From 5176ab31ca58949fc78b5b06b23adf63a83b9c44 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 24 Mar 2024 11:30:12 +0000
Subject: Convert libressl to use the BoringSSL style time conversions
This gets rid of our last uses of timegm and gmtime in the
library and things that ship with it. It includes a bit
of refactoring in ocsp_cl.c to remove some obvious ugly.
ok tb@
---
src/lib/libcrypto/ocsp/ocsp_cl.c | 75 +++++++++++++++++---------------------
src/lib/libcrypto/ts/ts_rsp_sign.c | 4 +-
src/lib/libtls/tls_conninfo.c | 26 +++++++++----
src/lib/libtls/tls_ocsp.c | 5 ++-
src/usr.sbin/ocspcheck/ocspcheck.c | 5 ++-
5 files changed, 61 insertions(+), 54 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index 5ef2226785..d8ee33c391 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.24 2024/03/02 09:08:41 tb Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
* project. */
@@ -68,6 +68,7 @@
#include <openssl/ocsp.h>
#include <openssl/objects.h>
#include <openssl/pem.h>
+#include <openssl/posix_time.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -394,69 +395,61 @@ int
OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
{
- time_t t_now, t_tmp;
- struct tm tm_this, tm_next, tm_tmp;
+ int64_t posix_next, posix_this, posix_now;
+ struct tm tm_this, tm_next;
- time(&t_now);
+ /* Negative values of nsec make no sense */
+ if (nsec < 0)
+ return 0;
+
+ posix_now = time(NULL);
/*
* Times must explicitly be a GENERALIZEDTIME as per section
* 4.2.2.1 of RFC 6960 - It is invalid to accept other times
* (such as UTCTIME permitted/required by RFC 5280 for certificates)
*/
-
- /* Check thisUpdate is valid and not more than nsec in the future */
+ /* Check that thisUpdate is valid. */
if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);
return 0;
- } else {
- t_tmp = t_now + nsec;
- if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
- return 0;
- if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) {
- OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
- return 0;
- }
-
- /*
- * If maxsec specified check thisUpdate is not more than maxsec
- * in the past
- */
- if (maxsec >= 0) {
- t_tmp = t_now - maxsec;
- if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
- return 0;
- if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
- OCSPerror(OCSP_R_STATUS_TOO_OLD);
- return 0;
- }
- }
+ }
+ if (!OPENSSL_tm_to_posix(&tm_this, &posix_this))
+ return 0;
+ /* thisUpdate must not be more than nsec in the future. */
+ if (posix_this - nsec > posix_now) {
+ OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
+ return 0;
+ }
+ /* thisUpdate must not be more than maxsec seconds in the past. */
+ if (maxsec >= 0 && posix_this < posix_now - maxsec) {
+ OCSPerror(OCSP_R_STATUS_TOO_OLD);
+ return 0;
}
- if (!nextupd)
+ /* RFC 6960 section 4.2.2.1 allows for servers to not set nextUpdate */
+ if (nextupd == NULL)
return 1;
- /* Check nextUpdate is valid and not more than nsec in the past */
+ /* Check that nextUpdate is valid. */
if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
return 0;
- } else {
- t_tmp = t_now - nsec;
- if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
- return 0;
- if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
- OCSPerror(OCSP_R_STATUS_EXPIRED);
- return 0;
- }
}
-
- /* Also don't allow nextUpdate to precede thisUpdate */
- if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) {
+ if (!OPENSSL_tm_to_posix(&tm_next, &posix_next))
+ return 0;
+ /* Don't allow nextUpdate to precede thisUpdate. */
+ if (posix_next < posix_this) {
OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
return 0;
}
+ /* nextUpdate must not be more than nsec seconds in the past. */
+ if (posix_next + nsec < posix_now) {
+ OCSPerror(OCSP_R_STATUS_EXPIRED);
+ return 0;
+ }
return 1;
}
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index 3013cffbc5..8eb687aab1 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.32 2023/08/22 08:09:36 tb Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.33 2024/03/24 11:30:12 beck Exp $ */
/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
* project 2002.
*/
@@ -999,7 +999,7 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
goto err;
- if (!(tm = gmtime(&sec)))
+ if (OPENSSL_gmtime(&sec, tm) == NULL)
goto err;
/*
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 90fdfacad3..08f8714ecd 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.24 2023/11/13 10:51:49 tb Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
/*
* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -19,12 +19,27 @@
#include <stdio.h>
#include <string.h>
+#include <openssl/posix_time.h>
#include <openssl/x509.h>
#include <tls.h>
#include "tls_internal.h"
-int ASN1_time_tm_clamp_notafter(struct tm *tm);
+static int
+tls_convert_notafter(struct tm *tm, time_t *out_time)
+{
+ int64_t posix_time;
+
+ /* OPENSSL_timegm() fails if tm is not representable in a time_t */
+ if (OPENSSL_timegm(tm, out_time))
+ return 1;
+ if (!OPENSSL_tm_to_posix(tm, &posix_time))
+ return 0;
+ if (posix_time < INT32_MIN)
+ return 0;
+ *out_time = (posix_time > INT32_MAX) ? INT32_MAX : posix_time;
+ return 1;
+}
int
tls_hex_string(const unsigned char *in, size_t inlen, char **out,
@@ -121,13 +136,10 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
goto err;
if (!ASN1_TIME_to_tm(after, &after_tm))
goto err;
- if (!ASN1_time_tm_clamp_notafter(&after_tm))
+ if (!tls_convert_notafter(&after_tm, notafter))
goto err;
- if ((*notbefore = timegm(&before_tm)) == -1)
+ if (!OPENSSL_timegm(&before_tm, notbefore))
goto err;
- if ((*notafter = timegm(&after_tm)) == -1)
- goto err;
-
return (0);
err:
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index c7eb3e5986..f7d7ba9199 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_ocsp.c,v 1.24 2023/11/13 10:56:19 tb Exp $ */
+/* $OpenBSD: tls_ocsp.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
/*
* Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
* Copyright (c) 2016 Bob Beck <beck@openbsd.org>
@@ -25,6 +25,7 @@
#include <openssl/err.h>
#include <openssl/ocsp.h>
+#include <openssl/posix_time.h>
#include <openssl/x509.h>
#include <tls.h>
@@ -68,7 +69,7 @@ tls_ocsp_asn1_parse_time(struct tls *ctx, ASN1_GENERALIZEDTIME *gt, time_t *gt_t
return -1;
if (!ASN1_TIME_to_tm(gt, &tm))
return -1;
- if ((*gt_time = timegm(&tm)) == -1)
+ if (!OPENSSL_timegm(&tm, gt_time))
return -1;
return 0;
}
diff --git a/src/usr.sbin/ocspcheck/ocspcheck.c b/src/usr.sbin/ocspcheck/ocspcheck.c
index 234f3d22f6..9739e398e8 100644
--- a/src/usr.sbin/ocspcheck/ocspcheck.c
+++ b/src/usr.sbin/ocspcheck/ocspcheck.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocspcheck.c,v 1.32 2023/11/13 11:46:24 tb Exp $ */
+/* $OpenBSD: ocspcheck.c,v 1.33 2024/03/24 11:30:12 beck Exp $ */
/*
* Copyright (c) 2017,2020 Bob Beck <beck@openbsd.org>
@@ -34,6 +34,7 @@
#include <openssl/err.h>
#include <openssl/ocsp.h>
+#include <openssl/posix_time.h>
#include <openssl/ssl.h>
#include "http.h"
@@ -193,7 +194,7 @@ parse_ocsp_time(ASN1_GENERALIZEDTIME *gt)
return -1;
if (!ASN1_TIME_to_tm(gt, &tm))
return -1;
- if ((rv = timegm(&tm)) == -1)
+ if (!OPENSSL_timegm(&tm, &rv))
return -1;
return rv;
}
--
cgit v1.2.3-55-g6feb