sync with OpenBSD -current
parent
fa20b4dfa4
commit
56a087cff9
61 changed files with 2001 additions and 1682 deletions
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ts.h,v 1.23 2023/11/19 15:46:10 tb Exp $ */
|
||||
/* $OpenBSD: ts.h,v 1.24 2024/03/26 00:39:22 beck Exp $ */
|
||||
/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
|
||||
* project 2002, 2003, 2004.
|
||||
*/
|
||||
|
@ -389,8 +389,8 @@ int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
|
|||
'0' means sec, '3' msec, '6' usec, and so on. Default is 0. */
|
||||
int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
|
||||
unsigned clock_precision_digits);
|
||||
/* At most we accept usec precision. */
|
||||
#define TS_MAX_CLOCK_PRECISION_DIGITS 6
|
||||
/* At most we accept sec precision. */
|
||||
#define TS_MAX_CLOCK_PRECISION_DIGITS 0
|
||||
|
||||
/* No flags are set by default. */
|
||||
void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
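Review bot: The comment above `TS_RESP_CTX_set_clock_precision_digits` still tells callers that '3' means msec and '6' usec, but with `TS_MAX_CLOCK_PRECISION_DIGITS` now 0 the setter in ts_rsp_sign.c returns 0 for any nonzero value. I would reword it along the lines of `/* Only 0 (second precision) is accepted; any other value is rejected. */` so a TSA integrator does not assume sub-second timestamps are available. The comment's opening lines are outside the hunk. Since this is a public header, code that sizes buffers from the macro, as the removed helper did with `17 + TS_MAX_CLOCK_PRECISION_DIGITS`, will shrink with it, which deserves a mention next to the define.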
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ts_conf.c,v 1.13 2023/11/19 15:46:10 tb Exp $ */
|
||||
/* $OpenBSD: ts_conf.c,v 1.14 2024/03/26 00:39:22 beck Exp $ */
|
||||
/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
|
||||
* project 2002.
|
||||
*/
|
||||
|
@ -437,7 +437,8 @@ TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
|
|||
if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS,
|
||||
&digits))
|
||||
digits = 0;
|
||||
if (digits < 0 || digits > TS_MAX_CLOCK_PRECISION_DIGITS) {
|
||||
/* We only support second precision, so reject everything else */
|
||||
if (digits != 0) {
|
||||
TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS);
|
||||
goto err;
|
||||
}
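Review bot: The new test `if (digits != 0)` hard-codes the limit while ts.h keeps `TS_MAX_CLOCK_PRECISION_DIGITS` (now 0), so the published constant and the code that enforces it can drift apart. The same literal appears as `if (precision > 0)` in `TS_RESP_CTX_set_clock_precision_digits` in ts_rsp_sign.c. Either keep the range test against the macro, or make the comment say the macro is retained only for API compatibility, e.g. `/* Only second precision is supported (TS_MAX_CLOCK_PRECISION_DIGITS is 0); reject everything else. */`. Failing closed on a nonzero setting is the right default for a timestamp authority. The function body continues outside the hunk.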
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ts_rsp_sign.c,v 1.33 2024/03/24 11:30:12 beck Exp $ */
|
||||
/* $OpenBSD: ts_rsp_sign.c,v 1.35 2024/03/26 00:39:22 beck Exp $ */
|
||||
/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
|
||||
* project 2002.
|
||||
*/
|
||||
|
@ -90,9 +90,6 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
|
|||
static int TS_TST_INFO_content_new(PKCS7 *p7);
|
||||
static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
|
||||
|
||||
static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(
|
||||
ASN1_GENERALIZEDTIME *, time_t, long, unsigned);
|
||||
|
||||
/* Default callbacks for response generation. */
|
||||
|
||||
static ASN1_INTEGER *
|
||||
|
@ -434,7 +431,7 @@ LCRYPTO_ALIAS(TS_RESP_CTX_get_tst_info);
|
|||
int
|
||||
TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision)
|
||||
{
|
||||
if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
|
||||
if (precision > 0)
|
||||
return 0;
|
||||
ctx->clock_precision_digits = precision;
|
||||
return 1;
|
||||
|
@ -650,8 +647,7 @@ TS_RESP_create_tst_info(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
|
|||
!TS_TST_INFO_set_serial(tst_info, serial))
|
||||
goto end;
|
||||
if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec) ||
|
||||
!(asn1_time = TS_RESP_set_genTime_with_precision(NULL, sec, usec,
|
||||
ctx->clock_precision_digits)) ||
|
||||
((asn1_time = ASN1_GENERALIZEDTIME_set(NULL, sec)) == NULL) ||
|
||||
!TS_TST_INFO_set_time(tst_info, asn1_time))
|
||||
goto end;
|
||||
|
||||
|
@ -984,75 +980,3 @@ err:
|
|||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static ASN1_GENERALIZEDTIME *
|
||||
TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
|
||||
time_t sec, long usec, unsigned precision)
|
||||
{
|
||||
struct tm *tm = NULL;
|
||||
char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS];
|
||||
char usecstr[TS_MAX_CLOCK_PRECISION_DIGITS + 2];
|
||||
char *p;
|
||||
int rv;
|
||||
|
||||
if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
|
||||
goto err;
|
||||
|
||||
if (OPENSSL_gmtime(&sec, tm) == NULL)
|
||||
goto err;
|
||||
|
||||
/*
|
||||
* Put "genTime_str" in GeneralizedTime format. We work around the
|
||||
* restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST
|
||||
* NOT include fractional seconds") and OpenSSL related functions to
|
||||
* meet the rfc3161 requirement: "GeneralizedTime syntax can include
|
||||
* fraction-of-second details".
|
||||
*/
|
||||
if (precision > 0) {
|
||||
/* To make things a bit harder, X.690 | ISO/IEC 8825-1 provides
|
||||
the following restrictions for a DER-encoding, which OpenSSL
|
||||
(specifically ASN1_GENERALIZEDTIME_check() function) doesn't
|
||||
support:
|
||||
"The encoding MUST terminate with a "Z" (which means "Zulu"
|
||||
time). The decimal point element, if present, MUST be the
|
||||
point option ".". The fractional-seconds elements,
|
||||
if present, MUST omit all trailing 0's;
|
||||
if the elements correspond to 0, they MUST be wholly
|
||||
omitted, and the decimal point element also MUST be
|
||||
omitted." */
|
||||
(void) snprintf(usecstr, sizeof(usecstr), ".%06ld", usec);
|
||||
/* truncate and trim trailing 0 */
|
||||
usecstr[precision + 1] = '\0';
|
||||
p = usecstr + strlen(usecstr) - 1;
|
||||
while (p > usecstr && *p == '0')
|
||||
*p-- = '\0';
|
||||
/* if we've reached the beginning, delete the . too */
|
||||
if (p == usecstr)
|
||||
*p = '\0';
|
||||
|
||||
} else {
|
||||
/* empty */
|
||||
usecstr[0] = '\0';
|
||||
}
|
||||
rv = snprintf(genTime_str, sizeof(genTime_str),
|
||||
"%04d%02d%02d%02d%02d%02d%sZ",
|
||||
tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
|
||||
tm->tm_hour, tm->tm_min, tm->tm_sec, usecstr);
|
||||
if (rv < 0 || rv >= sizeof(genTime_str))
|
||||
goto err;
|
||||
|
||||
/* Now call OpenSSL to check and set our genTime value */
|
||||
if (!asn1_time && !(asn1_time = ASN1_GENERALIZEDTIME_new()))
|
||||
goto err;
|
||||
if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str)) {
|
||||
ASN1_GENERALIZEDTIME_free(asn1_time);
|
||||
goto err;
|
||||
}
|
||||
|
||||
return asn1_time;
|
||||
|
||||
err:
|
||||
TSerror(TS_R_COULD_NOT_SET_TIME);
|
||||
return NULL;
|
||||
}
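Review bot: In the `TS_RESP_create_tst_info` hunk, a failure of `ASN1_GENERALIZEDTIME_set(NULL, sec)` now jumps to `end` without the `TSerror(TS_R_COULD_NOT_SET_TIME)` that the removed helper raised. Unless the code at `end` (outside the hunk) reports it, the error queue no longer records why a timestamp token could not be produced. The `usec` value filled in by `time_cb` is also discarded without explanation; a comment such as `/* Sub-second precision is unsupported: usec from time_cb is deliberately ignored. */` above the condition would make that intent clear to callback authors. If `TS_R_COULD_NOT_SET_TIME` has no remaining users after this change, it is worth noting that next to its definition.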
|
||||
|
|