From 0e84a3939e912f6a384416b3af214fe8d44ff343 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 14 Sep 2015 16:16:38 +0000 Subject: Provide tls_config_insecure_noverifytime() in order to be able to disable certificate validity checking. ok beck@ --- src/lib/libtls/Makefile | 3 ++- src/lib/libtls/tls.c | 7 ++++++- src/lib/libtls/tls.h | 3 ++- src/lib/libtls/tls_config.c | 9 ++++++++- src/lib/libtls/tls_init.3 | 10 +++++++++- src/lib/libtls/tls_internal.h | 3 ++- 6 files changed, 29 insertions(+), 6 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile index 2e6c48716c..679aabb9ed 100644 --- a/src/lib/libtls/Makefile +++ b/src/lib/libtls/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.20 2015/09/14 14:29:30 jmc Exp $ +# $OpenBSD: Makefile,v 1.21 2015/09/14 16:16:38 jsing Exp $ CFLAGS+= -Wall -Werror -Wimplicit CFLAGS+= -DLIBRESSL_INTERNAL @@ -44,6 +44,7 @@ MLINKS+=tls_init.3 tls_config_prefer_ciphers_server.3 MLINKS+=tls_init.3 tls_config_clear_keys.3 MLINKS+=tls_init.3 tls_config_insecure_noverifycert.3 MLINKS+=tls_init.3 tls_config_insecure_noverifyname.3 +MLINKS+=tls_init.3 tls_config_insecure_noverifytime.3 MLINKS+=tls_init.3 tls_config_verify.3 MLINKS+=tls_init.3 tls_config_verify_client.3 MLINKS+=tls_init.3 tls_config_verify_client_optional.3 diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 236ed9185b..ac9262a4fc 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.31 2015/09/14 12:29:16 jsing Exp $ */ +/* $OpenBSD: tls.c,v 1.32 2015/09/14 16:16:38 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -257,6 +257,11 @@ tls_configure_ssl(struct tls *ctx) } } + if (ctx->config->verify_time == 0) { + X509_VERIFY_PARAM_set_flags(ctx->ssl_ctx->param, + X509_V_FLAG_NO_CHECK_TIME); + } + return (0); err: diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h index 442fe35064..670ad0d711 100644 --- a/src/lib/libtls/tls.h +++ b/src/lib/libtls/tls.h 
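Review bot: The added check in tls_configure_ssl() only tests `ctx->config->verify_time == 0`, so whether time validation stays on by default depends on that field being set to 1 somewhere this diff does not show; the tls_internal.h hunk that adds `int verify_time;` carries no initialiser, and if tls_config_new() obtains its struct via calloc() without routing defaults through tls_config_verify(), every connection would silently get X509_V_FLAG_NO_CHECK_TIME. Worth confirming in the same commit that tls_config_new() calls tls_config_verify() or assigns verify_time explicitly. A one-line comment above the check would make the intent visible to the next reader: `/* verify_time is cleared only by tls_config_insecure_noverifytime(). */`. tls_configure_ssl() starts and ends outside this hunk.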
@@ -1,4 +1,4 @@ -/* $OpenBSD: tls.h,v 1.23 2015/09/13 10:32:46 beck Exp $ */ +/* $OpenBSD: tls.h,v 1.24 2015/09/14 16:16:38 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -71,6 +71,7 @@ void tls_config_prefer_ciphers_server(struct tls_config *_config); void tls_config_insecure_noverifycert(struct tls_config *_config); void tls_config_insecure_noverifyname(struct tls_config *_config); +void tls_config_insecure_noverifytime(struct tls_config *_config); void tls_config_verify(struct tls_config *_config); void tls_config_verify_client(struct tls_config *_config); diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 4d536853c8..d5beb38f3e 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.12 2015/09/10 09:10:42 jsing Exp $ */ +/* $OpenBSD: tls_config.c,v 1.13 2015/09/14 16:16:38 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -308,11 +308,18 @@ tls_config_insecure_noverifyname(struct tls_config *config) config->verify_name = 0; } +void +tls_config_insecure_noverifytime(struct tls_config *config) +{ + config->verify_time = 0; +} + void tls_config_verify(struct tls_config *config) { config->verify_cert = 1; config->verify_name = 1; + config->verify_time = 1; } void diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 index feef85dcb6..12a8e4bcf7 100644 --- a/src/lib/libtls/tls_init.3 +++ b/src/lib/libtls/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_init.3,v 1.47 2015/09/14 15:14:55 schwarze Exp $ +.\" $OpenBSD: tls_init.3,v 1.48 2015/09/14 16:16:38 jsing Exp $ .\" .\" Copyright (c) 2014 Ted Unangst .\" @@ -40,6 +40,7 @@ .Nm tls_config_clear_keys , .Nm tls_config_insecure_noverifycert , .Nm tls_config_insecure_noverifyname , +.Nm tls_config_insecure_noverifytime , .Nm tls_config_verify , .Nm tls_config_verify_client , .Nm tls_config_verify_client_optional , 
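Review bot: tls_config_verify() now also restores `config->verify_time`, but the manual text for it in the tls_init.3 hunk at @@ -365 still reads "reenables server name and certificate verification." and does not mention the validity period, so callers cannot tell that it undoes tls_config_insecure_noverifytime(); it should read something like `reenables server name, certificate and certificate validity period verification.`. In that same hunk the new entry "disables validity checking of certificate." is ambiguous about which check is skipped; `disables checking of the certificate validity period (notBefore/notAfter).` names the check that X509_V_FLAG_NO_CHECK_TIME removes. The C side of tls_config_insecure_noverifytime() itself follows the existing noverifycert/noverifyname pattern and needs no change.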
@@ -114,6 +115,8 @@ .Ft "void" .Fn tls_config_insecure_noverifyname "struct tls_config *config" .Ft "void" +.Fn tls_config_insecure_noverifytime "struct tls_config *config" +.Ft "void" .Fn tls_config_verify "struct tls_config *config" .Ft "void" .Fn tls_config_verify_client "struct tls_config *config" @@ -365,6 +368,11 @@ disables server name verification. Be careful when using this option. .Em (Client) .It +.Fn tls_config_insecure_noverifytime +disables validity checking of certificate. +Be careful when using this option. +.Em (Client and server) +.It .Fn tls_config_verify reenables server name and certificate verification. .Em (Client) diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 320f1fbfaa..8128c05dfc 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.23 2015/09/14 12:29:16 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.24 2015/09/14 16:16:38 jsing Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * Copyright (c) 2014 Joel Sing @@ -46,6 +46,7 @@ struct tls_config { int verify_client; int verify_depth; int verify_name; + int verify_time; }; struct tls_conninfo { -- cgit v1.2.3-55-g6feb