authorBob Beck <beck@cvs.openbsd.org>2016-11-04 18:07:25 +0000
committerBob Beck <beck@cvs.openbsd.org>2016-11-04 18:07:25 +0000
commit396633d63aca49076ff603738e121a55b65af92d (patch)
tree18cb524e608acecdd048020698bce37a7a2fff57 /lib
parent28393fdddd44b5251bbb0ea08ce9d8b3683b6a37 (diff)
make public ASN1_time_parse and ASN1_time_tm_cmp to replace former hidden
functions. Document with a man page. Bump majors on libtls, libssl, libcrypto ok jsing@ guenther@
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/asn1/a_time_tm.c24
-rw-r--r--lib/libcrypto/asn1/asn1.h5
-rw-r--r--lib/libcrypto/man/ASN1_time_parse.394
-rw-r--r--lib/libcrypto/man/Makefile3
-rw-r--r--lib/libcrypto/ocsp/ocsp_cl.c17
-rw-r--r--lib/libcrypto/shlib_version4
-rw-r--r--lib/libcrypto/x509/vpm_int.h0
-rw-r--r--lib/libcrypto/x509/x509_lcl.h2
-rw-r--r--lib/libcrypto/x509/x509_vfy.c6
-rw-r--r--lib/libssl/shlib_version4
-rw-r--r--lib/libtls/shlib_version4
-rw-r--r--lib/libtls/tls_conninfo.c6
-rw-r--r--lib/libtls/tls_internal.h4
-rw-r--r--lib/libtls/tls_ocsp.c3
14 files changed, 133 insertions, 43 deletions
diff --git a/lib/libcrypto/asn1/a_time_tm.c b/lib/libcrypto/asn1/a_time_tm.c
index aa3cb9994cb..fcd3acf9c8e 100644
--- a/lib/libcrypto/asn1/a_time_tm.c
+++ b/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.9 2015/12/12 21:02:59 beck Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.10 2016/11/04 18:07:23 beck Exp $ */
/*
* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
*
@@ -30,7 +30,7 @@
#define UTCTIME_LENGTH 13
int
-asn1_tm_cmp(struct tm *tm1, struct tm *tm2) {
+ASN1_time_tm_cmp(struct tm *tm1, struct tm *tm2) {
if (tm1->tm_year < tm2->tm_year)
return (-1);
if (tm1->tm_year > tm2->tm_year)
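Review bot: Now that ASN1_time_tm_cmp is an exported API, its `struct tm` parameters should be const-qualified, since the visible body only reads `tm1->tm_year` and `tm2->tm_year` and never writes through either pointer; `ASN1_time_tm_cmp(const struct tm *tm1, const struct tm *tm2)` is source- and ABI-compatible for every caller in this commit and lets callers pass a `const struct tm`. The prototype added in the asn1.h hunk and the synopsis in the new ASN1_time_parse.3 would change in step. The function body continues past the hunk, so the remaining comparisons should be checked for writes before adding the qualifier. As a point of style, the definition keeps its opening brace on the signature line while ASN1_time_parse below puts it on its own line; the public entry points of this file would read more consistently with the brace on its own line.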
@@ -117,8 +117,8 @@ rfc5280_string_from_tm(struct tm *tm)
* Parse an RFC 5280 format ASN.1 time string.
*
* mode must be:
- * 0 if we expect to parse a time as specified in RFC 5280 from an X509 object.
- * V_ASN1_UTCTIME if we wish to parse on RFC5280 format UTC time.
+ * 0 if we expect to parse a time as specified in RFC 5280 for an X509 object.
+ * V_ASN1_UTCTIME if we wish to parse an RFC5280 format UTC time.
* V_ASN1_GENERALIZEDTIME if we wish to parse an RFC5280 format Generalized time.
*
* Returns:
@@ -130,7 +130,7 @@ rfc5280_string_from_tm(struct tm *tm)
*/
#define ATOI2(ar) ((ar) += 2, ((ar)[-2] - '0') * 10 + ((ar)[-1] - '0'))
int
-asn1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
+ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
{
size_t i;
int type = 0;
@@ -218,7 +218,7 @@ ASN1_TIME_set_string_internal(ASN1_TIME *s, const char *str, int mode)
int type;
char *tmp;
- if ((type = asn1_time_parse(str, strlen(str), NULL, mode)) == -1)
+ if ((type = ASN1_time_parse(str, strlen(str), NULL, mode)) == -1)
return (0);
if (mode != 0 && mode != type)
return (0);
@@ -315,7 +315,7 @@ ASN1_TIME_check(ASN1_TIME *t)
{
if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME)
return (0);
- return (t->type == asn1_time_parse(t->data, t->length, NULL, t->type));
+ return (t->type == ASN1_time_parse(t->data, t->length, NULL, t->type));
}
ASN1_GENERALIZEDTIME *
@@ -329,7 +329,7 @@ ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
return (NULL);
memset(&tm, 0, sizeof(tm));
- if (t->type != asn1_time_parse(t->data, t->length, &tm, t->type))
+ if (t->type != ASN1_time_parse(t->data, t->length, &tm, t->type))
return (NULL);
if ((str = gentime_string_from_tm(&tm)) == NULL)
return (NULL);
@@ -364,7 +364,7 @@ ASN1_UTCTIME_check(ASN1_UTCTIME *d)
{
if (d->type != V_ASN1_UTCTIME)
return (0);
- return (d->type == asn1_time_parse(d->data, d->length, NULL, d->type));
+ return (d->type == ASN1_time_parse(d->data, d->length, NULL, d->type));
}
int
@@ -402,13 +402,13 @@ ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t2)
* The danger is that users of this function will not
* differentiate the -2 failure case from t1 < t2.
*/
- if (asn1_time_parse(s->data, s->length, &tm1, V_ASN1_UTCTIME) == -1)
+ if (ASN1_time_parse(s->data, s->length, &tm1, V_ASN1_UTCTIME) == -1)
return (-2); /* XXX */
if (gmtime_r(&t2, &tm2) == NULL)
return (-2); /* XXX */
- return asn1_tm_cmp(&tm1, &tm2);
+ return ASN1_time_tm_cmp(&tm1, &tm2);
}
/*
@@ -420,7 +420,7 @@ ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
{
if (d->type != V_ASN1_GENERALIZEDTIME)
return (0);
- return (d->type == asn1_time_parse(d->data, d->length, NULL, d->type));
+ return (d->type == ASN1_time_parse(d->data, d->length, NULL, d->type));
}
int
diff --git a/lib/libcrypto/asn1/asn1.h b/lib/libcrypto/asn1/asn1.h
index c5d9b55e400..72fdc728816 100644
--- a/lib/libcrypto/asn1/asn1.h
+++ b/lib/libcrypto/asn1/asn1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1.h,v 1.34 2015/10/13 16:31:08 jsing Exp $ */
+/* $OpenBSD: asn1.h,v 1.35 2016/11/04 18:07:23 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1357,6 +1357,9 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_WRONG_TAG 168
#define ASN1_R_WRONG_TYPE 169
+
+int ASN1_time_parse(const char *_bytes, size_t _len, struct tm *_tm, int _mode);
+int ASN1_time_tm_cmp(struct tm *_tm1, struct tm *_tm2);
#ifdef __cplusplus
}
#endif
diff --git a/lib/libcrypto/man/ASN1_time_parse.3 b/lib/libcrypto/man/ASN1_time_parse.3
new file mode 100644
index 00000000000..e70a292f6df
--- /dev/null
+++ b/lib/libcrypto/man/ASN1_time_parse.3
@@ -0,0 +1,94 @@
+.\" $OpenBSD: ASN1_time_parse.3,v 1.1 2016/11/04 18:07:23 beck Exp $
+.\"
+.\" Copyright (c) 2016 Bob Beck <beck@@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: November 4 2016 $
+.Dt ASN1_TIME_PARSE 3
+.Os
+.Sh NAME
+.Nm ASN1_time_parse,
+.Nm ASN1_time_tm_cmp
+.Nd LibreSSL utilities for asn1 format time.
+.Sh SYNOPSIS
+.In asn1.h
+.Ft "int"
+.Fn ASN1_time_parse "const char *bytes" "size_t len" "struct tm *tm" "int mode
+.Ft "int"
+.Fn ASN1_time_tm_cmp "struct tm *tm1" "struct tm *tm2"
+.Sh DESCRIPTION
+The
+.Nm ASN1_time_parse
+function parses an asn1 time string of
+.Ar len
+bytes starting at
+.Ar bytes .
+The resulting time is stored in
+.Ar tm
+if
+.Ar tm
+is non NULL.
+.Pp
+The
+.Ar mode
+parameter must be one of
+.Bl -bullet -offset four
+.It
+.Ar 0
+to parse a time as specified in RFC 5280 for an X509 object,
+which may be either a UTC time or a Generalized time.
+.It
+.Ar V_ASN1_UTCTIME
+to parse an RFC 5280 format UTC time.
+.It
+.Ar V_ASN1_GENERALIZEDTIME
+to parse an RFC 5280 format Generalized time.
+.El
+.Pp
+The
+.Nm ASN1_time_tm_cmp
+function compares two times in
+.Ar tm1
+and
+.Ar tm2
+.Sh RETURN VALUES
+.Nm ASN1_parse_time
+returns
+.Bl -bullet -offset four
+.It
+.Ar -1
+if the string was invalid for the
+.Ar mode
+specified
+.It
+.Ar V_ASN1_UTCTIME
+if the string parsed as a valid UTC time.
+.It :
+.Ar V_ASN1_GENERALIZEDTIME
+if the string parsed as a valid Generalized time.
+.El
+.Pp
+.Nm ASN1_time_tm_cmp
+returns
+.Bl -bullet -offset four
+.It
+.Ar -1
+if tm1 is less than tm2.
+.It
+.Ar 1
+if tm1 is greater than tm2.
+.It
+.Ar 0
+if tm1 is the same as tm2.
+.El
diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile
index a76a03c78ac..7819029ff67 100644
--- a/lib/libcrypto/man/Makefile
+++ b/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.46 2016/11/04 15:29:03 schwarze Exp $
+# $OpenBSD: Makefile,v 1.47 2016/11/04 18:07:23 beck Exp $
.include <bsd.own.mk> # for NOMAN
@@ -11,6 +11,7 @@ MAN= \
ASN1_STRING_new.3 \
ASN1_STRING_print_ex.3 \
ASN1_generate_nconf.3 \
+ ASN1_time_parse.3 \
BF_set_key.3 \
BIO.3 \
BIO_ctrl.3 \
diff --git a/lib/libcrypto/ocsp/ocsp_cl.c b/lib/libcrypto/ocsp/ocsp_cl.c
index 86baed87247..40417973f51 100644
--- a/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.11 2016/07/16 16:14:28 beck Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.12 2016/11/04 18:07:23 beck Exp $ */
/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
* project. */
@@ -71,9 +71,6 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
-int asn1_time_parse(const char *, size_t, struct tm *, int);
-int asn1_tm_cmp(struct tm *, struct tm *);
-
/* Utility functions related to sending OCSP requests and extracting
* relevant information from the response.
*/
@@ -342,7 +339,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
*/
/* Check thisUpdate is valid and not more than nsec in the future */
- if (asn1_time_parse(thisupd->data, thisupd->length, &tm_this,
+ if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
OCSP_R_ERROR_IN_THISUPDATE_FIELD);
@@ -351,7 +348,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
t_tmp = t_now + nsec;
if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
return 0;
- if (asn1_tm_cmp(&tm_this, &tm_tmp) > 0) {
+ if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) {
OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
OCSP_R_STATUS_NOT_YET_VALID);
return 0;
@@ -365,7 +362,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
t_tmp = t_now - maxsec;
if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
return 0;
- if (asn1_tm_cmp(&tm_this, &tm_tmp) < 0) {
+ if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
OCSP_R_STATUS_TOO_OLD);
return 0;
@@ -377,7 +374,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
return 1;
/* Check nextUpdate is valid and not more than nsec in the past */
- if (asn1_time_parse(nextupd->data, nextupd->length, &tm_next,
+ if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
@@ -386,7 +383,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
t_tmp = t_now - nsec;
if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
return 0;
- if (asn1_tm_cmp(&tm_next, &tm_tmp) < 0) {
+ if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
OCSP_R_STATUS_EXPIRED);
return 0;
@@ -394,7 +391,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
}
/* Also don't allow nextUpdate to precede thisUpdate */
- if (asn1_tm_cmp(&tm_next, &tm_this) < 0) {
+ if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) {
OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
return 0;
diff --git a/lib/libcrypto/shlib_version b/lib/libcrypto/shlib_version
index cf69944b9dd..77935fe957d 100644
--- a/lib/libcrypto/shlib_version
+++ b/lib/libcrypto/shlib_version
@@ -1,3 +1,3 @@
# Don't forget to give libssl and libtls the same type of bump!
-major=38
-minor=1
+major=39
+minor=0
diff --git a/lib/libcrypto/x509/vpm_int.h b/lib/libcrypto/x509/vpm_int.h
new file mode 100644
index 00000000000..e69de29bb2d
--- /dev/null
+++ b/lib/libcrypto/x509/vpm_int.h
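Review bot: lib/libcrypto/x509/vpm_int.h is added with no content (the diffstat lists it at 0 lines and the section has no hunk body), and neither the commit message nor any other file in the commit refers to it, so it looks like an accidental addition rather than part of making the two functions public. If it is intended as a future internal header it should carry at least the usual include guard and a one-line purpose comment; otherwise it should be dropped from the commit so an empty header is not shipped in the library tree.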
diff --git a/lib/libcrypto/x509/x509_lcl.h b/lib/libcrypto/x509/x509_lcl.h
index 9ffdd01e61c..b16df78ad7c 100644
--- a/lib/libcrypto/x509/x509_lcl.h
+++ b/lib/libcrypto/x509/x509_lcl.h
@@ -57,5 +57,3 @@
*/
int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
-int asn1_time_parse(const char *, size_t, struct tm *, int);
-int asn1_tm_cmp(struct tm *tm1, struct tm *tm2);
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index a9330e1c036..7a6d2720230 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.50 2016/10/02 20:45:04 guenther Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.51 2016/11/04 18:07:23 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1658,7 +1658,7 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
memset(&tm1, 0, sizeof(tm1));
- type = asn1_time_parse(ctm->data, ctm->length, &tm1, ctm->type);
+ type = ASN1_time_parse(ctm->data, ctm->length, &tm1, ctm->type);
if (type == -1)
goto out; /* invalid time */
@@ -1679,7 +1679,7 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
if (gmtime_r(&time2, &tm2) == NULL)
goto out;
- ret = asn1_tm_cmp(&tm1, &tm2);
+ ret = ASN1_time_tm_cmp(&tm1, &tm2);
if (ret == 0)
ret = -1; /* 0 is used for error, so map same to less than */
out:
diff --git a/lib/libssl/shlib_version b/lib/libssl/shlib_version
index 9149d47732c..51f4d897f8e 100644
--- a/lib/libssl/shlib_version
+++ b/lib/libssl/shlib_version
@@ -1,3 +1,3 @@
# Don't forget to give libtls the same type of bump!
-major=39
-minor=1
+major=40
+minor=0
diff --git a/lib/libtls/shlib_version b/lib/libtls/shlib_version
index faa53892ba9..56246d02b24 100644
--- a/lib/libtls/shlib_version
+++ b/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
-major=11
-minor=6
+major=12
+minor=0
diff --git a/lib/libtls/tls_conninfo.c b/lib/libtls/tls_conninfo.c
index 5882a19cee8..1bf4b2285b2 100644
--- a/lib/libtls/tls_conninfo.c
+++ b/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.11 2016/08/22 17:12:35 jsing Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.12 2016/11/04 18:07:24 beck Exp $ */
/*
* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -136,9 +136,9 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
goto err;
if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)
goto err;
- if (asn1_time_parse(before->data, before->length, &before_tm, 0) == -1)
+ if (ASN1_time_parse(before->data, before->length, &before_tm, 0) == -1)
goto err;
- if (asn1_time_parse(after->data, after->length, &after_tm, 0) == -1)
+ if (ASN1_time_parse(after->data, after->length, &after_tm, 0) == -1)
goto err;
if ((*notbefore = timegm(&before_tm)) == -1)
goto err;
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 0112ceedb9c..7b07c96c86a 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.46 2016/11/04 05:13:13 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.47 2016/11/04 18:07:24 beck Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -209,6 +209,4 @@ int tls_ocsp_verify_cb(SSL *ssl, void *arg);
void tls_ocsp_ctx_free(struct tls_ocsp_ctx *ctx);
struct tls_ocsp_ctx *tls_ocsp_setup_from_peer(struct tls *ctx);
-int asn1_time_parse(const char *, size_t, struct tm *, int);
-
#endif /* HEADER_TLS_INTERNAL_H */
diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index af65771f7cc..52e90364a77 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
@@ -63,7 +63,7 @@ tls_ocsp_asn1_parse_time(struct tls *ctx, ASN1_GENERALIZEDTIME *gt, time_t *gt_t
if (gt == NULL)
return -1;
/* RFC 6960 specifies that all times in OCSP must be GENERALIZEDTIME */
- if (asn1_time_parse(gt->data, gt->length, &tm,
+ if (ASN1_time_parse(gt->data, gt->length, &tm,
V_ASN1_GENERALIZEDTIME) == -1)
return -1;
if ((*gt_time = timegm(&tm)) == -1)
@@ -258,7 +258,6 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
OCSP_crl_reason_str(crl_reason));
goto error;
}
-
ret = 0;
error: