_DEFAULT 0x1	389	#define X509_VP_FLAG_DEFAULT 0x1
389	#define X509_VP_FLAG_OVERWRITE 0x2	390	#define X509_VP_FLAG_OVERWRITE 0x2