Diffstat (limited to '')
-rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 28 |
1 files changed, 20 insertions, 8 deletions
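--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.33 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.34 2014/07/11 12:52:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -73,6 +73,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 /* CRL score values */
 
@@ -408,14 +409,17 @@ static X509 *
 find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
 	int i;
-	X509 *issuer;
+	X509 *issuer, *rv = NULL;
 
 	for (i = 0; i < sk_X509_num(sk); i++) {
 		issuer = sk_X509_value(sk, i);
-		if (ctx->check_issued(ctx, x, issuer))
-			return issuer;
+		if (ctx->check_issued(ctx, x, issuer)) {
+			rv = issuer;
+			if (x509_check_cert_time(ctx, rv, 1))
+				break;
+		}
 	}
-	return NULL;
+	return rv;
 }
 
 /* Given a possible certificate and issuer check them */
@@ -1492,8 +1496,8 @@ check_policy(X509_STORE_CTX *ctx)
 	return 1;
 }
 
-static int
-check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+int
+x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 {
 	time_t *ptime;
 	int i;
@@ -1505,6 +1509,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
 	i = X509_cmp_time(X509_get_notBefore(x), ptime);
 	if (i == 0) {
+		if (quiet)
+			return 0;
 		ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
 		ctx->current_cert = x;
 		if (!ctx->verify_cb(0, ctx))
@@ -1512,6 +1518,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 	}
 
 	if (i > 0) {
+		if (quiet)
+			return 0;
 		ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
 		ctx->current_cert = x;
 		if (!ctx->verify_cb(0, ctx))
@@ -1520,6 +1528,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
 	i = X509_cmp_time(X509_get_notAfter(x), ptime);
 	if (i == 0) {
+		if (quiet)
+			return 0;
 		ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
 		ctx->current_cert = x;
 		if (!ctx->verify_cb(0, ctx))
@@ -1527,6 +1537,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 	}
 
 	if (i < 0) {
+		if (quiet)
+			return 0;
 		ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
 		ctx->current_cert = x;
 		if (!ctx->verify_cb(0, ctx))
@@ -1597,7 +1609,7 @@ internal_verify(X509_STORE_CTX *ctx)
 
 	xs->valid = 1;
 
-	ok = check_cert_time(ctx, xs);
+	ok = x509_check_cert_time(ctx, xs, 0);
 	if (!ok)
 		goto end;
 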
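Review bot: In find_issuer, the fallback when no candidate passes the quiet time check now returns the last check_issued match rather than the first (rv is overwritten on every match and the loop only breaks on a time-valid one), and nothing in the hunk says this is intended; a comment above the loop such as `/* Prefer an issuer that is valid now; otherwise fall back to the last matching one. */` would stop a reader from treating it as a first-match search. The quiet paths added in x509_check_cert_time return 0 without touching ctx->error or ctx->current_cert, so a quiet caller cannot tell 'expired' from 'not yet valid' or a malformed time field; that is presumably fine for find_issuer's preference test but belongs in a comment on the parameter, e.g. `/* quiet: only report validity; do not set ctx->error or call verify_cb */`. Since the function now has external linkage, the prototype in x509_lcl.h should carry that contract as well. The body of x509_check_cert_time begins before its first hunk and its final return is not shown.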