Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c75
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_sign.c4
-rw-r--r--src/lib/libtls/tls_conninfo.c26
-rw-r--r--src/lib/libtls/tls_ocsp.c5
4 files changed, 58 insertions, 52 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index 5ef2226785..d8ee33c391 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_cl.c,v 1.24 2024/03/02 09:08:41 tb Exp $ */ 1/* $OpenBSD: ocsp_cl.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL 2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */ 3 * project. */
4 4
@@ -68,6 +68,7 @@
68#include <openssl/ocsp.h> 68#include <openssl/ocsp.h>
69#include <openssl/objects.h> 69#include <openssl/objects.h>
70#include <openssl/pem.h> 70#include <openssl/pem.h>
71#include <openssl/posix_time.h>
71#include <openssl/x509.h> 72#include <openssl/x509.h>
72#include <openssl/x509v3.h> 73#include <openssl/x509v3.h>
73 74
@@ -394,69 +395,61 @@ int
394OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, 395OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
395 ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec) 396 ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
396{ 397{
397 time_t t_now, t_tmp; 398 int64_t posix_next, posix_this, posix_now;
398 struct tm tm_this, tm_next, tm_tmp; 399 struct tm tm_this, tm_next;
399 400
400 time(&t_now); 401 /* Negative values of nsec make no sense */
402 if (nsec < 0)
403 return 0;
404
405 posix_now = time(NULL);
401 406
402 /* 407 /*
403 * Times must explicitly be a GENERALIZEDTIME as per section 408 * Times must explicitly be a GENERALIZEDTIME as per section
404 * 4.2.2.1 of RFC 6960 - It is invalid to accept other times 409 * 4.2.2.1 of RFC 6960 - It is invalid to accept other times
405 * (such as UTCTIME permitted/required by RFC 5280 for certificates) 410 * (such as UTCTIME permitted/required by RFC 5280 for certificates)
406 */ 411 */
407 412 /* Check that thisUpdate is valid. */
408 /* Check thisUpdate is valid and not more than nsec in the future */
409 if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this, 413 if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
410 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { 414 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
411 OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD); 415 OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);
412 return 0; 416 return 0;
413 } else { 417 }
414 t_tmp = t_now + nsec; 418 if (!OPENSSL_tm_to_posix(&tm_this, &posix_this))
415 if (gmtime_r(&t_tmp, &tm_tmp) == NULL) 419 return 0;
416 return 0; 420 /* thisUpdate must not be more than nsec in the future. */
417 if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) { 421 if (posix_this - nsec > posix_now) {
418 OCSPerror(OCSP_R_STATUS_NOT_YET_VALID); 422 OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
419 return 0; 423 return 0;
420 } 424 }
421 425 /* thisUpdate must not be more than maxsec seconds in the past. */
422 /* 426 if (maxsec >= 0 && posix_this < posix_now - maxsec) {
423 * If maxsec specified check thisUpdate is not more than maxsec 427 OCSPerror(OCSP_R_STATUS_TOO_OLD);
424 * in the past 428 return 0;
425 */
426 if (maxsec >= 0) {
427 t_tmp = t_now - maxsec;
428 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
429 return 0;
430 if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
431 OCSPerror(OCSP_R_STATUS_TOO_OLD);
432 return 0;
433 }
434 }
435 } 429 }
436 430
437 if (!nextupd) 431 /* RFC 6960 section 4.2.2.1 allows for servers to not set nextUpdate */
432 if (nextupd == NULL)
438 return 1; 433 return 1;
439 434
440 /* Check nextUpdate is valid and not more than nsec in the past */ 435 /* Check that nextUpdate is valid. */
441 if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next, 436 if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
442 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { 437 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
443 OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); 438 OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
444 return 0; 439 return 0;
445 } else {
446 t_tmp = t_now - nsec;
447 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
448 return 0;
449 if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
450 OCSPerror(OCSP_R_STATUS_EXPIRED);
451 return 0;
452 }
453 } 440 }
454 441 if (!OPENSSL_tm_to_posix(&tm_next, &posix_next))
455 /* Also don't allow nextUpdate to precede thisUpdate */ 442 return 0;
456 if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) { 443 /* Don't allow nextUpdate to precede thisUpdate. */
444 if (posix_next < posix_this) {
457 OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE); 445 OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
458 return 0; 446 return 0;
459 } 447 }
448 /* nextUpdate must not be more than nsec seconds in the past. */
449 if (posix_next + nsec < posix_now) {
450 OCSPerror(OCSP_R_STATUS_EXPIRED);
451 return 0;
452 }
460 453
461 return 1; 454 return 1;
462} 455}
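Review bot: The window checks in OCSP_check_validity combine the caller-supplied `long nsec` with a timestamp before comparing, so `posix_next + nsec` and `posix_this - nsec` are signed 64-bit arithmetic that can overflow, which is undefined behaviour. On a platform with a 64-bit `long`, a caller passing a very large tolerance such as LONG_MAX would reach this. Comparing the difference of the two timestamps against the tolerance avoids it, since both timestamps are presumably bounded (a parsed four-digit-year GENERALIZEDTIME and the current clock): `if (posix_this - posix_now > nsec)`, `if (maxsec >= 0 && posix_now - posix_this > maxsec)` and `if (posix_now - posix_next > nsec)`. Separately, the new `nsec < 0` return and the two `OPENSSL_tm_to_posix()` failure returns leave the error queue empty, unlike the neighbouring paths that call OCSPerror(), so a caller cannot tell why the response was rejected.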
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index 3013cffbc5..8eb687aab1 100644
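--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.32 2023/08/22 08:09:36 tb Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.33 2024/03/24 11:30:12 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -999,7 +999,7 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
  if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
  goto err;
 
- if (!(tm = gmtime(&sec)))
+ if (OPENSSL_gmtime(&sec, tm) == NULL)
  goto err;
 
  /*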
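Review bot: `OPENSSL_gmtime(&sec, tm)` passes `tm` as the output buffer, but the replaced line assigned `tm` from gmtime(), so `tm` is a `struct tm *`. The diffstat lists only 4 changed lines for this file (the RCS id and this call), so the declaration is apparently untouched. Unless `tm` is pointed at valid storage elsewhere in TS_RESP_set_genTime_with_precision, whose body starts and ends outside this hunk, the call would write through a null or uninitialised pointer. Declaring `struct tm tm;` and calling `if (OPENSSL_gmtime(&sec, &tm) == NULL)` would address it, with any later `tm->` uses becoming `tm.`.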
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 90fdfacad3..08f8714ecd 100644
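--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.24 2023/11/13 10:51:49 tb Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -19,12 +19,27 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <openssl/posix_time.h>
 #include <openssl/x509.h>
 
 #include <tls.h>
 #include "tls_internal.h"
 
-int ASN1_time_tm_clamp_notafter(struct tm *tm);
+static int
+tls_convert_notafter(struct tm *tm, time_t *out_time)
+{
+ int64_t posix_time;
+
+ /* OPENSSL_timegm() fails if tm is not representable in a time_t */
+ if (OPENSSL_timegm(tm, out_time))
+ return 1;
+ if (!OPENSSL_tm_to_posix(tm, &posix_time))
+ return 0;
+ if (posix_time < INT32_MIN)
+ return 0;
+ *out_time = (posix_time > INT32_MAX) ? INT32_MAX : posix_time;
+ return 1;
+}
 
 int
 tls_hex_string(const unsigned char *in, size_t inlen, char **out,
@@ -121,13 +136,10 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
  goto err;
  if (!ASN1_TIME_to_tm(after, &after_tm))
  goto err;
- if (!ASN1_time_tm_clamp_notafter(&after_tm))
+ if (!tls_convert_notafter(&after_tm, notafter))
  goto err;
- if ((*notbefore = timegm(&before_tm)) == -1)
+ if (!OPENSSL_timegm(&before_tm, notbefore))
  goto err;
- if ((*notafter = timegm(&after_tm)) == -1)
- goto err;
-
  return (0);
 
  err: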
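Review bot: tls_convert_notafter() clamps in one direction only, and its comment does not say so: a notAfter above INT32_MAX is stored as INT32_MAX, while one below INT32_MIN is a failure. Callers of tls_get_peer_cert_times() therefore receive a clamped value that is indistinguishable from a certificate that really expires at that instant. A comment above the helper would make the contract explicit, for example `/* Convert notAfter to time_t. Returns 1 on success, 0 on failure. A value that does not fit in time_t is clamped to INT32_MAX; one below INT32_MIN is an error. */`. In tls_get_peer_cert_times, whose body starts and ends outside the hunk, `*notafter` is also now written before the notBefore conversion has succeeded, so the error path can leave one output set.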
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index c7eb3e5986..f7d7ba9199 100644
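--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_ocsp.c,v 1.24 2023/11/13 10:56:19 tb Exp $ */
+/* $OpenBSD: tls_ocsp.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
 /*
  * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
  * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
@@ -25,6 +25,7 @@
 
 #include <openssl/err.h>
 #include <openssl/ocsp.h>
+#include <openssl/posix_time.h>
 #include <openssl/x509.h>
 
 #include <tls.h>
@@ -68,7 +69,7 @@ tls_ocsp_asn1_parse_time(struct tls *ctx, ASN1_GENERALIZEDTIME *gt, time_t *gt_t
  return -1;
  if (!ASN1_TIME_to_tm(gt, &tm))
  return -1;
- if ((*gt_time = timegm(&tm)) == -1)
+ if (!OPENSSL_timegm(&tm, gt_time))
  return -1;
  return 0;
 }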