4 files changed, 16 insertions, 63 deletions
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 73cc582d7b..5b74b0d1bd 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_local.h,v 1.23 2024/03/26 05:39:47 tb Exp $ */
+/*      $OpenBSD: x509_local.h,v 1.24 2024/04/08 23:46:21 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -188,8 +188,6 @@ struct x509_st {
        struct ASIdentifiers_st *rfc3779_asid;
 #endif
        unsigned char hash[X509_CERT_HASH_LEN];
-        time_t not_before;
-        time_t not_after;
        X509_CERT_AUX *aux;
 } /* X509 */;
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 53f4f2f967..8f4e5934e1 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.39 2024/03/02 10:43:52 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.40 2024/04/08 23:46:21 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -559,9 +559,6 @@ x509v3_cache_extensions_internal(X509 *x)
        if (!x509_extension_oids_are_unique(x))
                x->ex_flags |= EXFLAG_INVALID;
-        if (!x509_verify_cert_info_populate(x))
-                x->ex_flags |= EXFLAG_INVALID;
        x->ex_flags |= EXFLAG_SET;
 }
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 19bb925d9c..c7b2219fa9 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.68 2024/02/01 23:16:38 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.69 2024/04/08 23:46:21 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -52,6 +52,9 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
        struct tm tm = { 0 };
        int type;
+        if (atime == NULL)
+                return 0;
        type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
        if (type == -1)
                return 0;
@@ -80,35 +83,6 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
        return asn1_time_tm_to_time_t(&tm, out);
 }
-/*
- * Cache certificate hash, and values parsed out of an X509.
- * called from cache_extensions()
- */
-int
-x509_verify_cert_info_populate(X509 *cert)
-{
-        const ASN1_TIME *notBefore, *notAfter;
-        /*
-         * Parse and save the cert times, or remember that they
-         * are unacceptable/unparsable.
-         */
-        cert->not_before = cert->not_after = -1;
-        if ((notBefore = X509_get_notBefore(cert)) == NULL)
-                return 0;
-        if ((notAfter = X509_get_notAfter(cert)) == NULL)
-                return 0;
-        if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before))
-                return 0;
-        if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after))
-                return 0;
-        return 1;
-}
 struct x509_verify_chain *
 x509_verify_chain_new(void)
 {
@@ -840,26 +814,28 @@ x509_verify_set_check_time(struct x509_verify_ctx *ctx)
 static int
 x509_verify_cert_times(X509 *cert, time_t *cmp_time, int *error)
 {
-        time_t when;
+        time_t when, not_before, not_after;
        if (cmp_time == NULL)
                when = time(NULL);
        else
                when = *cmp_time;
-        if (cert->not_before == -1) {
+        if (!x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0,
+            &not_before)) {
                *error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
                return 0;
        }
-        if (when < cert->not_before) {
+        if (when < not_before) {
                *error = X509_V_ERR_CERT_NOT_YET_VALID;
                return 0;
        }
-        if (cert->not_after == -1) {
+        if (!x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1,
+            &not_after)) {
                *error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
                return 0;
        }
-        if (when > cert->not_after) {
+        if (when > not_after) {
                *error = X509_V_ERR_CERT_HAS_EXPIRED;
                return 0;
        }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 5399658639..501f5e5710 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.142 2024/03/02 10:40:05 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.143 2024/04/08 23:46:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1744,18 +1744,6 @@ verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
        return ctx->verify_cb(0, ctx);
 }
-/* Mimic OpenSSL '0 for failure' ick */
-static int
-time_t_bogocmp(time_t a, time_t b)
-{
-        if (a == -1 || b == -1)
-                return 0;
-        if (a <= b)
-                return -1;
-        return 1;
-}
 /*
 * Check certificate validity times.
 *
@@ -1777,10 +1765,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
        else
                ptime = time(NULL);
-        if (x->ex_flags & EXFLAG_SET)
+        i = X509_cmp_time(X509_get_notBefore(x), &ptime);
-                i = time_t_bogocmp(x->not_before, ptime);
-        else
-                i = X509_cmp_time(X509_get_notBefore(x), &ptime);
        if (i >= 0 && depth < 0)
                return 0;
@@ -1791,10 +1776,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
            X509_V_ERR_CERT_NOT_YET_VALID))
                return 0;
-        if (x->ex_flags & EXFLAG_SET)
+        i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1);
-                i = time_t_bogocmp(x->not_after, ptime);
-        else
-                i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1);
        if (i <= 0 && depth < 0)
                return 0;