sync with OpenBSD -current

This commit is contained in:
purplerain 2024-01-08 00:39:27 +00:00
parent a2b5593ce1
commit 19c768bf4f
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
67 changed files with 1526 additions and 522 deletions

View file

@ -1,4 +1,4 @@
/* $OpenBSD: validate.c,v 1.69 2023/12/27 07:15:55 tb Exp $ */
/* $OpenBSD: validate.c,v 1.70 2024/01/07 09:48:03 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@ -371,6 +371,29 @@ build_crls(const struct crl *crl, STACK_OF(X509_CRL) **crls)
err(1, "sk_X509_CRL_push");
}
/*
* Attempt to upgrade the generic 'certificate revoked' message to include
* a timestamp.
*/
static void
pretty_revocation_time(X509 *x509, X509_CRL *crl, const char **errstr)
{
static char buf[64];
X509_REVOKED *revoked;
const ASN1_TIME *atime;
time_t t;
if (X509_CRL_get0_by_cert(crl, &revoked, x509) != 1)
return;
if ((atime = X509_REVOKED_get0_revocationDate(revoked)) == NULL)
return;
if (!x509_get_time(atime, &t))
return;
snprintf(buf, sizeof(buf), "certificate revoked on %s", time2str(t));
*errstr = buf;
}
/*
* Validate the X509 certificate. Returns 1 for valid certificates,
* returns 0 if there is a verify error and sets *errstr to the error
@ -422,6 +445,8 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
if (X509_verify_cert(store_ctx) <= 0) {
error = X509_STORE_CTX_get_error(store_ctx);
*errstr = X509_verify_cert_error_string(error);
if (filemode && error == X509_V_ERR_CERT_REVOKED)
pretty_revocation_time(x509, crl->x509_crl, errstr);
X509_STORE_CTX_cleanup(store_ctx);
sk_X509_free(intermediates);
sk_X509_free(root);