summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libssl/src/crypto/ocsp/ocsp_cl.c38
-rw-r--r--src/lib/libssl/src/crypto/ocsp/ocsp_srv.c4
2 files changed, 9 insertions, 33 deletions
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c b/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c
index 811101f385..d4f847023b 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_cl.c,v 1.8.6.1 2016/06/25 16:42:40 beck Exp $ */ 1/* $OpenBSD: ocsp_cl.c,v 1.8.6.2 2016/06/27 15:42:31 beck Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL 2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */ 3 * project. */
4 4
@@ -71,9 +71,6 @@
71#include <openssl/x509.h> 71#include <openssl/x509.h>
72#include <openssl/x509v3.h> 72#include <openssl/x509v3.h>
73 73
74int asn1_time_parse(const char *, size_t, struct tm *, int);
75int asn1_tm_cmp(struct tm *, struct tm *);
76
77/* Utility functions related to sending OCSP requests and extracting 74/* Utility functions related to sending OCSP requests and extracting
78 * relevant information from the response. 75 * relevant information from the response.
79 */ 76 */
@@ -332,43 +329,25 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
332{ 329{
333 int ret = 1; 330 int ret = 1;
334 time_t t_now, t_tmp; 331 time_t t_now, t_tmp;
335 struct tm tm_this, tm_next, tm_tmp;
336 332
337 time(&t_now); 333 time(&t_now);
338
339 /*
340 * Times must explicitly be a GENERALIZEDTIME as per section
341 * 4.2.2.1 of RFC 6960 - It is invalid to accept other times
342 * (such as UTCTIME permitted/required by RFC 5280 for certificates)
343 */
344
345 /* Check thisUpdate is valid and not more than nsec in the future */ 334 /* Check thisUpdate is valid and not more than nsec in the future */
346 if (asn1_time_parse(thisupd->data, thisupd->length, &tm_this, 335 if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
347 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
348 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 336 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
349 OCSP_R_ERROR_IN_THISUPDATE_FIELD); 337 OCSP_R_ERROR_IN_THISUPDATE_FIELD);
350 ret = 0; 338 ret = 0;
351 } else { 339 } else {
352 t_tmp = t_now + nsec; 340 t_tmp = t_now + nsec;
353 if (gmtime_r(&t_tmp, &tm_tmp) == NULL) 341 if (X509_cmp_time(thisupd, &t_tmp) > 0) {
354 return 0;
355 if (asn1_tm_cmp(&tm_this, &tm_tmp) > 0) {
356 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 342 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
357 OCSP_R_STATUS_NOT_YET_VALID); 343 OCSP_R_STATUS_NOT_YET_VALID);
358 ret = 0; 344 ret = 0;
359 } 345 }
360 346
361 /* 347 /* If maxsec specified check thisUpdate is not more than maxsec in the past */
362 * If maxsec specified check thisUpdate is not more than maxsec
363 * in the past
364 */
365 if (maxsec >= 0) { 348 if (maxsec >= 0) {
366 t_tmp = t_now - maxsec; 349 t_tmp = t_now - maxsec;
367 if (gmtime_r(&t_tmp, &tm_tmp) == NULL) 350 if (X509_cmp_time(thisupd, &t_tmp) < 0) {
368 return 0;
369 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
370 return 0;
371 if (asn1_tm_cmp(&tm_this, &tm_tmp) < 0) {
372 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 351 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
373 OCSP_R_STATUS_TOO_OLD); 352 OCSP_R_STATUS_TOO_OLD);
374 ret = 0; 353 ret = 0;
@@ -380,16 +359,13 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
380 return ret; 359 return ret;
381 360
382 /* Check nextUpdate is valid and not more than nsec in the past */ 361 /* Check nextUpdate is valid and not more than nsec in the past */
383 if (asn1_time_parse(nextupd->data, nextupd->length, &tm_next, 362 if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
384 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
385 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 363 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
386 OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); 364 OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
387 ret = 0; 365 ret = 0;
388 } else { 366 } else {
389 t_tmp = t_now - nsec; 367 t_tmp = t_now - nsec;
390 if (gmtime_r(&t_tmp, &tm_tmp) == NULL) 368 if (X509_cmp_time(nextupd, &t_tmp) < 0) {
391 return 0;
392 if (asn1_tm_cmp(&tm_next, &tm_tmp) < 0) {
393 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 369 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
394 OCSP_R_STATUS_EXPIRED); 370 OCSP_R_STATUS_EXPIRED);
395 ret = 0; 371 ret = 0;
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
index a215c4ac0e..be462141a4 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_srv.c,v 1.7.6.1 2016/06/25 16:42:40 beck Exp $ */ 1/* $OpenBSD: ocsp_srv.c,v 1.7.6.2 2016/06/27 15:42:31 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001. 3 * project 2001.
4 */ 4 */
@@ -260,7 +260,7 @@ OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
260 } 260 }
261 261
262 if (!(flags & OCSP_NOTIME) && 262 if (!(flags & OCSP_NOTIME) &&
263 !ASN1_GENERALIZEDTIME_set(brsp->tbsResponseData->producedAt, time(NULL))) 263 !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
264 goto err; 264 goto err;
265 265
266 /* Right now, I think that not doing double hashing is the right 266 /* Right now, I think that not doing double hashing is the right
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-25 17:56:08 +0000