From 0f763b25777f63f3832ab70f6b1fccb6ee041476 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 14 Sep 2015 16:13:39 +0000 Subject: Add support for disabling certificate and CRL validity checking. Loosely based on changes in OpenSSL. ok beck@ --- src/lib/libcrypto/x509/x509_vfy.c | 21 ++++++++++++--------- src/lib/libcrypto/x509/x509_vfy.h | 5 +++-- src/lib/libssl/src/crypto/x509/x509_vfy.c | 21 ++++++++++++--------- src/lib/libssl/src/crypto/x509/x509_vfy.h | 5 +++-- 4 files changed, 30 insertions(+), 22 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index f2dc356dc8..8d4d15668e 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.44 2015/07/19 05:42:55 miod Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.45 2015/09/14 16:13:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -758,15 +758,17 @@ err: static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { - time_t *ptime; + time_t *ptime = NULL; int i; - if (notify) - ctx->current_crl = crl; + if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) + return (1); + if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; - else - ptime = NULL; + + if (notify) + ctx->current_crl = crl; i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); if (i == 0) { @@ -1489,13 +1491,14 @@ check_policy(X509_STORE_CTX *ctx) int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet) { - time_t *ptime; + time_t *ptime = NULL; int i; + if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) + return (1); + if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; - else - ptime = NULL; i = X509_cmp_time(X509_get_notBefore(x), ptime); if (i == 0) { diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h index e760279b52..e3a1db2407 100644 
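Review bot: In check_crl_time the new early `return (1)` for X509_V_FLAG_NO_CHECK_TIME runs before the relocated `if (notify) ctx->current_crl = crl;`, so with that flag set the function no longer records the CRL it was asked to check, whereas before this commit the assignment was the first thing the function did. If any caller relies on check_crl_time(ctx, crl, 1) to populate ctx->current_crl for a later verify callback (the callers are not visible here), that is a silent regression introduced by the reordering rather than by the flag itself. Moving the two `if (notify)` lines above the NO_CHECK_TIME test keeps the old side effect and changes nothing else. The body of check_crl_time continues past the end of the hunk.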
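Review bot: In x509_check_cert_time the NO_CHECK_TIME test is placed ahead of the X509_V_FLAG_USE_CHECK_TIME test, so when both flags are set the caller-supplied `check_time` is silently ignored, and nothing in the hunk states that precedence. I would add one line above the early return, `/* NO_CHECK_TIME overrides USE_CHECK_TIME: no validity-period check at all. */`, and the same line at the matching spot in check_crl_time, so a reader does not assume the two flags combine. The remainder of x509_check_cert_time, including the notBefore/notAfter error reporting, lies outside the hunk.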
--- a/src/lib/libcrypto/x509/x509_vfy.h +++ b/src/lib/libcrypto/x509/x509_vfy.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.h,v 1.15 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: x509_vfy.h,v 1.16 2015/09/14 16:13:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -383,7 +383,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_USE_DELTAS 0x2000 /* Check selfsigned CA signature */ #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 - +/* Do not check certificate or CRL validity against current time. */ +#define X509_V_FLAG_NO_CHECK_TIME 0x200000 #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c index f2dc356dc8..8d4d15668e 100644 --- a/src/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.44 2015/07/19 05:42:55 miod Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.45 2015/09/14 16:13:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -758,15 +758,17 @@ err: static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { - time_t *ptime; + time_t *ptime = NULL; int i; - if (notify) - ctx->current_crl = crl; + if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) + return (1); + if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; - else - ptime = NULL; + + if (notify) + ctx->current_crl = crl; i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); if (i == 0) { 
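Review bot: The comment on the new X509_V_FLAG_NO_CHECK_TIME define understates what it does: the x509_vfy.c side of this commit returns before the X509_V_FLAG_USE_CHECK_TIME branch, so the flag disables validity-period checks against a caller-supplied check_time as well as against the current time, and it lets expired or not-yet-valid certificates and stale CRLs through verification. Since this is a new public flag the header is where users will look, so I would replace the one-line comment with a short block saying that it skips all certificate and CRL validity-period checks (current time or X509_V_FLAG_USE_CHECK_TIME alike), that it is intended for testing and debugging, and that it must not be set for production verification. The value 0x200000 leaves a gap after 0x4000 and presumably matches OpenSSL's assignment for the same flag, given the commit message; a `/* value kept in sync with OpenSSL */` note beside it would explain the gap to whoever adds the next flag.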
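Review bot: This check_crl_time hunk is a byte-for-byte mirror of the one in src/lib/libcrypto/x509/x509_vfy.c (both file headers carry the same blob index f2dc356dc8..8d4d15668e), so the early `return (1)` that now precedes `if (notify) ctx->current_crl = crl;` drops that side effect here too whenever X509_V_FLAG_NO_CHECK_TIME is set. Any follow-up that hoists the `if (notify)` lines above the flag test in the libcrypto copy must be applied identically in this copy, or the two trees diverge. check_crl_time continues beyond the hunk.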
@@ -1489,13 +1491,14 @@ check_policy(X509_STORE_CTX *ctx) int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet) { - time_t *ptime; + time_t *ptime = NULL; int i; + if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) + return (1); + if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; - else - ptime = NULL; i = X509_cmp_time(X509_get_notBefore(x), ptime); if (i == 0) { diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.h b/src/lib/libssl/src/crypto/x509/x509_vfy.h index e760279b52..e3a1db2407 100644 --- a/src/lib/libssl/src/crypto/x509/x509_vfy.h +++ b/src/lib/libssl/src/crypto/x509/x509_vfy.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.h,v 1.15 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: x509_vfy.h,v 1.16 2015/09/14 16:13:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -383,7 +383,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_USE_DELTAS 0x2000 /* Check selfsigned CA signature */ #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 - +/* Do not check certificate or CRL validity against current time. */ +#define X509_V_FLAG_NO_CHECK_TIME 0x200000 #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 -- cgit v1.2.3-55-g6feb
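Review bot: In this mirrored x509_check_cert_time the NO_CHECK_TIME test again precedes the USE_CHECK_TIME test without a comment, so a caller setting both flags gets no validity check and no hint why. The one-line `/* NO_CHECK_TIME overrides USE_CHECK_TIME: no validity-period check at all. */` proposed for the libcrypto copy belongs here as well, since the two files share the same blob index and are expected to stay identical. The rest of the function is outside the hunk.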
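Review bot: The header comment for X509_V_FLAG_NO_CHECK_TIME in this mirrored x509_vfy.h says the flag skips checks "against current time", but the accompanying x509_vfy.c change returns before the X509_V_FLAG_USE_CHECK_TIME branch, so an explicit check_time is skipped as well and expired certificates and stale CRLs are accepted. Whatever wording is settled on for the libcrypto header (a block noting that all validity-period checks are skipped, that the flag is for testing only, and that 0x200000 is presumably aligned with OpenSSL's value) should be copied verbatim here, since both headers share blob index e760279b52..e3a1db2407 and are meant to be identical.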