From 3b8a78795bef4ca09dc876e28a533d702bf5275d Mon Sep 17 00:00:00 2001
From: beck <>
Date: Fri, 4 Nov 2016 18:07:24 +0000
Subject: make public ASN1_time_parse and ASN1_time_tm_cmp to replace former
 hidden functions. Document with a man page. Bump majors on libtls, libssl,
 libcrypto. ok jsing@ guenther@

---
 src/lib/libcrypto/asn1/a_time_tm.c      | 24 ++++-----
 src/lib/libcrypto/asn1/asn1.h           |  5 +-
 src/lib/libcrypto/man/ASN1_time_parse.3 | 94 +++++++++++++++++++++++++++++++++
 src/lib/libcrypto/man/Makefile          |  3 +-
 src/lib/libcrypto/ocsp/ocsp_cl.c        | 17 +++---
 src/lib/libcrypto/shlib_version         |  4 +-
 src/lib/libcrypto/x509/vpm_int.h        |  0
 src/lib/libcrypto/x509/x509_lcl.h       |  2 -
 src/lib/libcrypto/x509/x509_vfy.c       |  6 +--
 src/lib/libssl/shlib_version            |  4 +-
 src/lib/libtls/shlib_version            |  4 +-
 src/lib/libtls/tls_conninfo.c           |  6 +--
 src/lib/libtls/tls_internal.h           |  4 +-
 src/lib/libtls/tls_ocsp.c               |  3 +-
 14 files changed, 133 insertions(+), 43 deletions(-)
 create mode 100644 src/lib/libcrypto/man/ASN1_time_parse.3
 create mode 100644 src/lib/libcrypto/x509/vpm_int.h


diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c
index aa3cb9994c..fcd3acf9c8 100644
--- a/src/lib/libcrypto/asn1/a_time_tm.c
+++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.9 2015/12/12 21:02:59 beck Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.10 2016/11/04 18:07:23 beck Exp $ */
 /*
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
  *
@@ -30,7 +30,7 @@
 #define UTCTIME_LENGTH 13
 
 int
-asn1_tm_cmp(struct tm *tm1, struct tm *tm2) {
+ASN1_time_tm_cmp(struct tm *tm1, struct tm *tm2) {
 	if (tm1->tm_year < tm2->tm_year)
 		return (-1);
 	if (tm1->tm_year > tm2->tm_year)
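Review bot: Now that ASN1_time_tm_cmp is an exported symbol, its two parameters should be const-qualified, since the visible comparisons only read tm_year and, provided the rest of the body (which continues outside the hunk) is read-only as well, `ASN1_time_tm_cmp(const struct tm *tm1, const struct tm *tm2)` is source- and ABI-compatible for every caller. The same qualifier belongs on the prototype added to asn1.h and in the man page SYNOPSIS; once the symbol ships under the bumped major, widening the contract later costs another ABI bump, so this is the moment to do it. The opening brace left on the signature line is also out of step with the rest of the file, which puts a function's brace on its own line as ASN1_time_parse does below.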
@@ -117,8 +117,8 @@ rfc5280_string_from_tm(struct tm *tm)
  * Parse an RFC 5280 format ASN.1 time string.
  *
  * mode must be:
- * 0 if we expect to parse a time as specified in RFC 5280 from an X509 object.
- * V_ASN1_UTCTIME if we wish to parse on RFC5280 format UTC time.
+ * 0 if we expect to parse a time as specified in RFC 5280 for an X509 object.
+ * V_ASN1_UTCTIME if we wish to parse an RFC5280 format UTC time.
  * V_ASN1_GENERALIZEDTIME if we wish to parse an RFC5280 format Generalized time.
  *
  * Returns:
@@ -130,7 +130,7 @@ rfc5280_string_from_tm(struct tm *tm)
  */
 #define	ATOI2(ar)	((ar) += 2, ((ar)[-2] - '0') * 10 + ((ar)[-1] - '0'))
 int
-asn1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
+ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
 {
 	size_t i;
 	int type = 0;
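Review bot: Every caller in this patch passes an ASN1_STRING `length`, an `int`, into the `size_t len` parameter of the now-public ASN1_time_parse (see the ASN1_TIME_check and ASN1_UTCTIME_check hunks below), so a negative length reaches the function as a very large value; unless the body, which continues outside the hunk, rejects every length other than the fixed UTCTIME/GENTIME sizes, that check is worth confirming before the function is public. Callers also pass NULL for tm to validate without storing (ASN1_TIME_set_string_internal, ASN1_TIME_check), which the header comment above does not mention; add ` * tm may be NULL, in which case the string is only validated.` The comment should also state that bytes need not be NUL-terminated and that at most len bytes are read, since callers hand it raw ASN1_STRING data.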
@@ -218,7 +218,7 @@ ASN1_TIME_set_string_internal(ASN1_TIME *s, const char *str, int mode)
 	int type;
 	char *tmp;
 
-	if ((type = asn1_time_parse(str, strlen(str), NULL, mode)) == -1)
+	if ((type = ASN1_time_parse(str, strlen(str), NULL, mode)) == -1)
 		return (0);
 	if (mode != 0 && mode != type)
 		return (0);
@@ -315,7 +315,7 @@ ASN1_TIME_check(ASN1_TIME *t)
 {
 	if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME)
 		return (0);
-	return (t->type == asn1_time_parse(t->data, t->length, NULL, t->type));
+	return (t->type == ASN1_time_parse(t->data, t->length, NULL, t->type));
 }
 
 ASN1_GENERALIZEDTIME *
@@ -329,7 +329,7 @@ ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
 		return (NULL);
 
 	memset(&tm, 0, sizeof(tm));
-	if (t->type != asn1_time_parse(t->data, t->length, &tm, t->type))
+	if (t->type != ASN1_time_parse(t->data, t->length, &tm, t->type))
 		return (NULL);
 	if ((str = gentime_string_from_tm(&tm)) == NULL)
 		return (NULL);
@@ -364,7 +364,7 @@ ASN1_UTCTIME_check(ASN1_UTCTIME *d)
 {
 	if (d->type != V_ASN1_UTCTIME)
 		return (0);
-	return (d->type == asn1_time_parse(d->data, d->length, NULL, d->type));
+	return (d->type == ASN1_time_parse(d->data, d->length, NULL, d->type));
 }
 
 int
@@ -402,13 +402,13 @@ ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t2)
 	 * The danger is that users of this function will not
 	 * differentiate the -2 failure case from t1 < t2.
 	 */
-	if (asn1_time_parse(s->data, s->length, &tm1, V_ASN1_UTCTIME) == -1)
+	if (ASN1_time_parse(s->data, s->length, &tm1, V_ASN1_UTCTIME) == -1)
 		return (-2); /* XXX */
 
 	if (gmtime_r(&t2, &tm2) == NULL)
 		return (-2); /* XXX */
 
-	return asn1_tm_cmp(&tm1, &tm2);
+	return ASN1_time_tm_cmp(&tm1, &tm2);
 }
 
 /*
@@ -420,7 +420,7 @@ ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
 {
 	if (d->type != V_ASN1_GENERALIZEDTIME)
 		return (0);
-	return (d->type == asn1_time_parse(d->data, d->length, NULL, d->type));
+	return (d->type == ASN1_time_parse(d->data, d->length, NULL, d->type));
 }
 
 int
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index c5d9b55e40..72fdc72881 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1.h,v 1.34 2015/10/13 16:31:08 jsing Exp $ */
+/* $OpenBSD: asn1.h,v 1.35 2016/11/04 18:07:23 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1357,6 +1357,9 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_WRONG_TAG				 168
 #define ASN1_R_WRONG_TYPE				 169
 
+
+int ASN1_time_parse(const char *_bytes, size_t _len, struct tm *_tm, int _mode);
+int ASN1_time_tm_cmp(struct tm *_tm1, struct tm *_tm2);
 #ifdef  __cplusplus
 }
 #endif
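Review bot: The two prototypes are separated from the preceding `#define` block by two blank lines (one of them newly added) but run straight into `#ifdef __cplusplus` with none, which reads as a stray insertion rather than a section; drop the added blank above and put one after `ASN1_time_tm_cmp`. The prototypes use `struct tm` and `size_t`; asn1.h presumably already includes <time.h> for its time_t-based ASN1_TIME functions, but that is worth confirming, because a `struct tm` first seen inside a parameter list has prototype scope and would not match the callers' type.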
diff --git a/src/lib/libcrypto/man/ASN1_time_parse.3 b/src/lib/libcrypto/man/ASN1_time_parse.3
new file mode 100644
index 0000000000..e70a292f6d
--- /dev/null
+++ b/src/lib/libcrypto/man/ASN1_time_parse.3
@@ -0,0 +1,94 @@
+.\" $OpenBSD: ASN1_time_parse.3,v 1.1 2016/11/04 18:07:23 beck Exp $
+.\"
+.\" Copyright (c) 2016 Bob Beck <beck@@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: November 4 2016 $
+.Dt ASN1_TIME_PARSE 3
+.Os
+.Sh NAME
+.Nm ASN1_time_parse,
+.Nm ASN1_time_tm_cmp
+.Nd LibreSSL utilities for asn1 format time.
+.Sh SYNOPSIS
+.In asn1.h
+.Ft "int"
+.Fn ASN1_time_parse "const char *bytes" "size_t len" "struct tm *tm" "int mode
+.Ft "int"
+.Fn ASN1_time_tm_cmp "struct tm *tm1" "struct tm *tm2" 
+.Sh DESCRIPTION
+The
+.Nm ASN1_time_parse
+function parses an asn1 time string of
+.Ar len
+bytes starting at
+.Ar bytes .
+The resulting time is stored in
+.Ar tm
+if 
+.Ar tm
+is non NULL. 
+.Pp
+The 
+.Ar mode
+parameter must be one of
+.Bl -bullet -offset four
+.It
+.Ar 0
+to parse a time as specified in RFC 5280 for an X509 object,
+which may be either a UTC time or a Generalized time. 
+.It
+.Ar V_ASN1_UTCTIME
+to parse an RFC 5280 format UTC time.
+.It
+.Ar V_ASN1_GENERALIZEDTIME 
+to parse an RFC 5280 format Generalized time.
+.El
+.Pp
+The
+.Nm ASN1_time_tm_cmp
+function compares two times in
+.Ar tm1
+and
+.Ar tm2
+.Sh RETURN VALUES
+.Nm ASN1_parse_time 
+returns
+.Bl -bullet -offset four
+.It
+.Ar -1
+if the string was invalid for the
+.Ar mode
+specified
+.It
+.Ar V_ASN1_UTCTIME 
+if the string parsed as a valid UTC time.
+.It :
+.Ar V_ASN1_GENERALIZEDTIME 
+if the string parsed as a valid Generalized time.
+.El
+.Pp
+.Nm ASN1_time_tm_cmp
+returns
+.Bl -bullet -offset four
+.It
+.Ar -1
+if tm1 is less than tm2.
+.It
+.Ar 1
+if tm1 is greater than tm2.
+.It
+.Ar 0
+if tm1 is the same as tm2.
+.El
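Review bot: The RETURN VALUES section names the function `ASN1_parse_time`, but the function documented (and declared in asn1.h) is `ASN1_time_parse`; the line should read `.Nm ASN1_time_parse`. Two markup slips in the same file: the `.Fn ASN1_time_parse` line in SYNOPSIS leaves the last argument's quote unclosed (`"int mode` should be `"int mode"`), and the `.It :` before V_ASN1_GENERALIZEDTIME carries a stray colon that will render as list text. Several lines also end in trailing whitespace, and the `.Nd` line ends with a period, which mdoc style omits. The ASN1_time_tm_cmp description does not say which struct tm fields take part in the comparison; a sentence listing them would help callers that fill the struct by hand.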
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index a76a03c78a..7819029ff6 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.46 2016/11/04 15:29:03 schwarze Exp $
+# $OpenBSD: Makefile,v 1.47 2016/11/04 18:07:23 beck Exp $
 
 .include <bsd.own.mk>		# for NOMAN
 
@@ -11,6 +11,7 @@ MAN=	\
 	ASN1_STRING_new.3 \
 	ASN1_STRING_print_ex.3 \
 	ASN1_generate_nconf.3 \
+	ASN1_time_parse.3 \
 	BF_set_key.3 \
 	BIO.3 \
 	BIO_ctrl.3 \
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index 86baed8724..40417973f5 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.11 2016/07/16 16:14:28 beck Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.12 2016/11/04 18:07:23 beck Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
  * project. */
 
@@ -71,9 +71,6 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-int asn1_time_parse(const char *, size_t, struct tm *, int);
-int asn1_tm_cmp(struct tm *, struct tm *);
-
 /* Utility functions related to sending OCSP requests and extracting
  * relevant information from the response.
  */
@@ -342,7 +339,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 	 */
 
 	/* Check thisUpdate is valid and not more than nsec in the future */
-	if (asn1_time_parse(thisupd->data, thisupd->length, &tm_this,
+	if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
 	    V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
 		OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 		    OCSP_R_ERROR_IN_THISUPDATE_FIELD);
@@ -351,7 +348,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 		t_tmp = t_now + nsec;
 		if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
 			return 0;
-		if (asn1_tm_cmp(&tm_this, &tm_tmp) > 0) {
+		if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) {
 			OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 			    OCSP_R_STATUS_NOT_YET_VALID);
 			return 0;
@@ -365,7 +362,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 			t_tmp = t_now - maxsec;
 			if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
 				return 0;
-			if (asn1_tm_cmp(&tm_this, &tm_tmp) < 0) {
+			if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
 				OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 				    OCSP_R_STATUS_TOO_OLD);
 				return 0;
@@ -377,7 +374,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 		return 1;
 
 	/* Check nextUpdate is valid and not more than nsec in the past */
-	if (asn1_time_parse(nextupd->data, nextupd->length, &tm_next,
+	if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
 	    V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
 		OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 		    OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
@@ -386,7 +383,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 		t_tmp = t_now - nsec;
 		if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
 			return 0;
-		if (asn1_tm_cmp(&tm_next, &tm_tmp) < 0) {
+		if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
 			OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 			    OCSP_R_STATUS_EXPIRED);
 			return 0;
@@ -394,7 +391,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 	}
 
 	/* Also don't allow nextUpdate to precede thisUpdate */
-	if (asn1_tm_cmp(&tm_next, &tm_this) < 0) {
+	if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) {
 		OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
 		    OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
 		return 0;
diff --git a/src/lib/libcrypto/shlib_version b/src/lib/libcrypto/shlib_version
index cf69944b9d..77935fe957 100644
--- a/src/lib/libcrypto/shlib_version
+++ b/src/lib/libcrypto/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libssl and libtls the same type of bump!
-major=38
-minor=1
+major=39
+minor=0
diff --git a/src/lib/libcrypto/x509/vpm_int.h b/src/lib/libcrypto/x509/vpm_int.h
new file mode 100644
index 0000000000..e69de29bb2
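Review bot: This commit creates src/lib/libcrypto/x509/vpm_int.h as an empty file (e69de29bb2 is the empty blob and the diffstat shows no lines), which looks accidental rather than part of making the time functions public. If nothing is meant to live there yet, the file should be dropped from the commit; if it is intended as a placeholder, it should at least carry the license header and an include guard like the other headers in the directory.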
diff --git a/src/lib/libcrypto/x509/x509_lcl.h b/src/lib/libcrypto/x509/x509_lcl.h
index 9ffdd01e61..b16df78ad7 100644
--- a/src/lib/libcrypto/x509/x509_lcl.h
+++ b/src/lib/libcrypto/x509/x509_lcl.h
@@ -57,5 +57,3 @@
  */
 
 int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
-int asn1_time_parse(const char *, size_t, struct tm *, int);
-int asn1_tm_cmp(struct tm *tm1, struct tm *tm2);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index a9330e1c03..7a6d272023 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.50 2016/10/02 20:45:04 guenther Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.51 2016/11/04 18:07:23 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1658,7 +1658,7 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
 
 	memset(&tm1, 0, sizeof(tm1));
 
-	type = asn1_time_parse(ctm->data, ctm->length, &tm1, ctm->type);
+	type = ASN1_time_parse(ctm->data, ctm->length, &tm1, ctm->type);
 	if (type == -1)
 		goto out; /* invalid time */
 
@@ -1679,7 +1679,7 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
 	if (gmtime_r(&time2, &tm2) == NULL)
 		goto out;
 
-	ret = asn1_tm_cmp(&tm1, &tm2);
+	ret = ASN1_time_tm_cmp(&tm1, &tm2);
 	if (ret == 0)
 		ret = -1; /* 0 is used for error, so map same to less than */
  out:
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index 9149d47732..51f4d897f8 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libtls the same type of bump!
-major=39
-minor=1
+major=40
+minor=0
diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version
index faa53892ba..56246d02b2 100644
--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
-major=11
-minor=6
+major=12
+minor=0
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 5882a19cee..1bf4b2285b 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.11 2016/08/22 17:12:35 jsing Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.12 2016/11/04 18:07:24 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -136,9 +136,9 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
 		goto err;
 	if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)
 		goto err;
-	if (asn1_time_parse(before->data, before->length, &before_tm, 0) == -1)
+	if (ASN1_time_parse(before->data, before->length, &before_tm, 0) == -1)
 		goto err;
-	if (asn1_time_parse(after->data, after->length, &after_tm, 0) == -1)
+	if (ASN1_time_parse(after->data, after->length, &after_tm, 0) == -1)
 		goto err;
 	if ((*notbefore = timegm(&before_tm)) == -1)
 		goto err;
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 0112ceedb9..7b07c96c86 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.46 2016/11/04 05:13:13 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.47 2016/11/04 18:07:24 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -209,6 +209,4 @@ int tls_ocsp_verify_cb(SSL *ssl, void *arg);
 void tls_ocsp_ctx_free(struct tls_ocsp_ctx *ctx);
 struct tls_ocsp_ctx *tls_ocsp_setup_from_peer(struct tls *ctx);
 
-int asn1_time_parse(const char *, size_t, struct tm *, int);
-
 #endif /* HEADER_TLS_INTERNAL_H */
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index af65771f7c..52e90364a7 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -63,7 +63,7 @@ tls_ocsp_asn1_parse_time(struct tls *ctx, ASN1_GENERALIZEDTIME *gt, time_t *gt_t
 	if (gt == NULL)
 		return -1;
 	/* RFC 6960 specifies that all times in OCSP must be GENERALIZEDTIME */
-	if (asn1_time_parse(gt->data, gt->length, &tm,
+	if (ASN1_time_parse(gt->data, gt->length, &tm,
 		V_ASN1_GENERALIZEDTIME) == -1)
 		return -1;
 	if ((*gt_time = timegm(&tm)) == -1)
@@ -258,7 +258,6 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
 			       OCSP_crl_reason_str(crl_reason));
 		goto error;
 	}
-
 	ret = 0;
 
  error:
-- 