From 9b894dc1e52d28085c180c2a2584f86b2cc867e0 Mon Sep 17 00:00:00 2001 From: beck <> Date: Mon, 8 Apr 2024 19:57:40 +0000 Subject: Make ASN1_TIME_set_string_X509 and ASN1_TIME_set_string match the man page This makes it where people can't put dumb values in certs without trying harder, and changes the regress to test this. GENERALIZED times outside of the RFC5280 spec are required for OCSP but these should be constructed with the GENERALIZED time string setters. ok tb@ --- src/lib/libcrypto/asn1/a_time_tm.c | 40 +++++++++++++------------------------- 1 file changed, 14 insertions(+), 26 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c index 986c1e735d..c8eabec08f 100644 --- a/src/lib/libcrypto/asn1/a_time_tm.c +++ b/src/lib/libcrypto/asn1/a_time_tm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_time_tm.c,v 1.33 2024/03/02 09:10:42 tb Exp $ */ +/* $OpenBSD: a_time_tm.c,v 1.34 2024/04/08 19:57:40 beck Exp $ */ /* * Copyright (c) 2015 Bob Beck * @@ -160,15 +160,7 @@ tm_to_utctime(struct tm *tm, ASN1_TIME *atime) ASN1_TIME * tm_to_rfc5280_time(struct tm *tm, ASN1_TIME *atime) { - int year; - - year = tm->tm_year + 1900; - if (year < 1950 || year > 9999) { - ASN1error(ASN1_R_ILLEGAL_TIME_VALUE); - return (NULL); - } - - if (year < 2050) + if (tm->tm_year >= 50 && tm->tm_year < 150) return (tm_to_utctime(tm, atime)); return (tm_to_gentime(tm, atime)); 
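Review bot: The bounds `50` and `150` in the new `if (tm->tm_year >= 50 && tm->tm_year < 150)` are tm_year offsets from 1900 and read as magic numbers. A comment such as `/* RFC 5280: 1950 through 2049 as UTCTime, everything else as GeneralizedTime */` would make the intent clear. With the explicit 1950..9999 check removed, years outside that window now fall through to `tm_to_gentime()`, so rejecting unencodable years depends entirely on that helper, whose body is outside this hunk. It is worth confirming it still raises `ASN1_R_ILLEGAL_TIME_VALUE` for years it cannot encode, and having the regress cover one input before 1950 and one after 9999.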
@@ -352,25 +344,21 @@ ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode) static int ASN1_TIME_set_string_internal(ASN1_TIME *s, const char *str, int mode) { + struct tm tm; int type; - char *tmp; - if ((type = ASN1_time_parse(str, strlen(str), NULL, mode)) == -1) - return (0); - if (mode != 0 && mode != type) + if ((type = ASN1_time_parse(str, strlen(str), &tm, mode)) == -1) return (0); - - if (s == NULL) - return (1); - - if ((tmp = strdup(str)) == NULL) + switch(mode) { + case V_ASN1_UTCTIME: + return (type == mode && tm_to_utctime(&tm, s) != NULL); + case V_ASN1_GENERALIZEDTIME: + return (type == mode && tm_to_gentime(&tm, s) != NULL); + case RFC5280: + return (tm_to_rfc5280_time(&tm, s) != NULL); + default: return (0); - free(s->data); - s->data = tmp; - s->length = strlen(tmp); - s->type = type; - - return (1); + } } static ASN1_TIME * @@ -448,7 +436,7 @@ LCRYPTO_ALIAS(ASN1_TIME_to_generalizedtime); int ASN1_TIME_set_string(ASN1_TIME *s, const char *str) { - return (ASN1_TIME_set_string_internal(s, str, 0)); + return (ASN1_TIME_set_string_internal(s, str, RFC5280)); } LCRYPTO_ALIAS(ASN1_TIME_set_string); -- cgit v1.2.3-55-g6feb
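Review bot: The `s == NULL` validate-only path is gone in `ASN1_TIME_set_string_internal()`. The removed code returned 1 before touching `s`, while the new `switch` hands `s` straight to `tm_to_utctime()`, `tm_to_gentime()` or `tm_to_rfc5280_time()` and only compares the result with NULL. If those helpers allocate a fresh ASN1_TIME when given a NULL destination (their bodies are outside this hunk, so this needs checking), every check-only call leaks that object. Keeping the returned pointer and freeing it when it is not the caller's `s` closes this. The `default` arm also changes mode 0 from "accept either type" to "always fail", which deserves a comment.

```c
static int
ASN1_TIME_set_string_internal(ASN1_TIME *s, const char *str, int mode)
{
	ASN1_TIME *atime = s;
	struct tm tm;
	int type;
	int ret = 0;

	if ((type = ASN1_time_parse(str, strlen(str), &tm, mode)) == -1)
		return (0);
	switch (mode) {
	case V_ASN1_UTCTIME:
		ret = (type == mode &&
		    (atime = tm_to_utctime(&tm, s)) != NULL);
		break;
	case V_ASN1_GENERALIZEDTIME:
		ret = (type == mode &&
		    (atime = tm_to_gentime(&tm, s)) != NULL);
		break;
	case RFC5280:
		ret = ((atime = tm_to_rfc5280_time(&tm, s)) != NULL);
		break;
	default:
		/* mode 0 (accept either type) is no longer supported */
		break;
	}
	/* s == NULL means "validate only": release what the helper allocated. */
	if (atime != s)
		ASN1_TIME_free(atime);
	return (ret);
}
```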
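Review bot: `ASN1_TIME_set_string()` has no comment recording its new contract. Passing `RFC5280` instead of `0` means the stored value is re-encoded from the parsed time rather than copied from `str`, and, per the commit message, GeneralizedTime values outside the RFC 5280 profile are no longer accepted here. A short comment above the function would save callers from discovering this through failures, e.g. `/* RFC 5280 times only; use ASN1_GENERALIZEDTIME_set_string() for other GeneralizedTime values such as OCSP. */`. How `ASN1_time_parse()` treats the `RFC5280` mode is outside this hunk, so the exact set of rejected strings should be confirmed against it.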