authorbeck <>2024-04-08 19:57:40 +0000
committerbeck <>2024-04-08 19:57:40 +0000
commit9b894dc1e52d28085c180c2a2584f86b2cc867e0 (patch)
tree619c34426de3801d9a839cd449bde5dac9c734e7 /src
parent7c47e205b5035b62d024838e10da7aa8d6858336 (diff)
Make ASN1_TIME_set_string_X509 and ASN1_TIME_set_string match the man page
This makes it where people can't put dumb values in certs without trying harder, and changes the regress to test this. GENERALIZED times outside of the RFC5280 spec are required for OCSP but these should be constructed with the GENERALIZED time string setters. ok tb@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/asn1/a_time_tm.c40
-rw-r--r--src/regress/lib/libcrypto/asn1/asn1time.c50
-rw-r--r--src/regress/lib/libcrypto/asn1/rfc5280time.c9
3 files changed, 60 insertions, 39 deletions
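--- a/src/lib/libcrypto/asn1/a_time_tm.c
+++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.33 2024/03/02 09:10:42 tb Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.34 2024/04/08 19:57:40 beck Exp $ */
 /*
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
  *
@@ -160,15 +160,7 @@ tm_to_utctime(struct tm *tm, ASN1_TIME *atime)
 ASN1_TIME *
 tm_to_rfc5280_time(struct tm *tm, ASN1_TIME *atime)
 {
-	int year;
-
-	year = tm->tm_year + 1900;
-	if (year < 1950 || year > 9999) {
-		ASN1error(ASN1_R_ILLEGAL_TIME_VALUE);
-		return (NULL);
-	}
-
-	if (year < 2050)
+	if (tm->tm_year >= 50 && tm->tm_year < 150)
 		return (tm_to_utctime(tm, atime));
 
 	return (tm_to_gentime(tm, atime));
@@ -352,25 +344,21 @@ ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
 static int
 ASN1_TIME_set_string_internal(ASN1_TIME *s, const char *str, int mode)
 {
+	struct tm tm;
 	int type;
-	char *tmp;
 
-	if ((type = ASN1_time_parse(str, strlen(str), NULL, mode)) == -1)
-		return (0);
-	if (mode != 0 && mode != type)
+	if ((type = ASN1_time_parse(str, strlen(str), &tm, mode)) == -1)
 		return (0);
-
-	if (s == NULL)
-		return (1);
-
-	if ((tmp = strdup(str)) == NULL)
+	switch(mode) {
+	case V_ASN1_UTCTIME:
+		return (type == mode && tm_to_utctime(&tm, s) != NULL);
+	case V_ASN1_GENERALIZEDTIME:
+		return (type == mode && tm_to_gentime(&tm, s) != NULL);
+	case RFC5280:
+		return (tm_to_rfc5280_time(&tm, s) != NULL);
+	default:
 		return (0);
-	free(s->data);
-	s->data = tmp;
-	s->length = strlen(tmp);
-	s->type = type;
-
-	return (1);
+	}
 }
 
 static ASN1_TIME *
@@ -448,7 +436,7 @@ LCRYPTO_ALIAS(ASN1_TIME_to_generalizedtime);
 int
 ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
 {
-	return (ASN1_TIME_set_string_internal(s, str, 0));
+	return (ASN1_TIME_set_string_internal(s, str, RFC5280));
 }
 LCRYPTO_ALIAS(ASN1_TIME_set_string);
 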
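Review bot: ASN1_TIME_set_string_internal no longer short-circuits on `s == NULL`, yet the regress in this same commit still calls `ASN1_TIME_set_string(NULL, att->str)` and expects 1, so every branch of the new switch now hands a NULL ASN1_TIME to tm_to_utctime/tm_to_gentime/tm_to_rfc5280_time (bodies not in the hunk). If those helpers allocate a fresh ASN1_TIME when `atime` is NULL, the validate-only call leaks one object per invocation; if they do not, it dereferences NULL — either way the NULL contract should be explicit in this function, e.g. `if (s == NULL) return (1);` right after the parse succeeds. Separately, the `year < 1950` rejection dropped from tm_to_rfc5280_time means a tm before 1950 now falls through to tm_to_gentime; that is probably unreachable through the RFC5280 parser, but callers that build the tm from a time_t (outside this hunk) would get a GeneralizedTime for a date RFC 5280 requires as UTCTime, where the old code returned ASN1_R_ILLEGAL_TIME_VALUE. Minor: `switch(mode)` wants a space after the keyword to match the file's KNF style.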
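--- a/src/regress/lib/libcrypto/asn1/asn1time.c
+++ b/src/regress/lib/libcrypto/asn1/asn1time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1time.c,v 1.25 2024/02/18 22:17:01 tb Exp $ */
+/* $OpenBSD: asn1time.c,v 1.26 2024/04/08 19:57:40 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2024 Google Inc.
@@ -420,6 +420,7 @@ static int
 asn1_time_test(int test_no, const struct asn1_time_test *att, int type)
 {
 	ASN1_TIME *t = NULL, *tx509 = NULL;
+	char *parsed_time = NULL;
 	int failure = 1;
 
 	if (ASN1_TIME_set_string(NULL, att->str) != 1) {
@@ -434,9 +435,27 @@ asn1_time_test(int test_no, const struct asn1_time_test *att, int type)
 	if ((tx509 = ASN1_TIME_new()) == NULL)
 		goto done;
 
-	if (ASN1_TIME_set_string(t, att->str) != 1) {
-		fprintf(stderr, "FAIL: test %d - failed to set string '%s'\n",
-		    test_no, att->str);
+	switch (strlen(att->str)) {
+	case 13:
+		t->type = V_ASN1_UTCTIME;
+		if (ASN1_UTCTIME_set_string(t, att->str) != 1) {
+			fprintf(stderr, "FAIL: test %d - failed to set utc "
+			    "string '%s'\n",
+			    test_no, att->str);
+			goto done;
+		}
+		break;
+	case 15:
+		t->type = V_ASN1_GENERALIZEDTIME;
+		if (ASN1_GENERALIZEDTIME_set_string(t, att->str) != 1) {
+			fprintf(stderr, "FAIL: test %d - failed to set gen "
+			    "string '%s'\n",
+			    test_no, att->str);
+			goto done;
+		}
+		break;
+	default:
+		fprintf(stderr, "FAIL: unknown type\n");
 		goto done;
 	}
 
@@ -446,13 +465,33 @@ asn1_time_test(int test_no, const struct asn1_time_test *att, int type)
 		goto done;
 	}
 
+	if ((parsed_time = strdup(t->data)) == NULL)
+		goto done;
+
 	if (ASN1_TIME_normalize(t) != 1) {
 		fprintf(stderr, "FAIL: test %d - failed to set normalize '%s'\n",
 		    test_no, att->str);
 		goto done;
 	}
 
-	if (ASN1_TIME_set_string_X509(tx509, t->data) != 1) {
+	if (ASN1_TIME_set_string_X509(tx509, parsed_time) != 1) {
+		fprintf(stderr, "FAIL: test %d - failed to set string X509 '%s'\n",
+		    test_no, t->data);
+		goto done;
+	}
+
+	if (t->type != tx509->type) {
+		fprintf(stderr, "FAIL: test %d - type %d, different from %d\n",
+		    test_no, t->type, tx509->type);
+		goto done;
+	}
+
+	if (ASN1_TIME_compare(t, tx509) != 0) {
+		fprintf(stderr, "FAIL: ASN1_TIME values differ!\n");
+		goto done;
+	}
+
+	if (ASN1_TIME_set_string(tx509, parsed_time) != 1) {
 		fprintf(stderr, "FAIL: test %d - failed to set string X509 '%s'\n",
 		    test_no, t->data);
 		goto done;
@@ -476,6 +515,7 @@ asn1_time_test(int test_no, const struct asn1_time_test *att, int type)
 
 	ASN1_TIME_free(t);
 	ASN1_TIME_free(tx509);
+	free(parsed_time);
 
 	return (failure);
 }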
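Review bot: The failure message after the new `ASN1_TIME_set_string(tx509, parsed_time)` check is a copy of the X509 one above it, so a failure here is reported as "failed to set string X509" and prints `t->data` (the already-normalized value) instead of the `parsed_time` string that was actually passed; the X509 check just before it has the same argument/printed-value mismatch. Suggest `fprintf(stderr, "FAIL: test %d - failed to set string '%s'\n", test_no, parsed_time);` for the second and printing `parsed_time` in the first, so a regress failure shows the input that was rejected. The `default:` branch of the new length switch also drops the `test_no` and `att->str` that every other FAIL line in this function reports, e.g. `fprintf(stderr, "FAIL: test %d - unexpected length for '%s'\n", test_no, att->str);`. Parts of asn1_time_test between the hunks are not shown here.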
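--- a/src/regress/lib/libcrypto/asn1/rfc5280time.c
+++ b/src/regress/lib/libcrypto/asn1/rfc5280time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rfc5280time.c,v 1.7 2022/09/05 21:12:08 tb Exp $ */
+/* $OpenBSD: rfc5280time.c,v 1.8 2024/04/08 19:57:40 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@opebsd.org>
@@ -234,13 +234,6 @@ rfc5280_invtime_test(int test_no, struct rfc5280_time_test *att)
 			goto done;
 		}
 	}
-	if (ASN1_TIME_set_string(t, att->str) != 0) {
-		if (X509_cmp_time(t, &now) != 0) {
-			fprintf(stderr, "FAIL: test %d - successfully parsed as UTCTIME "
-			    "string '%s'\n", test_no, att->str);
-			goto done;
-		}
-	}
 
 	failure = 0;
 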