author | Theo Buehler <tb@cvs.openbsd.org> | 2023-05-22 15:15:26 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-05-22 15:15:26 +0000 |
commit | 22f27fc29f7aa86676b3da6779987ad7b75ac454 (patch) | |
tree | cf076fff2c078e6d0a398103d14fb140541185d9 /usr.sbin/rpki-client/mft.c | |
parent | d686f033607c1a390785042a2c556e86e621b2b0 (diff) |
Convert generalizedtime_to_tm() to ASN1_TIME_to_tm()
Second step of moving away from ASN1_time_parse(). Being an OpenSSL API,
ASN1_TIME_to_tm() supports a variety of things. In this specific case we
don't really want it to parse anything but a GeneralizedTime expressed in
Zulu time. Unfortunately, OpenSSL makes this annoying. So punt on this and
only do checks for the correct type and length. LibreSSL only accepts Zulu
time, so there is no change of behavior.
ok claudio job
Diffstat (limited to 'usr.sbin/rpki-client/mft.c')
-rw-r--r-- | usr.sbin/rpki-client/mft.c | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index 0c1dea58d16..c7c27ba5b23 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.92 2023/05/22 14:56:00 tb Exp $ */
+/* $OpenBSD: mft.c,v 1.93 2023/05/22 15:15:25 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -87,6 +87,8 @@ ASN1_SEQUENCE(Manifest) = {
 DECLARE_ASN1_FUNCTIONS(Manifest);
 IMPLEMENT_ASN1_FUNCTIONS(Manifest);
+#define GENTIME_LENGTH 15
+
 /*
 * Convert an ASN1_GENERALIZEDTIME to a struct tm.
 * Returns 1 on success, 0 on failure.
@@ -94,15 +96,18 @@ IMPLEMENT_ASN1_FUNCTIONS(Manifest);
 static int
 generalizedtime_to_tm(const ASN1_GENERALIZEDTIME *gtime, struct tm *tm)
 {
- const char *data;
- size_t len;
-
- data = ASN1_STRING_get0_data(gtime);
- len = ASN1_STRING_length(gtime);
+ /*
+ * ASN1_GENERALIZEDTIME is another name for ASN1_STRING. Check type and
+ * length, so we don't accidentally accept a UTCTime. Punt on checking
+ * Zulu time for OpenSSL: we don't want to mess about with silly flags.
+ */
+ if (ASN1_STRING_type(gtime) != V_ASN1_GENERALIZEDTIME)
+ return 0;
+ if (ASN1_STRING_length(gtime) != GENTIME_LENGTH)
+ return 0;
 memset(tm, 0, sizeof(*tm));
- return ASN1_time_parse(data, len, tm, V_ASN1_GENERALIZEDTIME) ==
- V_ASN1_GENERALIZEDTIME;
+ return ASN1_TIME_to_tm(gtime, tm);
 }
 /* |
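Review bot: The type and length checks added to generalizedtime_to_tm() in the third hunk do not themselves establish that the value ends in `Z`; the new comment says this is deliberately left to the library on OpenSSL builds. Whether OpenSSL's ASN1_TIME_to_tm() can accept a 15-byte GeneralizedTime that is not Zulu time is not visible from this hunk. An explicit byte test after the length check would make the strictness independent of the library and needs no flags: `if (ASN1_STRING_get0_data(gtime)[GENTIME_LENGTH - 1] != 'Z') return 0;`. The constant added in the second hunk would also read better with its derivation stated, e.g. `#define GENTIME_LENGTH 15 /* strlen("YYYYMMDDHHMMSSZ") */`. The header comment above the function could say that only this 15-byte form is accepted.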