4 files changed, 36 insertions, 19 deletions
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h
index 15efff6097..280d1ae46c 100644
--- a/src/lib/libcrypto/x509/x509_internal.h
+++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.26 2023/09/29 15:53:59 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.27 2023/11/13 10:33:00 tb Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -96,7 +96,8 @@ int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx);
 int x509v3_cache_extensions(X509 *x);
 X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x);
-time_t x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter);
+int x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter,
+    time_t *out);
 struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc);
@@ -133,7 +134,7 @@ int x509_constraints_check(struct x509_constraints_names *names,
    struct x509_constraints_names *excluded, int *error);
 int x509_constraints_chain(STACK_OF(X509) *chain, int *error,
    int *depth);
-void x509_verify_cert_info_populate(X509 *cert);
+int x509_verify_cert_info_populate(X509 *cert);
 int x509_vfy_check_security_level(X509_STORE_CTX *ctx);
 __END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 0c92dfb19c..999ba639c5 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.29 2023/08/18 08:42:41 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.30 2023/11/13 10:33:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -711,7 +711,8 @@ x509v3_cache_extensions_internal(X509 *x)
        if (!x509_extension_oids_are_unique(x))
                x->ex_flags |= EXFLAG_INVALID;
-        x509_verify_cert_info_populate(x);
+        if (!x509_verify_cert_info_populate(x))
+                x->ex_flags |= EXFLAG_INVALID;
        x->ex_flags |= EXFLAG_SET;
 }
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index ca4814d938..c4c89a23b9 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.66 2023/05/07 07:11:50 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -27,6 +27,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "asn1_local.h"
 #include "x509_internal.h"
 #include "x509_issuer_cache.h"
@@ -44,21 +45,22 @@ static void x509_verify_chain_free(struct x509_verify_chain *chain);
 * Parse an asn1 to a representable time_t as per RFC 5280 rules.
 * Returns -1 if that can't be done for any reason.
 */
-time_t
+int
-x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
+x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
+    time_t *out)
 {
        struct tm tm = { 0 };
        int type;
        type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
        if (type == -1)
-                return -1;
+                return 0;
        /* RFC 5280 section 4.1.2.5 */
        if (tm.tm_year < 150 && type != V_ASN1_UTCTIME)
-                return -1;
+                return 0;
        if (tm.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)
-                return -1;
+                return 0;
        if (notAfter) {
                /*
@@ -67,7 +69,7 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
                 * date, limit the date to a 32 bit representable value.
                 */
                if (!ASN1_time_tm_clamp_notafter(&tm))
-                        return -1;
+                        return 0;
        }
        /*
@@ -75,22 +77,36 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
         * a time_t. A time_t must be sane if you care about times after
         * Jan 19 2038.
         */
-        return timegm(&tm);
+        return asn1_time_tm_to_time_t(&tm, out);
 }
 /*
 * Cache certificate hash, and values parsed out of an X509.
 * called from cache_extensions()
 */
-void
+int
 x509_verify_cert_info_populate(X509 *cert)
 {
+        const ASN1_TIME *notBefore, *notAfter;
        /*
         * Parse and save the cert times, or remember that they
         * are unacceptable/unparsable.
         */
-        cert->not_before = x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0);
-        cert->not_after = x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1);
+        cert->not_before = cert->not_after = -1;
+        if ((notBefore = X509_get_notBefore(cert)) == NULL)
+                return 0;
+        if ((notAfter = X509_get_notAfter(cert)) == NULL)
+                return 0;
+        if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before))
+                return 0;
+        if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after))
+                return 0;
+        return 1;
 }
 struct x509_verify_chain *
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index c4ba3d5b14..6c0ad78ec8 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.125 2023/06/08 22:02:40 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.126 2023/11/13 10:33:00 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1969,8 +1969,7 @@ X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int is_notafter)
        else
                compare = *cmp_time;
-        if ((cert_time = x509_verify_asn1_time_to_time_t(ctm, is_notafter)) ==
+        if (!x509_verify_asn1_time_to_time_t(ctm, is_notafter, &cert_time))
-            -1)
                return 0; /* invalid time */
        if (cert_time <= compare)

diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h index 15efff6097..280d1ae46c 100644 --- a/src/lib/libcrypto/x509/x509_internal.h +++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_internal.h,v 1.26 2023/09/29 15:53:59 beck Exp $ */	1	/* $OpenBSD: x509_internal.h,v 1.27 2023/11/13 10:33:00 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -96,7 +96,8 @@ int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx);
96	int x509v3_cache_extensions(X509 *x);	96	int x509v3_cache_extensions(X509 *x);
97	X509 x509_vfy_lookup_cert_match(X509_STORE_CTX ctx, X509 *x);	97	X509 x509_vfy_lookup_cert_match(X509_STORE_CTX ctx, X509 *x);
98		98
99	time_t x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter);	99	int x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter,
		100	time_t *out);
100		101
101	struct x509_verify_ctx x509_verify_ctx_new_from_xsc(X509_STORE_CTX xsc);	102	struct x509_verify_ctx x509_verify_ctx_new_from_xsc(X509_STORE_CTX xsc);
102		103
@@ -133,7 +134,7 @@ int x509_constraints_check(struct x509_constraints_names *names,
133	struct x509_constraints_names excluded, int error);	134	struct x509_constraints_names excluded, int error);
134	int x509_constraints_chain(STACK_OF(X509) chain, int error,	135	int x509_constraints_chain(STACK_OF(X509) chain, int error,
135	int *depth);	136	int *depth);
136	void x509_verify_cert_info_populate(X509 *cert);	137	int x509_verify_cert_info_populate(X509 *cert);
137	int x509_vfy_check_security_level(X509_STORE_CTX *ctx);	138	int x509_vfy_check_security_level(X509_STORE_CTX *ctx);
138		139
139	__END_HIDDEN_DECLS	140	__END_HIDDEN_DECLS


diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c index 0c92dfb19c..999ba639c5 100644 --- a/src/lib/libcrypto/x509/x509_purp.c +++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_purp.c,v 1.29 2023/08/18 08:42:41 tb Exp $ */	1	/* $OpenBSD: x509_purp.c,v 1.30 2023/11/13 10:33:00 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2001.	3	* project 2001.
4	*/	4	*/
@@ -711,7 +711,8 @@ x509v3_cache_extensions_internal(X509 *x)
711	if (!x509_extension_oids_are_unique(x))	711	if (!x509_extension_oids_are_unique(x))
712	x->ex_flags \|= EXFLAG_INVALID;	712	x->ex_flags \|= EXFLAG_INVALID;
713		713
714	x509_verify_cert_info_populate(x);	714	if (!x509_verify_cert_info_populate(x))
		715	x->ex_flags \|= EXFLAG_INVALID;
715		716
716	x->ex_flags \|= EXFLAG_SET;	717	x->ex_flags \|= EXFLAG_SET;
717	}	718	}


diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index ca4814d938..c4c89a23b9 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_verify.c,v 1.66 2023/05/07 07:11:50 tb Exp $ */	1	/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -27,6 +27,7 @@
27	#include <openssl/x509.h>	27	#include <openssl/x509.h>
28	#include <openssl/x509v3.h>	28	#include <openssl/x509v3.h>
29		29
		30	#include "asn1_local.h"
30	#include "x509_internal.h"	31	#include "x509_internal.h"
31	#include "x509_issuer_cache.h"	32	#include "x509_issuer_cache.h"
32		33
@@ -44,21 +45,22 @@ static void x509_verify_chain_free(struct x509_verify_chain *chain);
44	* Parse an asn1 to a representable time_t as per RFC 5280 rules.	45	* Parse an asn1 to a representable time_t as per RFC 5280 rules.
45	* Returns -1 if that can't be done for any reason.	46	* Returns -1 if that can't be done for any reason.
46	*/	47	*/
47	time_t	48	int
48	x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)	49	x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
		50	time_t *out)
49	{	51	{
50	struct tm tm = { 0 };	52	struct tm tm = { 0 };
51	int type;	53	int type;
52		54
53	type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);	55	type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
54	if (type == -1)	56	if (type == -1)
55	return -1;	57	return 0;
56		58
57	/* RFC 5280 section 4.1.2.5 */	59	/* RFC 5280 section 4.1.2.5 */
58	if (tm.tm_year < 150 && type != V_ASN1_UTCTIME)	60	if (tm.tm_year < 150 && type != V_ASN1_UTCTIME)
59	return -1;	61	return 0;
60	if (tm.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)	62	if (tm.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)
61	return -1;	63	return 0;
62		64
63	if (notAfter) {	65	if (notAfter) {
64	/*	66	/*
@@ -67,7 +69,7 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
67	* date, limit the date to a 32 bit representable value.	69	* date, limit the date to a 32 bit representable value.
68	*/	70	*/
69	if (!ASN1_time_tm_clamp_notafter(&tm))	71	if (!ASN1_time_tm_clamp_notafter(&tm))
70	return -1;	72	return 0;
71	}	73	}
72		74
73	/*	75	/*
@@ -75,22 +77,36 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
75	* a time_t. A time_t must be sane if you care about times after	77	* a time_t. A time_t must be sane if you care about times after
76	* Jan 19 2038.	78	* Jan 19 2038.
77	*/	79	*/
78	return timegm(&tm);	80	return asn1_time_tm_to_time_t(&tm, out);
79	}	81	}
80		82
81	/*	83	/*
82	* Cache certificate hash, and values parsed out of an X509.	84	* Cache certificate hash, and values parsed out of an X509.
83	* called from cache_extensions()	85	* called from cache_extensions()
84	*/	86	*/
85	void	87	int
86	x509_verify_cert_info_populate(X509 *cert)	88	x509_verify_cert_info_populate(X509 *cert)
87	{	89	{
		90	const ASN1_TIME notBefore, notAfter;
		91
88	/*	92	/*
89	* Parse and save the cert times, or remember that they	93	* Parse and save the cert times, or remember that they
90	* are unacceptable/unparsable.	94	* are unacceptable/unparsable.
91	*/	95	*/
92	cert->not_before = x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0);	96
93	cert->not_after = x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1);	97	cert->not_before = cert->not_after = -1;
		98
		99	if ((notBefore = X509_get_notBefore(cert)) == NULL)
		100	return 0;
		101	if ((notAfter = X509_get_notAfter(cert)) == NULL)
		102	return 0;
		103
		104	if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before))
		105	return 0;
		106	if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after))
		107	return 0;
		108
		109	return 1;
94	}	110	}
95		111
96	struct x509_verify_chain *	112	struct x509_verify_chain *


diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index c4ba3d5b14..6c0ad78ec8 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.125 2023/06/08 22:02:40 beck Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.126 2023/11/13 10:33:00 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1969,8 +1969,7 @@ X509_cmp_time_internal(const ASN1_TIME ctm, time_t cmp_time, int is_notafter)
1969	else	1969	else
1970	compare = *cmp_time;	1970	compare = *cmp_time;
1971		1971
1972	if ((cert_time = x509_verify_asn1_time_to_time_t(ctm, is_notafter)) ==	1972	if (!x509_verify_asn1_time_to_time_t(ctm, is_notafter, &cert_time))
1973	-1)
1974	return 0; /* invalid time */	1973	return 0; /* invalid time */
1975		1974
1976	if (cert_time <= compare)	1975	if (cert_time <= compare)