make public ASN1_time_parse and ASN1_time_tm_cmp to replace former hidden

functions.. document with a man page.
bump majors on libtls, libssl, libcrypto
ok jsing@ guenther@

14 files changed, 133 insertions, 43 deletions

diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c
index aa3cb9994c..fcd3acf9c8 100644
--- a/src/lib/libcrypto/asn1/a_time_tm.c
+++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.9 2015/12/12 21:02:59 beck Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.10 2016/11/04 18:07:23 beck Exp $ */
 /*
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
  *
@@ -30,7 +30,7 @@
 #define UTCTIME_LENGTH 13
 
 int
-asn1_tm_cmp(struct tm *tm1, struct tm *tm2) {
+ASN1_time_tm_cmp(struct tm *tm1, struct tm *tm2) {
         if (tm1->tm_year < tm2->tm_year)
                 return (-1);
         if (tm1->tm_year > tm2->tm_year)
@@ -117,8 +117,8 @@ rfc5280_string_from_tm(struct tm *tm)
  * Parse an RFC 5280 format ASN.1 time string.
  *
  * mode must be:
- * 0 if we expect to parse a time as specified in RFC 5280 from an X509 object.
- * V_ASN1_UTCTIME if we wish to parse on RFC5280 format UTC time.
+ * 0 if we expect to parse a time as specified in RFC 5280 for an X509 object.
+ * V_ASN1_UTCTIME if we wish to parse an RFC5280 format UTC time.
  * V_ASN1_GENERALIZEDTIME if we wish to parse an RFC5280 format Generalized time.
  *
  * Returns:
@@ -130,7 +130,7 @@ rfc5280_string_from_tm(struct tm *tm)
  */
 #define ATOI2(ar)       ((ar) += 2, ((ar)[-2] - '0') * 10 + ((ar)[-1] - '0'))
 int
-asn1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
+ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
 {
         size_t i;
         int type = 0;
@@ -218,7 +218,7 @@ ASN1_TIME_set_string_internal(ASN1_TIME *s, const char *str, int mode)
         int type;
         char *tmp;
 
-        if ((type = asn1_time_parse(str, strlen(str), NULL, mode)) == -1)
+        if ((type = ASN1_time_parse(str, strlen(str), NULL, mode)) == -1)
                 return (0);
         if (mode != 0 && mode != type)
                 return (0);
@@ -315,7 +315,7 @@ ASN1_TIME_check(ASN1_TIME *t)
 {
         if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME)
                 return (0);
-        return (t->type == asn1_time_parse(t->data, t->length, NULL, t->type));
+        return (t->type == ASN1_time_parse(t->data, t->length, NULL, t->type));
 }
 
 ASN1_GENERALIZEDTIME *
@@ -329,7 +329,7 @@ ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
                 return (NULL);
 
         memset(&tm, 0, sizeof(tm));
-        if (t->type != asn1_time_parse(t->data, t->length, &tm, t->type))
+        if (t->type != ASN1_time_parse(t->data, t->length, &tm, t->type))
                 return (NULL);
         if ((str = gentime_string_from_tm(&tm)) == NULL)
                 return (NULL);
@@ -364,7 +364,7 @@ ASN1_UTCTIME_check(ASN1_UTCTIME *d)
 {
         if (d->type != V_ASN1_UTCTIME)
                 return (0);
-        return (d->type == asn1_time_parse(d->data, d->length, NULL, d->type));
+        return (d->type == ASN1_time_parse(d->data, d->length, NULL, d->type));
 }
 
 int
@@ -402,13 +402,13 @@ ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t2)
          * The danger is that users of this function will not
          * differentiate the -2 failure case from t1 < t2.
          */
-        if (asn1_time_parse(s->data, s->length, &tm1, V_ASN1_UTCTIME) == -1)
+        if (ASN1_time_parse(s->data, s->length, &tm1, V_ASN1_UTCTIME) == -1)
                 return (-2); /* XXX */
 
         if (gmtime_r(&t2, &tm2) == NULL)
                 return (-2); /* XXX */
 
-        return asn1_tm_cmp(&tm1, &tm2);
+        return ASN1_time_tm_cmp(&tm1, &tm2);
 }
 
 /*
@@ -420,7 +420,7 @@ ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
 {
         if (d->type != V_ASN1_GENERALIZEDTIME)
                 return (0);
-        return (d->type == asn1_time_parse(d->data, d->length, NULL, d->type));
+        return (d->type == ASN1_time_parse(d->data, d->length, NULL, d->type));
 }
 
 int
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index c5d9b55e40..72fdc72881 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1.h,v 1.34 2015/10/13 16:31:08 jsing Exp $ */
+/* $OpenBSD: asn1.h,v 1.35 2016/11/04 18:07:23 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1357,6 +1357,9 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_WRONG_TAG                                 168
 #define ASN1_R_WRONG_TYPE                                169
 
+
+int ASN1_time_parse(const char *_bytes, size_t _len, struct tm *_tm, int _mode);
+int ASN1_time_tm_cmp(struct tm *_tm1, struct tm *_tm2);
 #ifdef  __cplusplus
 }
 #endif
diff --git a/src/lib/libcrypto/man/ASN1_time_parse.3 b/src/lib/libcrypto/man/ASN1_time_parse.3
new file mode 100644
index 0000000000..e70a292f6d
--- /dev/null
+++ b/src/lib/libcrypto/man/ASN1_time_parse.3
@@ -0,0 +1,94 @@
+.\" $OpenBSD: ASN1_time_parse.3,v 1.1 2016/11/04 18:07:23 beck Exp $
+.\"
+.\" Copyright (c) 2016 Bob Beck <beck@@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: November 4 2016 $
+.Dt ASN1_TIME_PARSE 3
+.Os
+.Sh NAME
+.Nm ASN1_time_parse,
+.Nm ASN1_time_tm_cmp
+.Nd LibreSSL utilities for asn1 format time.
+.Sh SYNOPSIS
+.In asn1.h
+.Ft "int"
+.Fn ASN1_time_parse "const char *bytes" "size_t len" "struct tm *tm" "int mode
+.Ft "int"
+.Fn ASN1_time_tm_cmp "struct tm *tm1" "struct tm *tm2" 
+.Sh DESCRIPTION
+The
+.Nm ASN1_time_parse
+function parses an asn1 time string of
+.Ar len
+bytes starting at
+.Ar bytes .
+The resulting time is stored in
+.Ar tm
+if 
+.Ar tm
+is non NULL. 
+.Pp
+The 
+.Ar mode
+parameter must be one of
+.Bl -bullet -offset four
+.It
+.Ar 0
+to parse a time as specified in RFC 5280 for an X509 object,
+which may be either a UTC time or a Generalized time. 
+.It
+.Ar V_ASN1_UTCTIME
+to parse an RFC 5280 format UTC time.
+.It
+.Ar V_ASN1_GENERALIZEDTIME 
+to parse an RFC 5280 format Generalized time.
+.El
+.Pp
+The
+.Nm ASN1_time_tm_cmp
+function compares two times in
+.Ar tm1
+and
+.Ar tm2
+.Sh RETURN VALUES
+.Nm ASN1_parse_time 
+returns
+.Bl -bullet -offset four
+.It
+.Ar -1
+if the string was invalid for the
+.Ar mode
+specified
+.It
+.Ar V_ASN1_UTCTIME 
+if the string parsed as a valid UTC time.
+.It :
+.Ar V_ASN1_GENERALIZEDTIME 
+if the string parsed as a valid Generalized time.
+.El
+.Pp
+.Nm ASN1_time_tm_cmp
+returns
+.Bl -bullet -offset four
+.It
+.Ar -1
+if tm1 is less than tm2.
+.It
+.Ar 1
+if tm1 is greater than tm2.
+.It
+.Ar 0
+if tm1 is the same as tm2.
+.El
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index a76a03c78a..7819029ff6 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.46 2016/11/04 15:29:03 schwarze Exp $
+# $OpenBSD: Makefile,v 1.47 2016/11/04 18:07:23 beck Exp $
 
 .include <bsd.own.mk>           # for NOMAN
 
@@ -11,6 +11,7 @@ MAN=	\
         ASN1_STRING_new.3 \
         ASN1_STRING_print_ex.3 \
         ASN1_generate_nconf.3 \
+        ASN1_time_parse.3 \
         BF_set_key.3 \
         BIO.3 \
         BIO_ctrl.3 \
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index 86baed8724..40417973f5 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.11 2016/07/16 16:14:28 beck Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.12 2016/11/04 18:07:23 beck Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
  * project. */
 
@@ -71,9 +71,6 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-int asn1_time_parse(const char *, size_t, struct tm *, int);
-int asn1_tm_cmp(struct tm *, struct tm *);
-
 /* Utility functions related to sending OCSP requests and extracting
  * relevant information from the response.
  */
@@ -342,7 +339,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
          */
 
         /* Check thisUpdate is valid and not more than nsec in the future */
-        if (asn1_time_parse(thisupd->data, thisupd->length, &tm_this,
+        if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
             V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
                 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
                     OCSP_R_ERROR_IN_THISUPDATE_FIELD);
@@ -351,7 +348,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                 t_tmp = t_now + nsec;
                 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
                         return 0;
-                if (asn1_tm_cmp(&tm_this, &tm_tmp) > 0) {
+                if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) {
                         OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
                             OCSP_R_STATUS_NOT_YET_VALID);
                         return 0;
@@ -365,7 +362,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                         t_tmp = t_now - maxsec;
                         if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
                                 return 0;
-                        if (asn1_tm_cmp(&tm_this, &tm_tmp) < 0) {
+                        if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
                                 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
                                     OCSP_R_STATUS_TOO_OLD);
                                 return 0;
@@ -377,7 +374,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                 return 1;
 
         /* Check nextUpdate is valid and not more than nsec in the past */
-        if (asn1_time_parse(nextupd->data, nextupd->length, &tm_next,
+        if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
             V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
                 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
                     OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
@@ -386,7 +383,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                 t_tmp = t_now - nsec;
                 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
                         return 0;
-                if (asn1_tm_cmp(&tm_next, &tm_tmp) < 0) {
+                if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
                         OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
                             OCSP_R_STATUS_EXPIRED);
                         return 0;
@@ -394,7 +391,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
         }
 
         /* Also don't allow nextUpdate to precede thisUpdate */
-        if (asn1_tm_cmp(&tm_next, &tm_this) < 0) {
+        if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) {
                 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
                     OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
                 return 0;
diff --git a/src/lib/libcrypto/shlib_version b/src/lib/libcrypto/shlib_version
index cf69944b9d..77935fe957 100644
--- a/src/lib/libcrypto/shlib_version
+++ b/src/lib/libcrypto/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libssl and libtls the same type of bump!
-major=38
-minor=1
+major=39
+minor=0
diff --git a/src/lib/libcrypto/x509/vpm_int.h b/src/lib/libcrypto/x509/vpm_int.h
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/src/lib/libcrypto/x509/vpm_int.h
diff --git a/src/lib/libcrypto/x509/x509_lcl.h b/src/lib/libcrypto/x509/x509_lcl.h
index 9ffdd01e61..b16df78ad7 100644
--- a/src/lib/libcrypto/x509/x509_lcl.h
+++ b/src/lib/libcrypto/x509/x509_lcl.h
@@ -57,5 +57,3 @@
  */
 
 int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
-int asn1_time_parse(const char *, size_t, struct tm *, int);
-int asn1_tm_cmp(struct tm *tm1, struct tm *tm2);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index a9330e1c03..7a6d272023 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.50 2016/10/02 20:45:04 guenther Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.51 2016/11/04 18:07:23 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1658,7 +1658,7 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
 
         memset(&tm1, 0, sizeof(tm1));
 
-        type = asn1_time_parse(ctm->data, ctm->length, &tm1, ctm->type);
+        type = ASN1_time_parse(ctm->data, ctm->length, &tm1, ctm->type);
         if (type == -1)
                 goto out; /* invalid time */
 
@@ -1679,7 +1679,7 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
         if (gmtime_r(&time2, &tm2) == NULL)
                 goto out;
 
-        ret = asn1_tm_cmp(&tm1, &tm2);
+        ret = ASN1_time_tm_cmp(&tm1, &tm2);
         if (ret == 0)
                 ret = -1; /* 0 is used for error, so map same to less than */
  out:
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index 9149d47732..51f4d897f8 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libtls the same type of bump!
-major=39
-minor=1
+major=40
+minor=0
diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version
index faa53892ba..56246d02b2 100644
--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
-major=11
-minor=6
+major=12
+minor=0
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 5882a19cee..1bf4b2285b 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.11 2016/08/22 17:12:35 jsing Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.12 2016/11/04 18:07:24 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -136,9 +136,9 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
                 goto err;
         if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)
                 goto err;
-        if (asn1_time_parse(before->data, before->length, &before_tm, 0) == -1)
+        if (ASN1_time_parse(before->data, before->length, &before_tm, 0) == -1)
                 goto err;
-        if (asn1_time_parse(after->data, after->length, &after_tm, 0) == -1)
+        if (ASN1_time_parse(after->data, after->length, &after_tm, 0) == -1)
                 goto err;
         if ((*notbefore = timegm(&before_tm)) == -1)
                 goto err;
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 0112ceedb9..7b07c96c86 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.46 2016/11/04 05:13:13 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.47 2016/11/04 18:07:24 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -209,6 +209,4 @@ int tls_ocsp_verify_cb(SSL *ssl, void *arg);
 void tls_ocsp_ctx_free(struct tls_ocsp_ctx *ctx);
 struct tls_ocsp_ctx *tls_ocsp_setup_from_peer(struct tls *ctx);
 
-int asn1_time_parse(const char *, size_t, struct tm *, int);
-
 #endif /* HEADER_TLS_INTERNAL_H */
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index af65771f7c..52e90364a7 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -63,7 +63,7 @@ tls_ocsp_asn1_parse_time(struct tls *ctx, ASN1_GENERALIZEDTIME *gt, time_t *gt_t
         if (gt == NULL)
                 return -1;
         /* RFC 6960 specifies that all times in OCSP must be GENERALIZEDTIME */
-        if (asn1_time_parse(gt->data, gt->length, &tm,
+        if (ASN1_time_parse(gt->data, gt->length, &tm,
                 V_ASN1_GENERALIZEDTIME) == -1)
                 return -1;
         if ((*gt_time = timegm(&tm)) == -1)
@@ -258,7 +258,6 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
                                OCSP_crl_reason_str(crl_reason));
                 goto error;
         }
-
         ret = 0;
 
  error: