diff options
| author | schwarze <> | 2021-11-13 18:24:45 +0000 |
|---|---|---|
| committer | schwarze <> | 2021-11-13 18:24:45 +0000 |
| commit | b1d4c337e12b48693723b9228ead6a3604929d27 (patch) | |
| tree | af2b33645fa80d440b575ecb9471393968b5dc08 /src/lib | |
| parent | 89aa3af8a0fb42b0e35d7005c011d5aa3af3c2cc (diff) | |
| download | openbsd-b1d4c337e12b48693723b9228ead6a3604929d27.tar.gz openbsd-b1d4c337e12b48693723b9228ead6a3604929d27.tar.bz2 openbsd-b1d4c337e12b48693723b9228ead6a3604929d27.zip | |
Fix a bug in check_crl_time() that could result in incomplete
verification, accepting CRLs that ought to be rejected, if an unusual
combination of verification flags was specified.
If time verification was explicitly requested with
X509_V_FLAG_USE_CHECK_TIME, it was skipped on CRLs if
X509_V_FLAG_NO_CHECK_TIME was also set, even though the former is
documented to override the latter both in the OpenSSL and in the
LibreSSL X509_VERIFY_PARAM_set_flags(3) manual page.
The same bug in x509_check_cert_time() was already fixed by beck@
in rev. 1.57 on 2017/01/20.
This syncs the beginning of the function check_crl_time() with the
OpenSSL 1.1.1 branch, which is still under a free license.
OK beck@
This teaches that having too many flags and options is bad because they
breed bugs, and even more so if they are poorly designed to override
each other in surprising ways.
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index a36cc8ef71..b044f4931e 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_vfy.c,v 1.96 2021/11/07 15:52:38 tb Exp $ */ | 1 | /* $OpenBSD: x509_vfy.c,v 1.97 2021/11/13 18:24:45 schwarze Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1080,17 +1080,17 @@ err: | |||
| 1080 | static int | 1080 | static int |
| 1081 | check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) | 1081 | check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) |
| 1082 | { | 1082 | { |
| 1083 | time_t *ptime = NULL; | 1083 | time_t *ptime; |
| 1084 | int i; | 1084 | int i; |
| 1085 | 1085 | ||
| 1086 | if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) | ||
| 1087 | return (1); | ||
| 1088 | |||
| 1089 | if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) | ||
| 1090 | ptime = &ctx->param->check_time; | ||
| 1091 | |||
| 1092 | if (notify) | 1086 | if (notify) |
| 1093 | ctx->current_crl = crl; | 1087 | ctx->current_crl = crl; |
| 1088 | if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) | ||
| 1089 | ptime = &ctx->param->check_time; | ||
| 1090 | else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) | ||
| 1091 | return (1); | ||
| 1092 | else | ||
| 1093 | ptime = NULL; | ||
| 1094 | 1094 | ||
| 1095 | i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); | 1095 | i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); |
| 1096 | if (i == 0) { | 1096 | if (i == 0) { |