From ec59f338ce2a8842a8478c243e444aefb1459dfa Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 27 Aug 2017 01:39:26 +0000
Subject: Make the symbol for ASN1_time_tm_clamp_notafter visible so libtls can get at it, so libtls can also deal with notafter's past the realm of 32 bit time in portable

---
 src/lib/libcrypto/Symbols.list | 1 +
 src/lib/libcrypto/asn1/asn1_locl.h | 4 +---
 src/lib/libcrypto/x509/x509_vfy.c | 4 +++-
 src/lib/libtls/tls_conninfo.c | 6 +++++-
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list
index 2b8557b16a..94442cc5e3 100644
--- a/src/lib/libcrypto/Symbols.list
+++ b/src/lib/libcrypto/Symbols.list
@@ -214,6 +214,7 @@ ASN1_template_free
 ASN1_template_i2d
 ASN1_template_new
 ASN1_time_parse
+ASN1_time_tm_clamp_notafter
 ASN1_time_tm_cmp
 ASN1_unpack_string
 AUTHORITY_INFO_ACCESS_free
diff --git a/src/lib/libcrypto/asn1/asn1_locl.h b/src/lib/libcrypto/asn1/asn1_locl.h
index 68f71dfc4a..aa35f7b8fc 100644
--- a/src/lib/libcrypto/asn1/asn1_locl.h
+++ b/src/lib/libcrypto/asn1/asn1_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_locl.h,v 1.9 2017/08/13 19:47:49 beck Exp $ */
+/* $OpenBSD: asn1_locl.h,v 1.10 2017/08/27 01:39:26 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -152,6 +152,4 @@ struct x509_crl_method_st {
 int UTF8_getc(const unsigned char *str, int len, unsigned long *val);
 int UTF8_putc(unsigned char *str, int len, unsigned long value);
-int ASN1_time_tm_clamp_notafter(struct tm *tm);
-
 __END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 23ecf63d60..8efff680c1 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.65 2017/08/13 19:47:49 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.66 2017/08/27 01:39:26 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -143,6 +143,8 @@ static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time,
 static int internal_verify(X509_STORE_CTX *ctx);
+int ASN1_time_tm_clamp_notafter(struct tm *tm);
+
 static int
 null_callback(int ok, X509_STORE_CTX *e)
 {
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 87660fa989..e3820988e8 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.15 2017/04/05 03:19:22 beck Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.16 2017/08/27 01:39:26 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing
  * Copyright (c) 2015 Bob Beck
@@ -23,6 +23,8 @@
 #include
 #include "tls_internal.h"
+int ASN1_time_tm_clamp_notafter(struct tm *tm);
+
 int
 tls_hex_string(const unsigned char *in, size_t inlen, char **out,
     size_t *outlen)
@@ -121,6 +123,8 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
 		goto err;
 	if (ASN1_time_parse(after->data, after->length, &after_tm, 0) == -1)
 		goto err;
+	if (!ASN1_time_tm_clamp_notafter(&after_tm))
+		goto err;
 	if ((*notbefore = timegm(&before_tm)) == -1)
 		goto err;
 	if ((*notafter = timegm(&after_tm)) == -1)
-- 
cgit v1.2.3-55-g6feb
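Review bot: The prototype `int ASN1_time_tm_clamp_notafter(struct tm *tm);` added after internal_verify() in x509_vfy.c is a hand-copied declaration with no header behind it: the same commit removes the only shared declaration from asn1_locl.h (whose declarations sit inside the `__END_HIDDEN_DECLS` block and so cannot serve an exported symbol), and the first hunk of tls_conninfo.c repeats the same copy. With two loose copies and the definition elsewhere, the compiler can no longer catch a signature drift between the function and its callers. A single declaration in a header both libcrypto and libtls include would be preferable; failing that, a comment on each copy such as `/* Exported from libcrypto (see Symbols.list); keep in sync with the definition. */` would at least record where the contract lives.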
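Review bot: The new `if (!ASN1_time_tm_clamp_notafter(&after_tm)) goto err;` changes what this function reports on platforms with a 32-bit time_t without saying so: the function's name and the commit message indicate that a notAfter beyond the representable range is clamped rather than rejected, so a caller reading the notafter output cannot tell a genuine expiry from the clamp ceiling. That is a reasonable choice for a conninfo field, but it deserves a comment at the call site, e.g. `/* On 32-bit time_t a notAfter past the representable range is clamped to the maximum, not rejected. */`. Only after_tm is clamped; a notBefore outside the range presumably still fails the timegm() check below, which looks intentional (such a certificate is not yet valid) but is worth stating in the same comment. tls_get_peer_cert_times() starts and ends outside the hunk.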