Fix from kinichiro.inoguchi@gmail.com to ensure that OCSP uses

Generalized Time on requests as per RFC6960
author: beck <> 2016-06-25 16:10:26 +0000
committer: beck <> 2016-06-25 16:10:26 +0000
commit: 9c7ce0e373193152baa3074a5e6ec4a358cc48f9 (patch)
tree: a2501be7408a7472810ff5c3a6e4767a6f11bffb /src
parent: 1f2ce7f699960512a4fcf3ed64c452a986dbc6cc (diff)
download: openbsd-9c7ce0e373193152baa3074a5e6ec4a358cc48f9.tar.gz
openbsd-9c7ce0e373193152baa3074a5e6ec4a358cc48f9.tar.bz2
openbsd-9c7ce0e373193152baa3074a5e6ec4a358cc48f9.zip
2 files changed, 4 insertions, 4 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
index 8f28916757..1f8aa3141e 100644
--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ b/src/lib/libcrypto/ocsp/ocsp_srv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_srv.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: ocsp_srv.c,v 1.8 2016/06/25 16:10:26 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -260,7 +260,7 @@ OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
        }
        if (!(flags & OCSP_NOTIME) &&
-            !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+            !ASN1_GENERALIZEDTIME_set(brsp->tbsResponseData->producedAt, time(NULL)))
                goto err;
        /* Right now, I think that not doing double hashing is the right
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
index 8f28916757..1f8aa3141e 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_srv.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: ocsp_srv.c,v 1.8 2016/06/25 16:10:26 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -260,7 +260,7 @@ OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
        }
        if (!(flags & OCSP_NOTIME) &&
-            !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+            !ASN1_GENERALIZEDTIME_set(brsp->tbsResponseData->producedAt, time(NULL)))
                goto err;
        /* Right now, I think that not doing double hashing is the right
author	beck <>	2016-06-25 16:10:26 +0000
committer	beck <>	2016-06-25 16:10:26 +0000
commit	9c7ce0e373193152baa3074a5e6ec4a358cc48f9 (patch)
tree	a2501be7408a7472810ff5c3a6e4767a6f11bffb /src
parent	1f2ce7f699960512a4fcf3ed64c452a986dbc6cc (diff)
download	openbsd-9c7ce0e373193152baa3074a5e6ec4a358cc48f9.tar.gz openbsd-9c7ce0e373193152baa3074a5e6ec4a358cc48f9.tar.bz2 openbsd-9c7ce0e373193152baa3074a5e6ec4a358cc48f9.zip

diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c index 8f28916757..1f8aa3141e 100644 --- a/src/lib/libcrypto/ocsp/ocsp_srv.c +++ b/src/lib/libcrypto/ocsp/ocsp_srv.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ocsp_srv.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */	1	/* $OpenBSD: ocsp_srv.c,v 1.8 2016/06/25 16:10:26 beck Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2001.	3	* project 2001.
4	*/	4	*/
@@ -260,7 +260,7 @@ OCSP_basic_sign(OCSP_BASICRESP brsp, X509 signer, EVP_PKEY *key,
260	}	260	}
261		261
262	if (!(flags & OCSP_NOTIME) &&	262	if (!(flags & OCSP_NOTIME) &&
263	!X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))	263	!ASN1_GENERALIZEDTIME_set(brsp->tbsResponseData->producedAt, time(NULL)))
264	goto err;	264	goto err;
265		265
266	/* Right now, I think that not doing double hashing is the right	266	/* Right now, I think that not doing double hashing is the right


diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c index 8f28916757..1f8aa3141e 100644 --- a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c +++ b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ocsp_srv.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */	1	/* $OpenBSD: ocsp_srv.c,v 1.8 2016/06/25 16:10:26 beck Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2001.	3	* project 2001.
4	*/	4	*/
@@ -260,7 +260,7 @@ OCSP_basic_sign(OCSP_BASICRESP brsp, X509 signer, EVP_PKEY *key,
260	}	260	}
261		261
262	if (!(flags & OCSP_NOTIME) &&	262	if (!(flags & OCSP_NOTIME) &&
263	!X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))	263	!ASN1_GENERALIZEDTIME_set(brsp->tbsResponseData->producedAt, time(NULL)))
264	goto err;	264	goto err;
265		265
266	/* Right now, I think that not doing double hashing is the right	266	/* Right now, I think that not doing double hashing is the right