[openssl] master update

dev at ddvo.net dev at ddvo.net
Wed Jan 20 14:56:39 UTC 2021


The branch master has been updated
       via  63162e3d55e38aff51e243212bc73aa27bed8c4c (commit)
       via  b09aa550d3d9af269f9551a5a95a3d8408d9098d (commit)
      from  9495cfbc22393aee87aa877e9e2e726c2cc441f1 (commit)


- Log -----------------------------------------------------------------
commit 63162e3d55e38aff51e243212bc73aa27bed8c4c
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon Jan 18 17:18:03 2021 +0100

    X509: Enable printing cert even with invalid validity times, saying 'Bad time value'
    
    Add internal asn1_time_print_ex() that can return success on invalid time.
    This is a workaround for inconsistent error behavior of ASN1_TIME_print(),
    used in X509_print_ex().
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13714)

commit b09aa550d3d9af269f9551a5a95a3d8408d9098d
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Fri Dec 18 21:47:20 2020 +0100

    ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13714)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/a_time.c       | 18 +++++++++++-------
 crypto/x509/t_x509.c       |  4 ++--
 doc/man3/ASN1_TIME_set.pod | 15 +++++++++------
 include/crypto/asn1.h      |  1 +
 4 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
index c34b028eaf..aebbf53fd0 100644
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -16,6 +16,7 @@
 
 #include <stdio.h>
 #include <time.h>
+#include "crypto/asn1.h"
 #include "crypto/ctype.h"
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
@@ -467,17 +468,23 @@ static const char _asn1_mon[12][4] = {
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
 };
 
+/* returns 1 on success, 0 on BIO write error or parse failure */
 int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
+{
+    return asn1_time_print_ex(bp, tm) > 0;
+}
+
+/* returns 0 on BIO write error, else -1 in case of parse failure, else 1 */
+int asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm)
 {
     char *v;
     int gmt = 0, l;
     struct tm stm;
     const char upper_z = 0x5A, period = 0x2E;
 
-    if (!asn1_time_to_tm(&stm, tm)) {
-        /* asn1_time_to_tm will check the time type */
-        goto err;
-    }
+    /* asn1_time_to_tm will check the time type */
+    if (!asn1_time_to_tm(&stm, tm))
+        return BIO_write(bp, "Bad time value", 14) ? -1 : 0;
 
     l = tm->length;
     v = (char *)tm->data;
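Review bot: In asn1_time_print_ex(), the new `return BIO_write(bp, "Bad time value", 14) ? -1 : 0;` treats any nonzero result as a successful write. A negative BIO_write() result is therefore reported as -1 (parse failure) rather than 0 (write error), which contradicts the comment placed above the function. The X509_print_ex() hunk in crypto/x509/t_x509.c tests only `== 0`, while checking its own BIO_write() calls with `<= 0`, so a failed write of the placeholder text would go unnoticed there. Comparing explicitly fixes it: `return BIO_write(bp, "Bad time value", 14) > 0 ? -1 : 0;`. The body of asn1_time_print_ex() continues past the end of this hunk.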
@@ -509,9 +516,6 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
                           stm.tm_min, stm.tm_sec, stm.tm_year + 1900,
                           (gmt ? " GMT" : "")) > 0;
     }
- err:
-    BIO_write(bp, "Bad time value", 14);
-    return 0;
 }
 
 int ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t)
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 9636756b66..d4bfe455fc 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -140,11 +140,11 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
             goto err;
         if (BIO_write(bp, "            Not Before: ", 24) <= 0)
             goto err;
-        if (!ASN1_TIME_print(bp, X509_get0_notBefore(x)))
+        if (asn1_time_print_ex(bp, X509_get0_notBefore(x)) == 0)
             goto err;
         if (BIO_write(bp, "\n            Not After : ", 25) <= 0)
             goto err;
-        if (!ASN1_TIME_print(bp, X509_get0_notAfter(x)))
+        if (asn1_time_print_ex(bp, X509_get0_notAfter(x)) == 0)
             goto err;
         if (BIO_write(bp, "\n", 1) <= 0)
             goto err;
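Review bot: The switch from `!ASN1_TIME_print(...)` to `asn1_time_print_ex(...) == 0` for notBefore and notAfter carries no comment saying that -1 (unparsable time) is deliberately let through, so the comparison reads like a slip next to the `<= 0` checks on BIO_write(). A short comment above the first call would make the intent clear, e.g. `/* -1: "Bad time value" was printed; continue so the rest of the cert is shown */`. The X509_print_ex() documentation could also state that a successful return no longer implies well-formed validity fields; whether any caller relied on the old failure to reject such certificates cannot be seen from here. X509_print_ex() starts and ends outside this hunk.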
diff --git a/doc/man3/ASN1_TIME_set.pod b/doc/man3/ASN1_TIME_set.pod
index b3163ad539..60898e4e0a 100644
--- a/doc/man3/ASN1_TIME_set.pod
+++ b/doc/man3/ASN1_TIME_set.pod
@@ -102,9 +102,9 @@ functions check the syntax of the time structure I<s>.
 The ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print()
 functions print the time structure I<s> to BIO I<b> in human readable
 format. It will be of the format MMM DD HH:MM:SS YYYY [GMT], for example
-"Feb  3 00:55:52 2015 GMT" it does not include a newline. If the time
-structure has invalid format it prints out "Bad time value" and returns
-an error. The output for generalized time may include a fractional part
+"Feb  3 00:55:52 2015 GMT", which does not include a newline.
+If the time structure has invalid format it prints out "Bad time value" and
+returns an error. The output for generalized time may include a fractional part
 following the second.
 
 ASN1_TIME_to_tm() converts the time I<s> to the standard I<tm> structure.
@@ -181,6 +181,9 @@ ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print()
 do not print out the timezone: it either prints out "GMT" or nothing. But all
 certificates complying with RFC5280 et al use GMT anyway.
 
+ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print()
+do not distinguish if they fail because of an I/O error or invalid time format.
+
 Use the ASN1_TIME_normalize() function to normalize the time value before
 printing to get GMT results.
 
@@ -199,9 +202,9 @@ ASN1_TIME_normalize() returns 1 on success, and 0 on error.
 ASN1_TIME_check(), ASN1_UTCTIME_check and ASN1_GENERALIZEDTIME_check() return 1
 if the structure is syntactically correct and 0 otherwise.
 
-ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() return
-1 if the time is successfully printed out and 0 if an error occurred (I/O error
-or invalid time format).
+ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print()
+return 1 if the time is successfully printed out and
+0 if an I/O error occurred an error occurred (I/O error or invalid time format).
 
 ASN1_TIME_to_tm() returns 1 if the time is successfully parsed and 0 if an
 error occurred (invalid time format).
diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h
index 0d5d2116de..1add640630 100644
--- a/include/crypto/asn1.h
+++ b/include/crypto/asn1.h
@@ -138,3 +138,4 @@ int x509_algor_new_from_md(X509_ALGOR **palg, const EVP_MD *md);
 const EVP_MD *x509_algor_get_md(X509_ALGOR *alg);
 X509_ALGOR *x509_algor_mgf1_decode(X509_ALGOR *alg);
 int x509_algor_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md);
+int asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm);

