There are various circumstances in which it makes no sense to be checking the start and end times of a certificate's validity.
When validating OS kernel drivers, or indeed when validating the OS kernel itself when the firmware loads it, we *really* don't want to have a built-in obsolescence date after which the system will no longer function. That would be a bad thing even if we *could* reliably trust the system's real time clock at this stage in the boot sequence.

This patch gives us a way to disable the time checks entirely, by using X509_VERIFY_PARAM_set_time() with a time of -1.

There is a slight risk here — if anyone was genuinely using the value of -1 to check if a certificate chain was indeed valid in the last second of 1969. I judge that risk to be negligible. And it certainly shouldn't be externally triggerable — if an attacker could influence the value passed to X509_VERIFY_PARAM_set_time() then all bets were off w.r.t. time-based checks anyway.

If there are serious concerns, however, I can provide an alternative patch which adds an X509_V_FLAG_NO_CHECK_TIME flag for this purpose instead.

I'm happy with anything except the existing version in the UEFI source tree that everyone is shipping, which just disables the time check if OPENSSL_SYS_UEFI is set¹. That one I *don't* like.

-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation

¹ http://git.infradead.org/users/dwmw2/openssl.git/commitdiff/2fb12afc2ceb
>From 7999a8d8bafee04eef7d4015417652e8407d5378 Mon Sep 17 00:00:00 2001 From: David Woodhouse <david.woodho...@intel.com> Date: Wed, 22 Jul 2015 13:53:20 +0100 Subject: [PATCH] Allow certificate time checks to be disabled Make a value of (time_t)-1 in X509_VERIFY_PARAM_set_time() indicate that time checks are to be disabled completely. It seems fairly unlikely that anyone is genuinely using this value to check whether a certificate chain *was* valid in the last second of 1969, so this seems cleaner than adding a new flag for it. --- crypto/x509/x509_vfy.c | 8 +++++++- doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 3 ++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index df012dd..282c127 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -953,6 +953,9 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) else ptime = NULL; + if (ptime && *ptime == (time_t)-1) + goto done; + i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); if (i == 0) { if (!notify) @@ -989,7 +992,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) return 0; } } - + done: if (notify) ctx->current_crl = NULL; @@ -1673,6 +1676,9 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet) else ptime = NULL; + if (ptime && *ptime == (time_t)-1) + return 1; + i = X509_cmp_time(X509_get_notBefore(x), ptime); if (i == 0) { if (quiet) diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 066ce0f..3b6b4d2 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 
@@ -60,7 +60,8 @@ X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to B<trust>. X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to -B<t>. Normally the current time is used. +B<t>. Normally the current time is used. If B<t> is set to the value B<-1> +then checking the time is disabled completely. X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled by default) and adds B<policy> to the acceptable policy set. -- 2.4.3
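Review bot: in the first check_crl_time hunk (@@ -953), the sentinel test "if (ptime && *ptime == (time_t)-1) goto done;" skips both the lastUpdate and the nextUpdate comparison without a comment saying why; add a one-line comment at the check, for example "/* (time_t)-1 from X509_VERIFY_PARAM_set_time() disables time checks */", so a later reader does not take -1 for a stray magic number. Since the visible "else ptime = NULL;" means ptime is only non-NULL when a caller-supplied check time is in use, the current-time path is unaffected, which matches the commit message.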
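Review bot: in the second check_crl_time hunk (@@ -989), the "done:" label is introduced by replacing a blank line, so the diff records a whitespace-only "-" line; keep the blank line and add the label below it to avoid the spurious change. Also confirm that the jump from the new "goto done" crosses no declaration with an initialiser between the two points; none is visible in the hunk, but the body between them is not shown.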
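Review bot: the x509_check_cert_time hunk (@@ -1673) carries the second copy of the comparison "*ptime == (time_t)-1"; factor it into a small static helper or macro shared by the two call sites so the checks cannot drift if the sentinel is later replaced by the X509_V_FLAG_NO_CHECK_TIME flag the cover letter offers as an alternative. It is also worth stating in the cover letter that check_crl_time and x509_check_cert_time are the only consumers of the configured check time in the verifier, since otherwise the value -1 would reach X509_cmp_time as a real timestamp elsewhere.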
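Review bot: the documentation hunk (@@ -60) says "the value B<-1>" while the code compares against (time_t)-1; write it as (time_t)-1 and state explicitly that this disables the notBefore/notAfter checks on every certificate in the chain and the lastUpdate/nextUpdate checks on CRLs, because the check_crl_time change is the less obvious consequence. A sentence that expired and not-yet-valid certificates are then accepted, and that the value is intended for callers without a trustworthy clock such as the boot-time case described in the cover letter, gives readers what they need to judge the risk.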
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev