diff options
| -rw-r--r-- | lib/libcrypto/x509/x509_local.h | 4 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_purp.c | 5 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_verify.c | 46 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_vfy.c | 24 |
4 files changed, 16 insertions, 63 deletions
diff --git a/lib/libcrypto/x509/x509_local.h b/lib/libcrypto/x509/x509_local.h index 73cc582d7bc..5b74b0d1bda 100644 --- a/lib/libcrypto/x509/x509_local.h +++ b/lib/libcrypto/x509/x509_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_local.h,v 1.23 2024/03/26 05:39:47 tb Exp $ */ +/* $OpenBSD: x509_local.h,v 1.24 2024/04/08 23:46:21 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2013. */ @@ -188,8 +188,6 @@ struct x509_st { struct ASIdentifiers_st *rfc3779_asid; #endif unsigned char hash[X509_CERT_HASH_LEN]; - time_t not_before; - time_t not_after; X509_CERT_AUX *aux; } /* X509 */; diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c index 53f4f2f9675..8f4e5934e1f 100644 --- a/lib/libcrypto/x509/x509_purp.c +++ b/lib/libcrypto/x509/x509_purp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_purp.c,v 1.39 2024/03/02 10:43:52 tb Exp $ */ +/* $OpenBSD: x509_purp.c,v 1.40 2024/04/08 23:46:21 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -559,9 +559,6 @@ x509v3_cache_extensions_internal(X509 *x) if (!x509_extension_oids_are_unique(x)) x->ex_flags |= EXFLAG_INVALID; - if (!x509_verify_cert_info_populate(x)) - x->ex_flags |= EXFLAG_INVALID; - x->ex_flags |= EXFLAG_SET; } diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c index 19bb925d9c6..c7b2219fa9b 100644 --- a/lib/libcrypto/x509/x509_verify.c +++ b/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.68 2024/02/01 23:16:38 beck Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.69 2024/04/08 23:46:21 beck Exp $ */ /* * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> * @@ -52,6 +52,9 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter, struct tm tm = { 0 }; int type; + if (atime == NULL) + return 0; + type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type); if (type == -1) return 0; @@ -80,35 +83,6 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter, return asn1_time_tm_to_time_t(&tm, out); } -/* - * Cache certificate hash, and values parsed out of an X509. - * called from cache_extensions() - */ -int -x509_verify_cert_info_populate(X509 *cert) -{ - const ASN1_TIME *notBefore, *notAfter; - - /* - * Parse and save the cert times, or remember that they - * are unacceptable/unparsable. - */ - - cert->not_before = cert->not_after = -1; - - if ((notBefore = X509_get_notBefore(cert)) == NULL) - return 0; - if ((notAfter = X509_get_notAfter(cert)) == NULL) - return 0; - - if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before)) - return 0; - if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after)) - return 0; - - return 1; -} - struct x509_verify_chain * x509_verify_chain_new(void) { @@ -840,26 +814,28 @@ x509_verify_set_check_time(struct x509_verify_ctx *ctx) static int x509_verify_cert_times(X509 *cert, time_t *cmp_time, int *error) { - time_t when; + time_t when, not_before, not_after; if (cmp_time == NULL) when = time(NULL); else when = *cmp_time; - if (cert->not_before == -1) { + if (!x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0, + ¬_before)) { *error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; return 0; } - if (when < cert->not_before) { + if (when < not_before) { *error = X509_V_ERR_CERT_NOT_YET_VALID; return 0; } - if (cert->not_after == -1) { + if (!x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1, + ¬_after)) { *error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; return 0; } - if (when > cert->not_after) { + if (when > not_after) { *error = X509_V_ERR_CERT_HAS_EXPIRED; return 0; } diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 53996586391..501f5e57107 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.142 2024/03/02 10:40:05 tb Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.143 2024/04/08 23:46:21 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1744,18 +1744,6 @@ verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err) return ctx->verify_cb(0, ctx); } - -/* Mimic OpenSSL '0 for failure' ick */ -static int -time_t_bogocmp(time_t a, time_t b) -{ - if (a == -1 || b == -1) - return 0; - if (a <= b) - return -1; - return 1; -} - /* * Check certificate validity times. * @@ -1777,10 +1765,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) else ptime = time(NULL); - if (x->ex_flags & EXFLAG_SET) - i = time_t_bogocmp(x->not_before, ptime); - else - i = X509_cmp_time(X509_get_notBefore(x), &ptime); + i = X509_cmp_time(X509_get_notBefore(x), &ptime); if (i >= 0 && depth < 0) return 0; @@ -1791,10 +1776,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) X509_V_ERR_CERT_NOT_YET_VALID)) return 0; - if (x->ex_flags & EXFLAG_SET) - i = time_t_bogocmp(x->not_after, ptime); - else - i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1); + i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1); if (i <= 0 && depth < 0) return 0; |