Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c28
1 files changed, 20 insertions, 8 deletions
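--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.33 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.34 2014/07/11 12:52:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -73,6 +73,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 /* CRL score values */
 
@@ -408,14 +409,17 @@ static X509 *
 find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
 	int i;
-	X509 *issuer;
+	X509 *issuer, *rv = NULL;
 
 	for (i = 0; i < sk_X509_num(sk); i++) {
 		issuer = sk_X509_value(sk, i);
-		if (ctx->check_issued(ctx, x, issuer))
-			return issuer;
+		if (ctx->check_issued(ctx, x, issuer)) {
+			rv = issuer;
+			if (x509_check_cert_time(ctx, rv, 1))
+				break;
+		}
 	}
-	return NULL;
+	return rv;
 }
 
 /* Given a possible certificate and issuer check them */
@@ -1492,8 +1496,8 @@ check_policy(X509_STORE_CTX *ctx)
 	return 1;
 }
 
-static int
-check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+int
+x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 {
 	time_t *ptime;
 	int i;
@@ -1505,6 +1509,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
 	i = X509_cmp_time(X509_get_notBefore(x), ptime);
 	if (i == 0) {
+		if (quiet)
+			return 0;
 		ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
 		ctx->current_cert = x;
 		if (!ctx->verify_cb(0, ctx))
@@ -1512,6 +1518,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 	}
 
 	if (i > 0) {
+		if (quiet)
+			return 0;
 		ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
 		ctx->current_cert = x;
 		if (!ctx->verify_cb(0, ctx))
@@ -1520,6 +1528,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
 	i = X509_cmp_time(X509_get_notAfter(x), ptime);
 	if (i == 0) {
+		if (quiet)
+			return 0;
 		ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
 		ctx->current_cert = x;
 		if (!ctx->verify_cb(0, ctx))
@@ -1527,6 +1537,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 	}
 
 	if (i < 0) {
+		if (quiet)
+			return 0;
 		ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
 		ctx->current_cert = x;
 		if (!ctx->verify_cb(0, ctx))
@@ -1597,7 +1609,7 @@ internal_verify(X509_STORE_CTX *ctx)
 
 	xs->valid = 1;
 
-	ok = check_cert_time(ctx, xs);
+	ok = x509_check_cert_time(ctx, xs, 0);
 	if (!ok)
 		goto end;
 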
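Review bot: find_issuer (old lines 408-419) now returns the last check_issued() match when no candidate passes the quiet time check, rather than the first match or NULL, and nothing in the loop says that this fallback is intended. The likely reason — chain building should still proceed with a time-invalid issuer so that the later non-quiet x509_check_cert_time call in internal_verify reports the expiry against the right certificate — is not visible from the code, so I would put above the for loop `/* Prefer an issuer that is currently time-valid; if none is, keep the last match so chain building continues and the time error is reported later by internal_verify. */`. The new `quiet` parameter of x509_check_cert_time, now non-static and presumably declared in the added x509_lcl.h, also needs a one-line contract comment on the definition: in the shown branches quiet mode returns 0 before ctx->error and ctx->current_cert are set and before verify_cb is consulted, so a quiet caller gets only a yes/no answer and no error state; the function's body continues past the shown hunks.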