3 files changed, 9 insertions, 84 deletions
diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h
index 5215fc0583..c2b2a9ed3d 100644
--- a/src/lib/libcrypto/ts/ts.h
+++ b/src/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.h,v 1.23 2023/11/19 15:46:10 tb Exp $ */
+/* $OpenBSD: ts.h,v 1.24 2024/03/26 00:39:22 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
 * project 2002, 2003, 2004.
 */
@@ -389,8 +389,8 @@ int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
   '0' means sec, '3' msec, '6' usec, and so on. Default is 0. */
 int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
    unsigned clock_precision_digits);
-/* At most we accept usec precision. */
+/* At most we accept sec precision. */
-#define TS_MAX_CLOCK_PRECISION_DIGITS   6
+#define TS_MAX_CLOCK_PRECISION_DIGITS 0
 /* No flags are set by default. */
 void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
diff --git a/src/lib/libcrypto/ts/ts_conf.c b/src/lib/libcrypto/ts/ts_conf.c
index 5d27a8bbc3..ef8569ef04 100644
--- a/src/lib/libcrypto/ts/ts_conf.c
+++ b/src/lib/libcrypto/ts/ts_conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_conf.c,v 1.13 2023/11/19 15:46:10 tb Exp $ */
+/* $OpenBSD: ts_conf.c,v 1.14 2024/03/26 00:39:22 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -437,7 +437,8 @@ TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
        if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS,
            &digits))
                digits = 0;
-        if (digits < 0 || digits > TS_MAX_CLOCK_PRECISION_DIGITS) {
+        /* We only support second precision, so reject everything else */
+        if (digits != 0) {
                TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS);
                goto err;
        }
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index dc8241d2be..e3101340c5 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.34 2024/03/25 07:02:22 beck Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.35 2024/03/26 00:39:22 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -90,9 +90,6 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
 static int TS_TST_INFO_content_new(PKCS7 *p7);
 static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
-static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(
-    ASN1_GENERALIZEDTIME *, time_t, long, unsigned);
 /* Default callbacks for response generation. */
 static ASN1_INTEGER *
@@ -434,7 +431,7 @@ LCRYPTO_ALIAS(TS_RESP_CTX_get_tst_info);
 int
 TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision)
 {
-        if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
+        if (precision > 0)
                return 0;
        ctx->clock_precision_digits = precision;
        return 1;
@@ -650,8 +647,7 @@ TS_RESP_create_tst_info(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
            !TS_TST_INFO_set_serial(tst_info, serial))
                goto end;
        if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec) ||
-            !(asn1_time = TS_RESP_set_genTime_with_precision(NULL, sec, usec,
+            ((asn1_time = ASN1_GENERALIZEDTIME_set(NULL, sec)) == NULL) ||
-            ctx->clock_precision_digits)) ||
            !TS_TST_INFO_set_time(tst_info, asn1_time))
                goto end;
@@ -984,75 +980,3 @@ err:
        return 0;
 }
-static ASN1_GENERALIZEDTIME *
-TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
-    time_t sec, long usec, unsigned precision)
-{
-        struct tm tm;
-        char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS];
-        char usecstr[TS_MAX_CLOCK_PRECISION_DIGITS + 2];
-        char *p;
-        int rv;
-        if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
-                goto err;
-        if (OPENSSL_gmtime(&sec, &tm) == NULL)
-                goto err;
-        /*
-         * Put "genTime_str" in GeneralizedTime format.  We work around the
-         * restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST
-         * NOT include fractional seconds") and OpenSSL related functions to
-         * meet the rfc3161 requirement: "GeneralizedTime syntax can include
-         * fraction-of-second details".
-         */
-        if (precision > 0) {
-                /* To make things a bit harder, X.690 | ISO/IEC 8825-1 provides
-                   the following restrictions for a DER-encoding, which OpenSSL
-                   (specifically ASN1_GENERALIZEDTIME_check() function) doesn't
-                   support:
-                   "The encoding MUST terminate with a "Z" (which means "Zulu"
-                   time). The decimal point element, if present, MUST be the
-                   point option ".". The fractional-seconds elements,
-                   if present, MUST omit all trailing 0's;
-                   if the elements correspond to 0, they MUST be wholly
-                   omitted, and the decimal point element also MUST be
-                   omitted." */
-                (void) snprintf(usecstr, sizeof(usecstr), ".%06ld", usec);
-                /* truncate and trim trailing 0 */
-                usecstr[precision + 1] = '\0';
-                p = usecstr + strlen(usecstr) - 1;
-                while (p > usecstr && *p == '0')
-                        *p-- = '\0';
-                /* if we've reached the beginning, delete the . too */
-                if (p == usecstr)
-                        *p = '\0';
-        } else {
-                /* empty */
-                usecstr[0] = '\0';
-        }
-        rv = snprintf(genTime_str, sizeof(genTime_str),
-            "%04d%02d%02d%02d%02d%02d%sZ",
-            tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
-            tm.tm_hour, tm.tm_min, tm.tm_sec, usecstr);
-        if (rv < 0 || rv >= sizeof(genTime_str))
-                goto err;
-        /* Now call OpenSSL to check and set our genTime value */
-        if (!asn1_time && !(asn1_time = ASN1_GENERALIZEDTIME_new()))
-                goto err;
-        if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str)) {
-                ASN1_GENERALIZEDTIME_free(asn1_time);
-                goto err;
-        }
-        return asn1_time;
-err:
-        TSerror(TS_R_COULD_NOT_SET_TIME);
-        return NULL;
-}

diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h index 5215fc0583..c2b2a9ed3d 100644 --- a/src/lib/libcrypto/ts/ts.h +++ b/src/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts.h,v 1.23 2023/11/19 15:46:10 tb Exp $ */	1	/* $OpenBSD: ts.h,v 1.24 2024/03/26 00:39:22 beck Exp $ */
2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
3	* project 2002, 2003, 2004.	3	* project 2002, 2003, 2004.
4	*/	4	*/
@@ -389,8 +389,8 @@ int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
389	'0' means sec, '3' msec, '6' usec, and so on. Default is 0. */	389	'0' means sec, '3' msec, '6' usec, and so on. Default is 0. */
390	int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,	390	int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
391	unsigned clock_precision_digits);	391	unsigned clock_precision_digits);
392	/* At most we accept usec precision. */	392	/* At most we accept sec precision. */
393	#define TS_MAX_CLOCK_PRECISION_DIGITS 6	393	#define TS_MAX_CLOCK_PRECISION_DIGITS 0
394		394
395	/* No flags are set by default. */	395	/* No flags are set by default. */
396	void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);	396	void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);


diff --git a/src/lib/libcrypto/ts/ts_conf.c b/src/lib/libcrypto/ts/ts_conf.c index 5d27a8bbc3..ef8569ef04 100644 --- a/src/lib/libcrypto/ts/ts_conf.c +++ b/src/lib/libcrypto/ts/ts_conf.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_conf.c,v 1.13 2023/11/19 15:46:10 tb Exp $ */	1	/* $OpenBSD: ts_conf.c,v 1.14 2024/03/26 00:39:22 beck Exp $ */
2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3	* project 2002.	3	* project 2002.
4	*/	4	*/
@@ -437,7 +437,8 @@ TS_CONF_set_clock_precision_digits(CONF conf, const char section,
437	if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS,	437	if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS,
438	&digits))	438	&digits))
439	digits = 0;	439	digits = 0;
440	if (digits < 0 \|\| digits > TS_MAX_CLOCK_PRECISION_DIGITS) {	440	/* We only support second precision, so reject everything else */
		441	if (digits != 0) {
441	TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS);	442	TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS);
442	goto err;	443	goto err;
443	}	444	}


diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c index dc8241d2be..e3101340c5 100644 --- a/src/lib/libcrypto/ts/ts_rsp_sign.c +++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_rsp_sign.c,v 1.34 2024/03/25 07:02:22 beck Exp $ */	1	/* $OpenBSD: ts_rsp_sign.c,v 1.35 2024/03/26 00:39:22 beck Exp $ */
2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3	* project 2002.	3	* project 2002.
4	*/	4	*/
@@ -90,9 +90,6 @@ static ESS_CERT_ID ESS_CERT_ID_new_init(X509 cert, int issuer_needed);
90	static int TS_TST_INFO_content_new(PKCS7 *p7);	90	static int TS_TST_INFO_content_new(PKCS7 *p7);
91	static int ESS_add_signing_cert(PKCS7_SIGNER_INFO si, ESS_SIGNING_CERT sc);	91	static int ESS_add_signing_cert(PKCS7_SIGNER_INFO si, ESS_SIGNING_CERT sc);
92		92
93	static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(
94	ASN1_GENERALIZEDTIME *, time_t, long, unsigned);
95
96	/* Default callbacks for response generation. */	93	/* Default callbacks for response generation. */
97		94
98	static ASN1_INTEGER *	95	static ASN1_INTEGER *
@@ -434,7 +431,7 @@ LCRYPTO_ALIAS(TS_RESP_CTX_get_tst_info);
434	int	431	int
435	TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision)	432	TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision)
436	{	433	{
437	if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)	434	if (precision > 0)
438	return 0;	435	return 0;
439	ctx->clock_precision_digits = precision;	436	ctx->clock_precision_digits = precision;
440	return 1;	437	return 1;
@@ -650,8 +647,7 @@ TS_RESP_create_tst_info(TS_RESP_CTX ctx, ASN1_OBJECT policy)
650	!TS_TST_INFO_set_serial(tst_info, serial))	647	!TS_TST_INFO_set_serial(tst_info, serial))
651	goto end;	648	goto end;
652	if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec) \|\|	649	if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec) \|\|
653	!(asn1_time = TS_RESP_set_genTime_with_precision(NULL, sec, usec,	650	((asn1_time = ASN1_GENERALIZEDTIME_set(NULL, sec)) == NULL) \|\|
654	ctx->clock_precision_digits)) \|\|
655	!TS_TST_INFO_set_time(tst_info, asn1_time))	651	!TS_TST_INFO_set_time(tst_info, asn1_time))
656	goto end;	652	goto end;
657		653
@@ -984,75 +980,3 @@ err:
984		980
985	return 0;	981	return 0;
986	}	982	}
987
988
989	static ASN1_GENERALIZEDTIME *
990	TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
991	time_t sec, long usec, unsigned precision)
992	{
993	struct tm tm;
994	char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS];
995	char usecstr[TS_MAX_CLOCK_PRECISION_DIGITS + 2];
996	char *p;
997	int rv;
998
999	if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
1000	goto err;
1001
1002	if (OPENSSL_gmtime(&sec, &tm) == NULL)
1003	goto err;
1004
1005	/*
1006	* Put "genTime_str" in GeneralizedTime format. We work around the
1007	* restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST
1008	* NOT include fractional seconds") and OpenSSL related functions to
1009	* meet the rfc3161 requirement: "GeneralizedTime syntax can include
1010	* fraction-of-second details".
1011	*/
1012	if (precision > 0) {
1013	/* To make things a bit harder, X.690 \| ISO/IEC 8825-1 provides
1014	the following restrictions for a DER-encoding, which OpenSSL
1015	(specifically ASN1_GENERALIZEDTIME_check() function) doesn't
1016	support:
1017	"The encoding MUST terminate with a "Z" (which means "Zulu"
1018	time). The decimal point element, if present, MUST be the
1019	point option ".". The fractional-seconds elements,
1020	if present, MUST omit all trailing 0's;
1021	if the elements correspond to 0, they MUST be wholly
1022	omitted, and the decimal point element also MUST be
1023	omitted." */
1024	(void) snprintf(usecstr, sizeof(usecstr), ".%06ld", usec);
1025	/* truncate and trim trailing 0 */
1026	usecstr[precision + 1] = '\0';
1027	p = usecstr + strlen(usecstr) - 1;
1028	while (p > usecstr && *p == '0')
1029	*p-- = '\0';
1030	/* if we've reached the beginning, delete the . too */
1031	if (p == usecstr)
1032	*p = '\0';
1033
1034	} else {
1035	/* empty */
1036	usecstr[0] = '\0';
1037	}
1038	rv = snprintf(genTime_str, sizeof(genTime_str),
1039	"%04d%02d%02d%02d%02d%02d%sZ",
1040	tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
1041	tm.tm_hour, tm.tm_min, tm.tm_sec, usecstr);
1042	if (rv < 0 \|\| rv >= sizeof(genTime_str))
1043	goto err;
1044
1045	/* Now call OpenSSL to check and set our genTime value */
1046	if (!asn1_time && !(asn1_time = ASN1_GENERALIZEDTIME_new()))
1047	goto err;
1048	if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str)) {
1049	ASN1_GENERALIZEDTIME_free(asn1_time);
1050	goto err;
1051	}
1052
1053	return asn1_time;
1054
1055	err:
1056	TSerror(TS_R_COULD_NOT_SET_TIME);
1057	return NULL;
1058	}