From cd37f401a4c565c94b842aadc87f955ef1615025 Mon Sep 17 00:00:00 2001 From: beck <> Date: Mon, 27 Jun 2016 15:42:33 +0000 Subject: Incorrect/unneeded fix for 5.8 noticed by jsing@ --- src/lib/libssl/src/crypto/ocsp/ocsp_cl.c | 38 ++++++------------------------- src/lib/libssl/src/crypto/ocsp/ocsp_srv.c | 4 ++-- 2 files changed, 9 insertions(+), 33 deletions(-) (limited to 'src/lib/libssl') diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c b/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c index 811101f385..d4f847023b 100644 --- a/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c +++ b/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_cl.c,v 1.8.6.1 2016/06/25 16:42:40 beck Exp $ */ +/* $OpenBSD: ocsp_cl.c,v 1.8.6.2 2016/06/27 15:42:31 beck Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ @@ -71,9 +71,6 @@ #include #include -int asn1_time_parse(const char *, size_t, struct tm *, int); -int asn1_tm_cmp(struct tm *, struct tm *); - /* Utility functions related to sending OCSP requests and extracting * relevant information from the response. */ @@ -332,43 +329,25 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, { int ret = 1; time_t t_now, t_tmp; - struct tm tm_this, tm_next, tm_tmp; time(&t_now); - - /* - * Times must explicitly be a GENERALIZEDTIME as per section - * 4.2.2.1 of RFC 6960 - It is invalid to accept other times - * (such as UTCTIME permitted/required by RFC 5280 for certificates) - */ - /* Check thisUpdate is valid and not more than nsec in the future */ - if (asn1_time_parse(thisupd->data, thisupd->length, &tm_this, - V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { + if (!ASN1_GENERALIZEDTIME_check(thisupd)) { OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD); ret = 0; } else { t_tmp = t_now + nsec; - if (gmtime_r(&t_tmp, &tm_tmp) == NULL) - return 0; - if (asn1_tm_cmp(&tm_this, &tm_tmp) > 0) { + if (X509_cmp_time(thisupd, &t_tmp) > 0) { OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID); ret = 0; } - /* - * If maxsec specified check thisUpdate is not more than maxsec - * in the past - */ + /* If maxsec specified check thisUpdate is not more than maxsec in the past */ if (maxsec >= 0) { t_tmp = t_now - maxsec; - if (gmtime_r(&t_tmp, &tm_tmp) == NULL) - return 0; - if (gmtime_r(&t_tmp, &tm_tmp) == NULL) - return 0; - if (asn1_tm_cmp(&tm_this, &tm_tmp) < 0) { + if (X509_cmp_time(thisupd, &t_tmp) < 0) { OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD); ret = 0; @@ -380,16 +359,13 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, return ret; /* Check nextUpdate is valid and not more than nsec in the past */ - if (asn1_time_parse(nextupd->data, nextupd->length, &tm_next, - V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { + if (!ASN1_GENERALIZEDTIME_check(nextupd)) { OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); ret = 0; } else { t_tmp = t_now - nsec; - if (gmtime_r(&t_tmp, &tm_tmp) == NULL) - return 0; - if (asn1_tm_cmp(&tm_next, &tm_tmp) < 0) { + if (X509_cmp_time(nextupd, &t_tmp) < 0) { OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED); ret = 0; diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c index a215c4ac0e..be462141a4 100644 --- a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c +++ b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_srv.c,v 1.7.6.1 2016/06/25 16:42:40 beck Exp $ */ +/* $OpenBSD: ocsp_srv.c,v 1.7.6.2 2016/06/27 15:42:31 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -260,7 +260,7 @@ OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, } if (!(flags & OCSP_NOTIME) && - !ASN1_GENERALIZEDTIME_set(brsp->tbsResponseData->producedAt, time(NULL))) + !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0)) goto err; /* Right now, I think that not doing double hashing is the right -- cgit v1.2.3-55-g6feb