1 files changed, 27 insertions, 11 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index ca4814d938..c4c89a23b9 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.66 2023/05/07 07:11:50 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -27,6 +27,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "asn1_local.h"
 #include "x509_internal.h"
 #include "x509_issuer_cache.h"
@@ -44,21 +45,22 @@ static void x509_verify_chain_free(struct x509_verify_chain *chain);
 * Parse an asn1 to a representable time_t as per RFC 5280 rules.
 * Returns -1 if that can't be done for any reason.
 */
-time_t
+int
-x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
+x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
+    time_t *out)
 {
        struct tm tm = { 0 };
        int type;
        type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
        if (type == -1)
-                return -1;
+                return 0;
        /* RFC 5280 section 4.1.2.5 */
        if (tm.tm_year < 150 && type != V_ASN1_UTCTIME)
-                return -1;
+                return 0;
        if (tm.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)
-                return -1;
+                return 0;
        if (notAfter) {
                /*
@@ -67,7 +69,7 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
                 * date, limit the date to a 32 bit representable value.
                 */
                if (!ASN1_time_tm_clamp_notafter(&tm))
-                        return -1;
+                        return 0;
        }
        /*
@@ -75,22 +77,36 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
         * a time_t. A time_t must be sane if you care about times after
         * Jan 19 2038.
         */
-        return timegm(&tm);
+        return asn1_time_tm_to_time_t(&tm, out);
 }
 /*
 * Cache certificate hash, and values parsed out of an X509.
 * called from cache_extensions()
 */
-void
+int
 x509_verify_cert_info_populate(X509 *cert)
 {
+        const ASN1_TIME *notBefore, *notAfter;
        /*
         * Parse and save the cert times, or remember that they
         * are unacceptable/unparsable.
         */
-        cert->not_before = x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0);
-        cert->not_after = x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1);
+        cert->not_before = cert->not_after = -1;
+        if ((notBefore = X509_get_notBefore(cert)) == NULL)
+                return 0;
+        if ((notAfter = X509_get_notAfter(cert)) == NULL)
+                return 0;
+        if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before))
+                return 0;
+        if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after))
+                return 0;
+        return 1;
 }
 struct x509_verify_chain *

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index ca4814d938..c4c89a23b9 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_verify.c,v 1.66 2023/05/07 07:11:50 tb Exp $ */	1	/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -27,6 +27,7 @@
27	#include <openssl/x509.h>	27	#include <openssl/x509.h>
28	#include <openssl/x509v3.h>	28	#include <openssl/x509v3.h>
29		29
		30	#include "asn1_local.h"
30	#include "x509_internal.h"	31	#include "x509_internal.h"
31	#include "x509_issuer_cache.h"	32	#include "x509_issuer_cache.h"
32		33
@@ -44,21 +45,22 @@ static void x509_verify_chain_free(struct x509_verify_chain *chain);
44	* Parse an asn1 to a representable time_t as per RFC 5280 rules.	45	* Parse an asn1 to a representable time_t as per RFC 5280 rules.
45	* Returns -1 if that can't be done for any reason.	46	* Returns -1 if that can't be done for any reason.
46	*/	47	*/
47	time_t	48	int
48	x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)	49	x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
		50	time_t *out)
49	{	51	{
50	struct tm tm = { 0 };	52	struct tm tm = { 0 };
51	int type;	53	int type;
52		54
53	type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);	55	type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
54	if (type == -1)	56	if (type == -1)
55	return -1;	57	return 0;
56		58
57	/* RFC 5280 section 4.1.2.5 */	59	/* RFC 5280 section 4.1.2.5 */
58	if (tm.tm_year < 150 && type != V_ASN1_UTCTIME)	60	if (tm.tm_year < 150 && type != V_ASN1_UTCTIME)
59	return -1;	61	return 0;
60	if (tm.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)	62	if (tm.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)
61	return -1;	63	return 0;
62		64
63	if (notAfter) {	65	if (notAfter) {
64	/*	66	/*
@@ -67,7 +69,7 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
67	* date, limit the date to a 32 bit representable value.	69	* date, limit the date to a 32 bit representable value.
68	*/	70	*/
69	if (!ASN1_time_tm_clamp_notafter(&tm))	71	if (!ASN1_time_tm_clamp_notafter(&tm))
70	return -1;	72	return 0;
71	}	73	}
72		74
73	/*	75	/*
@@ -75,22 +77,36 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
75	* a time_t. A time_t must be sane if you care about times after	77	* a time_t. A time_t must be sane if you care about times after
76	* Jan 19 2038.	78	* Jan 19 2038.
77	*/	79	*/
78	return timegm(&tm);	80	return asn1_time_tm_to_time_t(&tm, out);
79	}	81	}
80		82
81	/*	83	/*
82	* Cache certificate hash, and values parsed out of an X509.	84	* Cache certificate hash, and values parsed out of an X509.
83	* called from cache_extensions()	85	* called from cache_extensions()
84	*/	86	*/
85	void	87	int
86	x509_verify_cert_info_populate(X509 *cert)	88	x509_verify_cert_info_populate(X509 *cert)
87	{	89	{
		90	const ASN1_TIME notBefore, notAfter;
		91
88	/*	92	/*
89	* Parse and save the cert times, or remember that they	93	* Parse and save the cert times, or remember that they
90	* are unacceptable/unparsable.	94	* are unacceptable/unparsable.
91	*/	95	*/
92	cert->not_before = x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0);	96
93	cert->not_after = x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1);	97	cert->not_before = cert->not_after = -1;
		98
		99	if ((notBefore = X509_get_notBefore(cert)) == NULL)
		100	return 0;
		101	if ((notAfter = X509_get_notAfter(cert)) == NULL)
		102	return 0;
		103
		104	if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before))
		105	return 0;
		106	if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after))
		107	return 0;
		108
		109	return 1;
94	}	110	}
95		111
96	struct x509_verify_chain *	112	struct x509_verify_chain *