3 files changed, 86 insertions, 24 deletions
diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c
index cd6a790cac..03311e1b7f 100644
--- a/src/lib/libcrypto/asn1/a_time.c
+++ b/src/lib/libcrypto/asn1/a_time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time.c,v 1.33 2021/12/25 07:48:09 jsing Exp $ */
+/* $OpenBSD: a_time.c,v 1.34 2022/06/27 13:54:57 beck Exp $ */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
@@ -92,8 +92,7 @@ ASN1_TIME_free(ASN1_TIME *a)
        ASN1_item_free((ASN1_VALUE *)a, &ASN1_TIME_it);
 }
-/* Public API in OpenSSL. Kept internal for now. */
+int
-static int
 ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm)
 {
        time_t now;
diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c
index 0e040ae579..23e2ce4b4c 100644
--- a/src/lib/libcrypto/asn1/a_time_tm.c
+++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.20 2022/04/28 17:31:29 tb Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.21 2022/06/27 13:54:57 beck Exp $ */
 /*
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
 *
@@ -379,6 +379,61 @@ ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
        return (ASN1_TIME_set_string_internal(s, str, 0));
 }
+static int
+ASN1_TIME_cmp_time_t_internal(const ASN1_TIME *s, time_t t2, int mode)
+{
+        struct tm tm1, tm2;
+        /*
+         * This function has never handled failure conditions properly
+         * The OpenSSL version used to simply follow NULL pointers on failure.
+         * BoringSSL and OpenSSL now make it return -2 on failure.
+         *
+         * The danger is that users of this function will not differentiate the
+         * -2 failure case from s < t2. Callers must be careful. Sadly this is
+         * one of those pervasive things from OpenSSL we must continue with.
+         */
+        if (ASN1_time_parse(s->data, s->length, &tm1, mode) == -1)
+                return -2;
+        if (gmtime_r(&t2, &tm2) == NULL)
+                return -2;
+        return ASN1_time_tm_cmp(&tm1, &tm2);
+}
+int
+ASN1_TIME_compare(const ASN1_TIME *t1, const ASN1_TIME *t2)
+{
+        struct tm tm1, tm2;
+        if (t1->type != V_ASN1_UTCTIME && t1->type != V_ASN1_GENERALIZEDTIME)
+                return -2;
+        if (t2->type != V_ASN1_UTCTIME && t2->type != V_ASN1_GENERALIZEDTIME)
+                return -2;
+        if (ASN1_time_parse(t1->data, t1->length, &tm1, t1->type) == -1)
+                return -2;
+        if (ASN1_time_parse(t1->data, t2->length, &tm2, t2->type) == -1)
+                return -2;
+        return ASN1_time_tm_cmp(&tm1, &tm2);
+}
+int
+ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t)
+{
+        if (s->type == V_ASN1_UTCTIME)
+                return ASN1_TIME_cmp_time_t_internal(s, t, V_ASN1_UTCTIME);
+        if (s->type == V_ASN1_GENERALIZEDTIME)
+                return ASN1_TIME_cmp_time_t_internal(s, t,
+                    V_ASN1_GENERALIZEDTIME);
+        return -2;
+}
 /*
 * ASN1_UTCTIME wrappers
 */
@@ -413,26 +468,11 @@ ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, int offset_day, long offset_sec)
 }
 int
-ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t2)
+ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 {
-        struct tm tm1, tm2;
+        if (s->type == V_ASN1_UTCTIME)
+                return ASN1_TIME_cmp_time_t_internal(s, t, V_ASN1_UTCTIME);
-        /*
+        return -2;
-         * This function has never handled failure conditions properly
-         * and should be deprecated. The OpenSSL version used to
-         * simply follow NULL pointers on failure. BoringSSL and
-         * OpenSSL now make it return -2 on failure.
-         *
-         * The danger is that users of this function will not
-         * differentiate the -2 failure case from t1 < t2.
-         */
-        if (ASN1_time_parse(s->data, s->length, &tm1, V_ASN1_UTCTIME) == -1)
-                return (-2); /* XXX */
-        if (gmtime_r(&t2, &tm2) == NULL)
-                return (-2); /* XXX */
-        return ASN1_time_tm_cmp(&tm1, &tm2);
 }
 /*
@@ -468,3 +508,19 @@ ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s, time_t t, int offset_day,
        return (ASN1_TIME_adj_internal(s, t, offset_day, offset_sec,
            V_ASN1_GENERALIZEDTIME));
 }
+int
+ASN1_TIME_normalize(ASN1_TIME *t)
+{
+        struct tm tm;
+        if (!ASN1_TIME_to_tm(t, &tm))
+                return 0;
+        return tm_to_rfc5280_time(&tm, t) != NULL;
+}
+int
+ASN1_TIME_set_string_x509(ASN1_TIME *s, const char *str)
+{
+        return ASN1_TIME_set_string_internal(s, str, RFC5280);
+}
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index 0db0b1d8fe..3ff3f51d34 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1.h,v 1.64 2022/06/25 16:15:18 jsing Exp $ */
+/* $OpenBSD: asn1.h,v 1.65 2022/06/27 13:54:57 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -719,6 +719,13 @@ ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **a, const unsigned char **in, long len);
 int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **out);
 extern const ASN1_ITEM ASN1_TIME_it;
+#ifdef LIBRESSL_INTERNAL
+int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm);
+int ASN1_TIME_compare(const ASN1_TIME *t1, const ASN1_TIME *t2);
+int ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t2);
+int ASN1_TIME_normalize(ASN1_TIME *t);
+int ASN1_TIME_set_string_x509(ASN1_TIME *time, const char *str);
+#endif
 int ASN1_TIME_diff(int *pday, int *psec, const ASN1_TIME *from,
    const ASN1_TIME *to);

diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c index cd6a790cac..03311e1b7f 100644 --- a/src/lib/libcrypto/asn1/a_time.c +++ b/src/lib/libcrypto/asn1/a_time.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: a_time.c,v 1.33 2021/12/25 07:48:09 jsing Exp $ */	1	/* $OpenBSD: a_time.c,v 1.34 2022/06/27 13:54:57 beck Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -92,8 +92,7 @@ ASN1_TIME_free(ASN1_TIME *a)
92	ASN1_item_free((ASN1_VALUE *)a, &ASN1_TIME_it);	92	ASN1_item_free((ASN1_VALUE *)a, &ASN1_TIME_it);
93	}	93	}
94		94
95	/* Public API in OpenSSL. Kept internal for now. */	95	int
96	static int
97	ASN1_TIME_to_tm(const ASN1_TIME s, struct tm tm)	96	ASN1_TIME_to_tm(const ASN1_TIME s, struct tm tm)
98	{	97	{
99	time_t now;	98	time_t now;


diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c index 0e040ae579..23e2ce4b4c 100644 --- a/src/lib/libcrypto/asn1/a_time_tm.c +++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: a_time_tm.c,v 1.20 2022/04/28 17:31:29 tb Exp $ */	1	/* $OpenBSD: a_time_tm.c,v 1.21 2022/06/27 13:54:57 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -379,6 +379,61 @@ ASN1_TIME_set_string(ASN1_TIME s, const char str)
379	return (ASN1_TIME_set_string_internal(s, str, 0));	379	return (ASN1_TIME_set_string_internal(s, str, 0));
380	}	380	}
381		381
		382	static int
		383	ASN1_TIME_cmp_time_t_internal(const ASN1_TIME *s, time_t t2, int mode)
		384	{
		385	struct tm tm1, tm2;
		386
		387	/*
		388	* This function has never handled failure conditions properly
		389	* The OpenSSL version used to simply follow NULL pointers on failure.
		390	* BoringSSL and OpenSSL now make it return -2 on failure.
		391	*
		392	* The danger is that users of this function will not differentiate the
		393	* -2 failure case from s < t2. Callers must be careful. Sadly this is
		394	* one of those pervasive things from OpenSSL we must continue with.
		395	*/
		396
		397	if (ASN1_time_parse(s->data, s->length, &tm1, mode) == -1)
		398	return -2;
		399
		400	if (gmtime_r(&t2, &tm2) == NULL)
		401	return -2;
		402
		403	return ASN1_time_tm_cmp(&tm1, &tm2);
		404	}
		405
		406	int
		407	ASN1_TIME_compare(const ASN1_TIME t1, const ASN1_TIME t2)
		408	{
		409	struct tm tm1, tm2;
		410
		411	if (t1->type != V_ASN1_UTCTIME && t1->type != V_ASN1_GENERALIZEDTIME)
		412	return -2;
		413
		414	if (t2->type != V_ASN1_UTCTIME && t2->type != V_ASN1_GENERALIZEDTIME)
		415	return -2;
		416
		417	if (ASN1_time_parse(t1->data, t1->length, &tm1, t1->type) == -1)
		418	return -2;
		419
		420	if (ASN1_time_parse(t1->data, t2->length, &tm2, t2->type) == -1)
		421	return -2;
		422
		423	return ASN1_time_tm_cmp(&tm1, &tm2);
		424	}
		425
		426	int
		427	ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t)
		428	{
		429	if (s->type == V_ASN1_UTCTIME)
		430	return ASN1_TIME_cmp_time_t_internal(s, t, V_ASN1_UTCTIME);
		431	if (s->type == V_ASN1_GENERALIZEDTIME)
		432	return ASN1_TIME_cmp_time_t_internal(s, t,
		433	V_ASN1_GENERALIZEDTIME);
		434	return -2;
		435	}
		436
382	/*	437	/*
383	* ASN1_UTCTIME wrappers	438	* ASN1_UTCTIME wrappers
384	*/	439	*/
@@ -413,26 +468,11 @@ ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, int offset_day, long offset_sec)
413	}	468	}
414		469
415	int	470	int
416	ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t2)	471	ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
417	{	472	{
418	struct tm tm1, tm2;	473	if (s->type == V_ASN1_UTCTIME)
419		474	return ASN1_TIME_cmp_time_t_internal(s, t, V_ASN1_UTCTIME);
420	/*	475	return -2;
421	* This function has never handled failure conditions properly
422	* and should be deprecated. The OpenSSL version used to
423	* simply follow NULL pointers on failure. BoringSSL and
424	* OpenSSL now make it return -2 on failure.
425	*
426	* The danger is that users of this function will not
427	* differentiate the -2 failure case from t1 < t2.
428	*/
429	if (ASN1_time_parse(s->data, s->length, &tm1, V_ASN1_UTCTIME) == -1)
430	return (-2); /* XXX */
431
432	if (gmtime_r(&t2, &tm2) == NULL)
433	return (-2); /* XXX */
434
435	return ASN1_time_tm_cmp(&tm1, &tm2);
436	}	476	}
437		477
438	/*	478	/*
@@ -468,3 +508,19 @@ ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s, time_t t, int offset_day,
468	return (ASN1_TIME_adj_internal(s, t, offset_day, offset_sec,	508	return (ASN1_TIME_adj_internal(s, t, offset_day, offset_sec,
469	V_ASN1_GENERALIZEDTIME));	509	V_ASN1_GENERALIZEDTIME));
470	}	510	}
		511
		512	int
		513	ASN1_TIME_normalize(ASN1_TIME *t)
		514	{
		515	struct tm tm;
		516
		517	if (!ASN1_TIME_to_tm(t, &tm))
		518	return 0;
		519	return tm_to_rfc5280_time(&tm, t) != NULL;
		520	}
		521
		522	int
		523	ASN1_TIME_set_string_x509(ASN1_TIME s, const char str)
		524	{
		525	return ASN1_TIME_set_string_internal(s, str, RFC5280);
		526	}


diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h index 0db0b1d8fe..3ff3f51d34 100644 --- a/src/lib/libcrypto/asn1/asn1.h +++ b/src/lib/libcrypto/asn1/asn1.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: asn1.h,v 1.64 2022/06/25 16:15:18 jsing Exp $ */	1	/* $OpenBSD: asn1.h,v 1.65 2022/06/27 13:54:57 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -719,6 +719,13 @@ ASN1_TIME d2i_ASN1_TIME(ASN1_TIME a, const unsigned char *in, long len);
719	int i2d_ASN1_TIME(ASN1_TIME a, unsigned char *out);	719	int i2d_ASN1_TIME(ASN1_TIME a, unsigned char *out);
720	extern const ASN1_ITEM ASN1_TIME_it;	720	extern const ASN1_ITEM ASN1_TIME_it;
721		721
		722	#ifdef LIBRESSL_INTERNAL
		723	int ASN1_TIME_to_tm(const ASN1_TIME s, struct tm tm);
		724	int ASN1_TIME_compare(const ASN1_TIME t1, const ASN1_TIME t2);
		725	int ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t2);
		726	int ASN1_TIME_normalize(ASN1_TIME *t);
		727	int ASN1_TIME_set_string_x509(ASN1_TIME time, const char str);
		728	#endif
722	int ASN1_TIME_diff(int pday, int psec, const ASN1_TIME *from,	729	int ASN1_TIME_diff(int pday, int psec, const ASN1_TIME *from,
723	const ASN1_TIME *to);	730	const ASN1_TIME *to);
724		731