sync with OpenBSD -current
This commit is contained in:
parent
c9b8755e8c
commit
fe31ca4724
32 changed files with 215 additions and 170 deletions
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: a_time_tm.c,v 1.33 2024/03/02 09:10:42 tb Exp $ */
|
||||
/* $OpenBSD: a_time_tm.c,v 1.34 2024/04/08 19:57:40 beck Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
|
||||
*
|
||||
|
@ -160,15 +160,7 @@ tm_to_utctime(struct tm *tm, ASN1_TIME *atime)
|
|||
ASN1_TIME *
|
||||
tm_to_rfc5280_time(struct tm *tm, ASN1_TIME *atime)
|
||||
{
|
||||
int year;
|
||||
|
||||
year = tm->tm_year + 1900;
|
||||
if (year < 1950 || year > 9999) {
|
||||
ASN1error(ASN1_R_ILLEGAL_TIME_VALUE);
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
if (year < 2050)
|
||||
if (tm->tm_year >= 50 && tm->tm_year < 150)
|
||||
return (tm_to_utctime(tm, atime));
|
||||
|
||||
return (tm_to_gentime(tm, atime));
|
||||
|
@ -352,25 +344,21 @@ ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
|
|||
static int
|
||||
ASN1_TIME_set_string_internal(ASN1_TIME *s, const char *str, int mode)
|
||||
{
|
||||
struct tm tm;
|
||||
int type;
|
||||
char *tmp;
|
||||
|
||||
if ((type = ASN1_time_parse(str, strlen(str), NULL, mode)) == -1)
|
||||
if ((type = ASN1_time_parse(str, strlen(str), &tm, mode)) == -1)
|
||||
return (0);
|
||||
if (mode != 0 && mode != type)
|
||||
switch(mode) {
|
||||
case V_ASN1_UTCTIME:
|
||||
return (type == mode && tm_to_utctime(&tm, s) != NULL);
|
||||
case V_ASN1_GENERALIZEDTIME:
|
||||
return (type == mode && tm_to_gentime(&tm, s) != NULL);
|
||||
case RFC5280:
|
||||
return (tm_to_rfc5280_time(&tm, s) != NULL);
|
||||
default:
|
||||
return (0);
|
||||
|
||||
if (s == NULL)
|
||||
return (1);
|
||||
|
||||
if ((tmp = strdup(str)) == NULL)
|
||||
return (0);
|
||||
free(s->data);
|
||||
s->data = tmp;
|
||||
s->length = strlen(tmp);
|
||||
s->type = type;
|
||||
|
||||
return (1);
|
||||
}
|
||||
}
|
||||
|
||||
static ASN1_TIME *
|
||||
|
@ -448,7 +436,7 @@ LCRYPTO_ALIAS(ASN1_TIME_to_generalizedtime);
|
|||
int
|
||||
ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
|
||||
{
|
||||
return (ASN1_TIME_set_string_internal(s, str, 0));
|
||||
return (ASN1_TIME_set_string_internal(s, str, RFC5280));
|
||||
}
|
||||
LCRYPTO_ALIAS(ASN1_TIME_set_string);
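Review bot: Dropping the `if (s == NULL) return (1);` short-circuit (lines 141–144) means a validation-only call such as `ASN1_TIME_set_string(NULL, str)` now reaches `tm_to_utctime(&tm, s)`, `tm_to_gentime(&tm, s)` or `tm_to_rfc5280_time(&tm, s)` with `s == NULL`, and the new switch only tests the result against NULL. Those helpers are outside the hunk, but their `ASN1_TIME *` return type suggests they allocate a fresh object when handed NULL; if so, that object is leaked on every probe call, and the hunk gives no indication this was considered. Capturing the returned pointer and freeing it when `s == NULL` keeps the probe working without the leak (sketch below, which also uses KNF's `switch (mode)` spacing). Whether `ASN1_time_parse()` accepts `RFC5280` as a mode value is also not visible here and worth confirming.

```c
	struct tm tm;
	ASN1_TIME *t;
	int type;

	if ((type = ASN1_time_parse(str, strlen(str), &tm, mode)) == -1)
		return (0);
	switch (mode) {
	case V_ASN1_UTCTIME:
		t = type == mode ? tm_to_utctime(&tm, s) : NULL;
		break;
	case V_ASN1_GENERALIZEDTIME:
		t = type == mode ? tm_to_gentime(&tm, s) : NULL;
		break;
	case RFC5280:
		t = tm_to_rfc5280_time(&tm, s);
		break;
	default:
		return (0);
	}
	if (t == NULL)
		return (0);
	/* Validation-only call: the helper allocated t on our behalf. */
	if (s == NULL)
		ASN1_TIME_free(t);
	return (1);
```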
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: x509_local.h,v 1.23 2024/03/26 05:39:47 tb Exp $ */
|
||||
/* $OpenBSD: x509_local.h,v 1.24 2024/04/08 23:46:21 beck Exp $ */
|
||||
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
|
||||
* project 2013.
|
||||
*/
|
||||
|
@ -188,8 +188,6 @@ struct x509_st {
|
|||
struct ASIdentifiers_st *rfc3779_asid;
|
||||
#endif
|
||||
unsigned char hash[X509_CERT_HASH_LEN];
|
||||
time_t not_before;
|
||||
time_t not_after;
|
||||
X509_CERT_AUX *aux;
|
||||
} /* X509 */;
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: x509_purp.c,v 1.39 2024/03/02 10:43:52 tb Exp $ */
|
||||
/* $OpenBSD: x509_purp.c,v 1.40 2024/04/08 23:46:21 beck Exp $ */
|
||||
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
|
||||
* project 2001.
|
||||
*/
|
||||
|
@ -559,9 +559,6 @@ x509v3_cache_extensions_internal(X509 *x)
|
|||
if (!x509_extension_oids_are_unique(x))
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
|
||||
if (!x509_verify_cert_info_populate(x))
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
|
||||
x->ex_flags |= EXFLAG_SET;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: x509_verify.c,v 1.68 2024/02/01 23:16:38 beck Exp $ */
|
||||
/* $OpenBSD: x509_verify.c,v 1.69 2024/04/08 23:46:21 beck Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
|
||||
*
|
||||
|
@ -52,6 +52,9 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
|
|||
struct tm tm = { 0 };
|
||||
int type;
|
||||
|
||||
if (atime == NULL)
|
||||
return 0;
|
||||
|
||||
type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
|
||||
if (type == -1)
|
||||
return 0;
|
||||
|
@ -80,35 +83,6 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
|
|||
return asn1_time_tm_to_time_t(&tm, out);
|
||||
}
|
||||
|
||||
/*
|
||||
* Cache certificate hash, and values parsed out of an X509.
|
||||
* called from cache_extensions()
|
||||
*/
|
||||
int
|
||||
x509_verify_cert_info_populate(X509 *cert)
|
||||
{
|
||||
const ASN1_TIME *notBefore, *notAfter;
|
||||
|
||||
/*
|
||||
* Parse and save the cert times, or remember that they
|
||||
* are unacceptable/unparsable.
|
||||
*/
|
||||
|
||||
cert->not_before = cert->not_after = -1;
|
||||
|
||||
if ((notBefore = X509_get_notBefore(cert)) == NULL)
|
||||
return 0;
|
||||
if ((notAfter = X509_get_notAfter(cert)) == NULL)
|
||||
return 0;
|
||||
|
||||
if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before))
|
||||
return 0;
|
||||
if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after))
|
||||
return 0;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
struct x509_verify_chain *
|
||||
x509_verify_chain_new(void)
|
||||
{
|
||||
|
@ -840,26 +814,28 @@ x509_verify_set_check_time(struct x509_verify_ctx *ctx)
|
|||
static int
|
||||
x509_verify_cert_times(X509 *cert, time_t *cmp_time, int *error)
|
||||
{
|
||||
time_t when;
|
||||
time_t when, not_before, not_after;
|
||||
|
||||
if (cmp_time == NULL)
|
||||
when = time(NULL);
|
||||
else
|
||||
when = *cmp_time;
|
||||
|
||||
if (cert->not_before == -1) {
|
||||
if (!x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0,
|
||||
¬_before)) {
|
||||
*error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
|
||||
return 0;
|
||||
}
|
||||
if (when < cert->not_before) {
|
||||
if (when < not_before) {
|
||||
*error = X509_V_ERR_CERT_NOT_YET_VALID;
|
||||
return 0;
|
||||
}
|
||||
if (cert->not_after == -1) {
|
||||
if (!x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1,
|
||||
¬_after)) {
|
||||
*error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
|
||||
return 0;
|
||||
}
|
||||
if (when > cert->not_after) {
|
||||
if (when > not_after) {
|
||||
*error = X509_V_ERR_CERT_HAS_EXPIRED;
|
||||
return 0;
|
||||
}
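Review bot: The new `if (atime == NULL) return 0;` in x509_verify_asn1_time_to_time_t (line 340) folds a missing notBefore/notAfter into the same 0 result as a malformed one, and the only place that mapping is visible is the caller in x509_verify_cert_times, which turns it into X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD / X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; a one-line comment at the check would make the intent explicit, e.g. `/* A missing time is reported like an unparsable one; callers map 0 to the matching X509_V_ERR_*_FIELD error. */`. With x509_verify_cert_info_populate removed, the conversion now runs on every x509_verify_cert_times call instead of once per cached X509, so a certificate's times are re-parsed for each chain it appears in; that is presumably acceptable as it restores the pre-caching behaviour, but it deserves a sentence in the commit message. The signature of x509_verify_asn1_time_to_time_t starts outside the hunk.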
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: x509_vfy.c,v 1.142 2024/03/02 10:40:05 tb Exp $ */
|
||||
/* $OpenBSD: x509_vfy.c,v 1.143 2024/04/08 23:46:21 beck Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
|
@ -1744,18 +1744,6 @@ verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
|
|||
return ctx->verify_cb(0, ctx);
|
||||
}
|
||||
|
||||
|
||||
/* Mimic OpenSSL '0 for failure' ick */
|
||||
static int
|
||||
time_t_bogocmp(time_t a, time_t b)
|
||||
{
|
||||
if (a == -1 || b == -1)
|
||||
return 0;
|
||||
if (a <= b)
|
||||
return -1;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check certificate validity times.
|
||||
*
|
||||
|
@ -1777,10 +1765,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
|
|||
else
|
||||
ptime = time(NULL);
|
||||
|
||||
if (x->ex_flags & EXFLAG_SET)
|
||||
i = time_t_bogocmp(x->not_before, ptime);
|
||||
else
|
||||
i = X509_cmp_time(X509_get_notBefore(x), &ptime);
|
||||
i = X509_cmp_time(X509_get_notBefore(x), &ptime);
|
||||
|
||||
if (i >= 0 && depth < 0)
|
||||
return 0;
|
||||
|
@ -1791,10 +1776,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
|
|||
X509_V_ERR_CERT_NOT_YET_VALID))
|
||||
return 0;
|
||||
|
||||
if (x->ex_flags & EXFLAG_SET)
|
||||
i = time_t_bogocmp(x->not_after, ptime);
|
||||
else
|
||||
i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1);
|
||||
i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1);
|
||||
|
||||
if (i <= 0 && depth < 0)
|
||||
return 0;
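Review bot: With time_t_bogocmp and its "0 for failure" comment gone, x509_check_cert_time now relies solely on X509_cmp_time() / X509_cmp_time_internal() returning 0 for a time it cannot parse, and nothing near the calls at lines 660 and 695 says so; since `i >= 0` and `i <= 0` both fold that 0 into the failure branches, a comment would protect the next refactor, e.g. `/* 0 means the time could not be parsed, not "equal"; it is treated as a failure below. */`. The asymmetry between X509_cmp_time() for notBefore and X509_cmp_time_internal(..., 1) for notAfter predates this change, but it is now the only remaining path, so a short note on why notAfter needs the internal variant would also help. The function body starts before and continues after these hunks.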
|
||||
|
|