CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2020/11/05 08:53:55

Modified files:
    usr.sbin/rpki-client: mft.c

Log message:
Fix checks for manifest validity interval

The check_validity() function used the X509_cmp_time() functions with GeneralizedTime. This doesn't work with current dates since LibreSSL enforces conformance with RFC 5280 in X509_cmp_time(), which requires that dates before 2050 are represented with UTCTime. The functions would return an error, but missing error checking led to failing to detect expired or not yet valid manifests.

Fix this by converting the dates into struct tm and using ASN1_time_tm_cmp() instead.

With input from claudio, jsing

ok benno claudio jsing