summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/x509/x509_lcl.h59
-rw-r--r--src/lib/libcrypto/x509/x509_lu.c23
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c28
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_lcl.h59
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_lu.c23
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_vfy.c28
6 files changed, 194 insertions, 26 deletions
diff --git a/src/lib/libcrypto/x509/x509_lcl.h b/src/lib/libcrypto/x509/x509_lcl.h
new file mode 100644
index 0000000000..b16df78ad7
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_lcl.h
@@ -0,0 +1,59 @@
1/* x509_lcl.h */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2013.
4 */
5/* ====================================================================
6 * Copyright (c) 2013 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 8d3e4f4dce..b522c88c25 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_lu.c,v 1.16 2014/07/11 08:44:49 jsing Exp $ */ 1/* $OpenBSD: x509_lu.c,v 1.17 2014/07/11 12:52:41 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -62,6 +62,7 @@
62#include <openssl/lhash.h> 62#include <openssl/lhash.h>
63#include <openssl/x509.h> 63#include <openssl/x509.h>
64#include <openssl/x509v3.h> 64#include <openssl/x509v3.h>
65#include "x509_lcl.h"
65 66
66X509_LOOKUP * 67X509_LOOKUP *
67X509_LOOKUP_new(X509_LOOKUP_METHOD *method) 68X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
@@ -632,6 +633,8 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
632 X509_NAME *xn; 633 X509_NAME *xn;
633 X509_OBJECT obj, *pobj; 634 X509_OBJECT obj, *pobj;
634 int i, ok, idx, ret; 635 int i, ok, idx, ret;
636
637 *issuer = NULL;
635 xn = X509_get_issuer_name(x); 638 xn = X509_get_issuer_name(x);
636 ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj); 639 ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj);
637 if (ok != X509_LU_X509) { 640 if (ok != X509_LU_X509) {
@@ -649,8 +652,10 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
649 } 652 }
650 /* If certificate matches all OK */ 653 /* If certificate matches all OK */
651 if (ctx->check_issued(ctx, x, obj.data.x509)) { 654 if (ctx->check_issued(ctx, x, obj.data.x509)) {
652 *issuer = obj.data.x509; 655 if (x509_check_cert_time(ctx, obj.data.x509, 1)) {
653 return 1; 656 *issuer = obj.data.x509;
657 return 1;
658 }
654 } 659 }
655 X509_OBJECT_free_contents(&obj); 660 X509_OBJECT_free_contents(&obj);
656 661
@@ -670,13 +675,21 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
670 break; 675 break;
671 if (ctx->check_issued(ctx, x, pobj->data.x509)) { 676 if (ctx->check_issued(ctx, x, pobj->data.x509)) {
672 *issuer = pobj->data.x509; 677 *issuer = pobj->data.x509;
673 X509_OBJECT_up_ref_count(pobj);
674 ret = 1; 678 ret = 1;
675 break; 679 /*
680 * If times check, exit with match,
681 * otherwise keep looking. Leave last
682 * match in issuer so we return nearest
683 * match if no certificate time is OK.
684 */
685 if (x509_check_cert_time(ctx, *issuer, 1))
686 break;
676 } 687 }
677 } 688 }
678 } 689 }
679 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 690 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
691 if (*issuer)
692 CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
680 return ret; 693 return ret;
681} 694}
682 695
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index f7feb85f36..9d7a7d1228 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_vfy.c,v 1.33 2014/07/11 08:44:49 jsing Exp $ */ 1/* $OpenBSD: x509_vfy.c,v 1.34 2014/07/11 12:52:41 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -73,6 +73,7 @@
73#include <openssl/objects.h> 73#include <openssl/objects.h>
74#include <openssl/x509.h> 74#include <openssl/x509.h>
75#include <openssl/x509v3.h> 75#include <openssl/x509v3.h>
76#include "x509_lcl.h"
76 77
77/* CRL score values */ 78/* CRL score values */
78 79
@@ -408,14 +409,17 @@ static X509 *
408find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) 409find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
409{ 410{
410 int i; 411 int i;
411 X509 *issuer; 412 X509 *issuer, *rv = NULL;
412 413
413 for (i = 0; i < sk_X509_num(sk); i++) { 414 for (i = 0; i < sk_X509_num(sk); i++) {
414 issuer = sk_X509_value(sk, i); 415 issuer = sk_X509_value(sk, i);
415 if (ctx->check_issued(ctx, x, issuer)) 416 if (ctx->check_issued(ctx, x, issuer)) {
416 return issuer; 417 rv = issuer;
418 if (x509_check_cert_time(ctx, rv, 1))
419 break;
420 }
417 } 421 }
418 return NULL; 422 return rv;
419} 423}
420 424
421/* Given a possible certificate and issuer check them */ 425/* Given a possible certificate and issuer check them */
@@ -1492,8 +1496,8 @@ check_policy(X509_STORE_CTX *ctx)
1492 return 1; 1496 return 1;
1493} 1497}
1494 1498
1495static int 1499int
1496check_cert_time(X509_STORE_CTX *ctx, X509 *x) 1500x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
1497{ 1501{
1498 time_t *ptime; 1502 time_t *ptime;
1499 int i; 1503 int i;
@@ -1505,6 +1509,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1505 1509
1506 i = X509_cmp_time(X509_get_notBefore(x), ptime); 1510 i = X509_cmp_time(X509_get_notBefore(x), ptime);
1507 if (i == 0) { 1511 if (i == 0) {
1512 if (quiet)
1513 return 0;
1508 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 1514 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1509 ctx->current_cert = x; 1515 ctx->current_cert = x;
1510 if (!ctx->verify_cb(0, ctx)) 1516 if (!ctx->verify_cb(0, ctx))
@@ -1512,6 +1518,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1512 } 1518 }
1513 1519
1514 if (i > 0) { 1520 if (i > 0) {
1521 if (quiet)
1522 return 0;
1515 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID; 1523 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1516 ctx->current_cert = x; 1524 ctx->current_cert = x;
1517 if (!ctx->verify_cb(0, ctx)) 1525 if (!ctx->verify_cb(0, ctx))
@@ -1520,6 +1528,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1520 1528
1521 i = X509_cmp_time(X509_get_notAfter(x), ptime); 1529 i = X509_cmp_time(X509_get_notAfter(x), ptime);
1522 if (i == 0) { 1530 if (i == 0) {
1531 if (quiet)
1532 return 0;
1523 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; 1533 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1524 ctx->current_cert = x; 1534 ctx->current_cert = x;
1525 if (!ctx->verify_cb(0, ctx)) 1535 if (!ctx->verify_cb(0, ctx))
@@ -1527,6 +1537,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1527 } 1537 }
1528 1538
1529 if (i < 0) { 1539 if (i < 0) {
1540 if (quiet)
1541 return 0;
1530 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED; 1542 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1531 ctx->current_cert = x; 1543 ctx->current_cert = x;
1532 if (!ctx->verify_cb(0, ctx)) 1544 if (!ctx->verify_cb(0, ctx))
@@ -1597,7 +1609,7 @@ internal_verify(X509_STORE_CTX *ctx)
1597 1609
1598 xs->valid = 1; 1610 xs->valid = 1;
1599 1611
1600 ok = check_cert_time(ctx, xs); 1612 ok = x509_check_cert_time(ctx, xs, 0);
1601 if (!ok) 1613 if (!ok)
1602 goto end; 1614 goto end;
1603 1615
diff --git a/src/lib/libssl/src/crypto/x509/x509_lcl.h b/src/lib/libssl/src/crypto/x509/x509_lcl.h
new file mode 100644
index 0000000000..b16df78ad7
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509/x509_lcl.h
@@ -0,0 +1,59 @@
1/* x509_lcl.h */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2013.
4 */
5/* ====================================================================
6 * Copyright (c) 2013 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
diff --git a/src/lib/libssl/src/crypto/x509/x509_lu.c b/src/lib/libssl/src/crypto/x509/x509_lu.c
index 8d3e4f4dce..b522c88c25 100644
--- a/src/lib/libssl/src/crypto/x509/x509_lu.c
+++ b/src/lib/libssl/src/crypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_lu.c,v 1.16 2014/07/11 08:44:49 jsing Exp $ */ 1/* $OpenBSD: x509_lu.c,v 1.17 2014/07/11 12:52:41 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -62,6 +62,7 @@
62#include <openssl/lhash.h> 62#include <openssl/lhash.h>
63#include <openssl/x509.h> 63#include <openssl/x509.h>
64#include <openssl/x509v3.h> 64#include <openssl/x509v3.h>
65#include "x509_lcl.h"
65 66
66X509_LOOKUP * 67X509_LOOKUP *
67X509_LOOKUP_new(X509_LOOKUP_METHOD *method) 68X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
@@ -632,6 +633,8 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
632 X509_NAME *xn; 633 X509_NAME *xn;
633 X509_OBJECT obj, *pobj; 634 X509_OBJECT obj, *pobj;
634 int i, ok, idx, ret; 635 int i, ok, idx, ret;
636
637 *issuer = NULL;
635 xn = X509_get_issuer_name(x); 638 xn = X509_get_issuer_name(x);
636 ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj); 639 ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj);
637 if (ok != X509_LU_X509) { 640 if (ok != X509_LU_X509) {
@@ -649,8 +652,10 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
649 } 652 }
650 /* If certificate matches all OK */ 653 /* If certificate matches all OK */
651 if (ctx->check_issued(ctx, x, obj.data.x509)) { 654 if (ctx->check_issued(ctx, x, obj.data.x509)) {
652 *issuer = obj.data.x509; 655 if (x509_check_cert_time(ctx, obj.data.x509, 1)) {
653 return 1; 656 *issuer = obj.data.x509;
657 return 1;
658 }
654 } 659 }
655 X509_OBJECT_free_contents(&obj); 660 X509_OBJECT_free_contents(&obj);
656 661
@@ -670,13 +675,21 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
670 break; 675 break;
671 if (ctx->check_issued(ctx, x, pobj->data.x509)) { 676 if (ctx->check_issued(ctx, x, pobj->data.x509)) {
672 *issuer = pobj->data.x509; 677 *issuer = pobj->data.x509;
673 X509_OBJECT_up_ref_count(pobj);
674 ret = 1; 678 ret = 1;
675 break; 679 /*
680 * If times check, exit with match,
681 * otherwise keep looking. Leave last
682 * match in issuer so we return nearest
683 * match if no certificate time is OK.
684 */
685 if (x509_check_cert_time(ctx, *issuer, 1))
686 break;
676 } 687 }
677 } 688 }
678 } 689 }
679 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 690 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
691 if (*issuer)
692 CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
680 return ret; 693 return ret;
681} 694}
682 695
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index f7feb85f36..9d7a7d1228 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_vfy.c,v 1.33 2014/07/11 08:44:49 jsing Exp $ */ 1/* $OpenBSD: x509_vfy.c,v 1.34 2014/07/11 12:52:41 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -73,6 +73,7 @@
73#include <openssl/objects.h> 73#include <openssl/objects.h>
74#include <openssl/x509.h> 74#include <openssl/x509.h>
75#include <openssl/x509v3.h> 75#include <openssl/x509v3.h>
76#include "x509_lcl.h"
76 77
77/* CRL score values */ 78/* CRL score values */
78 79
@@ -408,14 +409,17 @@ static X509 *
408find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) 409find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
409{ 410{
410 int i; 411 int i;
411 X509 *issuer; 412 X509 *issuer, *rv = NULL;
412 413
413 for (i = 0; i < sk_X509_num(sk); i++) { 414 for (i = 0; i < sk_X509_num(sk); i++) {
414 issuer = sk_X509_value(sk, i); 415 issuer = sk_X509_value(sk, i);
415 if (ctx->check_issued(ctx, x, issuer)) 416 if (ctx->check_issued(ctx, x, issuer)) {
416 return issuer; 417 rv = issuer;
418 if (x509_check_cert_time(ctx, rv, 1))
419 break;
420 }
417 } 421 }
418 return NULL; 422 return rv;
419} 423}
420 424
421/* Given a possible certificate and issuer check them */ 425/* Given a possible certificate and issuer check them */
@@ -1492,8 +1496,8 @@ check_policy(X509_STORE_CTX *ctx)
1492 return 1; 1496 return 1;
1493} 1497}
1494 1498
1495static int 1499int
1496check_cert_time(X509_STORE_CTX *ctx, X509 *x) 1500x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
1497{ 1501{
1498 time_t *ptime; 1502 time_t *ptime;
1499 int i; 1503 int i;
@@ -1505,6 +1509,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1505 1509
1506 i = X509_cmp_time(X509_get_notBefore(x), ptime); 1510 i = X509_cmp_time(X509_get_notBefore(x), ptime);
1507 if (i == 0) { 1511 if (i == 0) {
1512 if (quiet)
1513 return 0;
1508 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 1514 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1509 ctx->current_cert = x; 1515 ctx->current_cert = x;
1510 if (!ctx->verify_cb(0, ctx)) 1516 if (!ctx->verify_cb(0, ctx))
@@ -1512,6 +1518,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1512 } 1518 }
1513 1519
1514 if (i > 0) { 1520 if (i > 0) {
1521 if (quiet)
1522 return 0;
1515 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID; 1523 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1516 ctx->current_cert = x; 1524 ctx->current_cert = x;
1517 if (!ctx->verify_cb(0, ctx)) 1525 if (!ctx->verify_cb(0, ctx))
@@ -1520,6 +1528,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1520 1528
1521 i = X509_cmp_time(X509_get_notAfter(x), ptime); 1529 i = X509_cmp_time(X509_get_notAfter(x), ptime);
1522 if (i == 0) { 1530 if (i == 0) {
1531 if (quiet)
1532 return 0;
1523 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; 1533 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1524 ctx->current_cert = x; 1534 ctx->current_cert = x;
1525 if (!ctx->verify_cb(0, ctx)) 1535 if (!ctx->verify_cb(0, ctx))
@@ -1527,6 +1537,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1527 } 1537 }
1528 1538
1529 if (i < 0) { 1539 if (i < 0) {
1540 if (quiet)
1541 return 0;
1530 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED; 1542 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1531 ctx->current_cert = x; 1543 ctx->current_cert = x;
1532 if (!ctx->verify_cb(0, ctx)) 1544 if (!ctx->verify_cb(0, ctx))
@@ -1597,7 +1609,7 @@ internal_verify(X509_STORE_CTX *ctx)
1597 1609
1598 xs->valid = 1; 1610 xs->valid = 1;
1599 1611
1600 ok = check_cert_time(ctx, xs); 1612 ok = x509_check_cert_time(ctx, xs, 0);
1601 if (!ok) 1613 if (!ok)
1602 goto end; 1614 goto end;
1603 1615
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-02 20:49:14 +0000