Diffstat (limited to 'src/lib/libcrypto/ocsp/ocsp_cl.c')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c75
1 files changed, 34 insertions, 41 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index 5ef2226785..d8ee33c391 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_cl.c,v 1.24 2024/03/02 09:08:41 tb Exp $ */ 1/* $OpenBSD: ocsp_cl.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL 2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */ 3 * project. */
4 4
@@ -68,6 +68,7 @@
68#include <openssl/ocsp.h> 68#include <openssl/ocsp.h>
69#include <openssl/objects.h> 69#include <openssl/objects.h>
70#include <openssl/pem.h> 70#include <openssl/pem.h>
71#include <openssl/posix_time.h>
71#include <openssl/x509.h> 72#include <openssl/x509.h>
72#include <openssl/x509v3.h> 73#include <openssl/x509v3.h>
73 74
@@ -394,69 +395,61 @@ int
394OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, 395OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
395 ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec) 396 ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
396{ 397{
397 time_t t_now, t_tmp; 398 int64_t posix_next, posix_this, posix_now;
398 struct tm tm_this, tm_next, tm_tmp; 399 struct tm tm_this, tm_next;
399 400
400 time(&t_now); 401 /* Negative values of nsec make no sense */
402 if (nsec < 0)
403 return 0;
404
405 posix_now = time(NULL);
401 406
402 /* 407 /*
403 * Times must explicitly be a GENERALIZEDTIME as per section 408 * Times must explicitly be a GENERALIZEDTIME as per section
404 * 4.2.2.1 of RFC 6960 - It is invalid to accept other times 409 * 4.2.2.1 of RFC 6960 - It is invalid to accept other times
405 * (such as UTCTIME permitted/required by RFC 5280 for certificates) 410 * (such as UTCTIME permitted/required by RFC 5280 for certificates)
406 */ 411 */
407 412 /* Check that thisUpdate is valid. */
408 /* Check thisUpdate is valid and not more than nsec in the future */
409 if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this, 413 if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
410 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { 414 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
411 OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD); 415 OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);
412 return 0; 416 return 0;
413 } else { 417 }
414 t_tmp = t_now + nsec; 418 if (!OPENSSL_tm_to_posix(&tm_this, &posix_this))
415 if (gmtime_r(&t_tmp, &tm_tmp) == NULL) 419 return 0;
416 return 0; 420 /* thisUpdate must not be more than nsec in the future. */
417 if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) { 421 if (posix_this - nsec > posix_now) {
418 OCSPerror(OCSP_R_STATUS_NOT_YET_VALID); 422 OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
419 return 0; 423 return 0;
420 } 424 }
421 425 /* thisUpdate must not be more than maxsec seconds in the past. */
422 /* 426 if (maxsec >= 0 && posix_this < posix_now - maxsec) {
423 * If maxsec specified check thisUpdate is not more than maxsec 427 OCSPerror(OCSP_R_STATUS_TOO_OLD);
424 * in the past 428 return 0;
425 */
426 if (maxsec >= 0) {
427 t_tmp = t_now - maxsec;
428 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
429 return 0;
430 if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
431 OCSPerror(OCSP_R_STATUS_TOO_OLD);
432 return 0;
433 }
434 }
435 } 429 }
436 430
437 if (!nextupd) 431 /* RFC 6960 section 4.2.2.1 allows for servers to not set nextUpdate */
432 if (nextupd == NULL)
438 return 1; 433 return 1;
439 434
440 /* Check nextUpdate is valid and not more than nsec in the past */ 435 /* Check that nextUpdate is valid. */
441 if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next, 436 if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
442 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { 437 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
443 OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); 438 OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
444 return 0; 439 return 0;
445 } else {
446 t_tmp = t_now - nsec;
447 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
448 return 0;
449 if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
450 OCSPerror(OCSP_R_STATUS_EXPIRED);
451 return 0;
452 }
453 } 440 }
454 441 if (!OPENSSL_tm_to_posix(&tm_next, &posix_next))
455 /* Also don't allow nextUpdate to precede thisUpdate */ 442 return 0;
456 if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) { 443 /* Don't allow nextUpdate to precede thisUpdate. */
444 if (posix_next < posix_this) {
457 OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE); 445 OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
458 return 0; 446 return 0;
459 } 447 }
448 /* nextUpdate must not be more than nsec seconds in the past. */
449 if (posix_next + nsec < posix_now) {
450 OCSPerror(OCSP_R_STATUS_EXPIRED);
451 return 0;
452 }
460 453
461 return 1; 454 return 1;
462} 455}
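Review bot: The two tolerance comparisons in the new OCSP_check_validity, `posix_this - nsec > posix_now` and `posix_next + nsec < posix_now`, do signed 64-bit arithmetic on a caller-supplied `long` that the added guard bounds only from below, so on platforms where `long` is 64 bits a very large nsec can overflow, which is undefined behaviour. Because this function decides whether an OCSP response is still fresh, the comparisons should not depend on the caller passing a small tolerance. Subtracting the two timestamps first keeps every intermediate value small: `if (posix_this - posix_now > nsec)`, `if (maxsec >= 0 && posix_now - posix_this > maxsec)` and `if (posix_now - posix_next > nsec)` test the same conditions. Separately, the new `if (nsec < 0) return 0;` path and the two `OPENSSL_tm_to_posix` failure paths return 0 without calling OCSPerror, so a caller cannot tell these rejections from one another using the error queue.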