author | Theo Buehler <tb@cvs.openbsd.org> | 2023-05-22 15:07:03 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-05-22 15:07:03 +0000 |
commit | d686f033607c1a390785042a2c556e86e621b2b0 (patch) | |
tree | f32d6d776cd17e7efa481bf6dde015183e3ce20b | |
parent | e72887be1955493a8f813edb82f8e113d07620e4 (diff) |
Convert x509_get_time() to ASN1_TIME_to_tm()
Instead of using the LibreSSL-specific ASN1_time_parse(), we can use
OpenSSL's ASN1_TIME_to_tm() which LibreSSL provides since 3.6.0. The
latter has a few API quirks such as silently falling back to being a
timegm() replacement if called with a NULL ASN1_TIME. We don't want
that, so just return an error instead.
rpki-client portable now needs LibreSSL >= 3.6. This is a small price
to pay for rather significant simplifications in regress and portable
(which will be possible after the next commit).
Also adjust a couple of error strings.
ok claudio job
-rw-r--r-- | usr.sbin/rpki-client/crl.c | 6 | ||||
-rw-r--r-- | usr.sbin/rpki-client/x509.c | 11 |
2 files changed, 10 insertions, 7 deletions
diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c
index d60e66477fe..ad43e18fb68 100644
--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl.c,v 1.24 2023/03/10 12:44:56 job Exp $ */
+/* $OpenBSD: crl.c,v 1.25 2023/05/22 15:07:02 tb Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -75,7 +75,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 goto out;
 }
 if (!x509_get_time(at, &crl->lastupdate)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ warnx("%s: ASN1_TIME_to_tm failed", fn);
 goto out;
 }
@@ -85,7 +85,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 goto out;
 }
 if (!x509_get_time(at, &crl->nextupdate)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ warnx("%s: ASN1_TIME_to_tm failed", fn);
 goto out;
 }
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 0ab646984b8..59f6d10a584 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.70 2023/03/14 07:09:11 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.71 2023/05/22 15:07:02 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -506,7 +506,7 @@ x509_get_notbefore(X509 *x, const char *fn, time_t *tt)
 return 0;
 }
 if (!x509_get_time(at, tt)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ warnx("%s: ASN1_TIME_to_tm failed", fn);
 return 0;
 }
 return 1;
@@ -526,7 +526,7 @@ x509_get_notafter(X509 *x, const char *fn, time_t *tt)
 return 0;
 }
 if (!x509_get_time(at, tt)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ warnx("%s: ASN1_TIME_to_tm failed", fn);
 return 0;
 }
 return 1;
@@ -757,7 +757,10 @@ x509_get_time(const ASN1_TIME *at, time_t *t)
 *t = 0;
 memset(&tm, 0, sizeof(tm));
- if (ASN1_time_parse(at->data, at->length, &tm, 0) == -1)
+ /* Fail instead of silently falling back to the current time. */
+ if (at == NULL)
+ return 0;
+ if (!ASN1_TIME_to_tm(at, &tm))
 return 0;
 if ((*t = timegm(&tm)) == -1)
 errx(1, "timegm failed"); |
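Review bot: The unchanged `if ((*t = timegm(&tm)) == -1) errx(1, "timegm failed");` at the end of this hunk still exits the process on a value derived from the parsed ASN1_TIME, whereas the two checks added just above it return 0. -1 is also a legitimate time_t (one second before the epoch), and on a portable build with a narrow time_t a far-future date could presumably make timegm() fail too, so one unusual timestamp in a certificate or CRL would end the run instead of rejecting that object. Consider `return 0;` in place of the errx() call so the callers print their warnx() and skip the file, as they do on the other failure paths. The start of x509_get_time() and its final return are outside the hunk, so confirm that no caller relies on the fatal exit.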