From 4abed603e66e229dd22adefec8520b9a472ed533 Mon Sep 17 00:00:00 2001 From: beck <> Date: Tue, 15 Sep 2020 11:55:14 +0000 Subject: Deduplicate the time validation code between the legacy and new verification code. ok jsing@ --- src/lib/libcrypto/x509/x509_internal.h | 5 ++++- src/lib/libcrypto/x509/x509_verify.c | 4 ++-- src/lib/libcrypto/x509/x509_vfy.c | 26 ++------------------------ 3 files changed, 8 insertions(+), 27 deletions(-) (limited to 'src/lib/libcrypto') diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h index ced6b306e5..9d69055afa 100644 --- a/src/lib/libcrypto/x509/x509_internal.h +++ b/src/lib/libcrypto/x509/x509_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_internal.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */ +/* $OpenBSD: x509_internal.h,v 1.3 2020/09/15 11:55:14 beck Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -87,6 +87,9 @@ int x509_vfy_check_trust(X509_STORE_CTX *ctx); int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); void x509v3_cache_extensions(X509 *x); +int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, + int notafter); + struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots); diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 431f5ab1bc..c3280774f9 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.6 2020/09/14 12:33:51 beck Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.7 2020/09/15 11:55:14 beck Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -484,7 +484,7 @@ x509_verify_set_check_time(struct x509_verify_ctx *ctx) { return 1; } -static int +int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter) { int type; diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 8a616b6bc2..99a699f99e 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.78 2020/09/14 09:09:08 beck Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.79 2020/09/15 11:55:14 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2004,7 +2004,6 @@ X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafte time_t compare; struct tm tm1, tm2; int ret = 0; - int type; if (cmp_time == NULL) compare = time(NULL); @@ -2013,30 +2012,9 @@ X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafte memset(&tm1, 0, sizeof(tm1)); - type = ASN1_time_parse(ctm->data, ctm->length, &tm1, ctm->type); - if (type == -1) + if (!x509_verify_asn1_time_to_tm(ctm, &tm1, clamp_notafter)) goto out; /* invalid time */ - /* RFC 5280 section 4.1.2.5 */ - if (tm1.tm_year < 150 && type != V_ASN1_UTCTIME) - goto out; - if (tm1.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME) - goto out; - - if (clamp_notafter) { - /* Allow for completely broken operating systems. */ - if (!ASN1_time_tm_clamp_notafter(&tm1)) - goto out; - } - - /* - * Defensively fail if the time string is not representable as - * a time_t. A time_t must be sane if you care about times after - * Jan 19 2038. - */ - if (timegm(&tm1) == -1) - goto out; - if (gmtime_r(&compare, &tm2) == NULL) goto out; -- cgit v1.2.3-55-g6feb