beck ported the OpenSSL ASN1_TIME API to use the ASN1_time* API under
the hood, so for LibreSSL the diff here is a noop.
This allows us to eliminate most of the gross openssl hacks in regress.
The unistd.h thing is still needed because of STACK_OF discrepancies,
but the reacharound into libcrypto disappears, which is already a big
step forward.
This will simplify portable as well at the cost of requiring LibreSSL 3.6
at a minimum. I think we have enough reason to require this for the next
release and you should not be using LibreSSL 3.5 anymore anyway.
If you are using rpki-client with OpenSSL, you're already using these
functions under the hood, so the yolo factor isn't really increased.
As usual, there are some weird API quirks such as passing a NULL time
resulting in ASN1_TIME_to_tm() silently returning the current time, so
check for this, because who would want that and why...
If you really only want to accept an ASN1_GENERALIZEDTIME with Zulu
time, you're supposed to set a flag on the time. LibreSSL doesn't accept
anything but Zulu time and doesn't have this flag. Since nobody appears
to have discovered this yet, we certainly don't want it, so I decided to
do a type and length check by hand and to punt on checking for the Z at
the end because that's just gross.
ASN1_time_tm_cmp() could have been replaced by a straightforward
comparison of time_t a long time ago.
Index: usr.sbin/rpki-client/crl.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
retrieving revision 1.24
diff -u -p -r1.24 crl.c
--- usr.sbin/rpki-client/crl.c 10 Mar 2023 12:44:56 -0000 1.24
+++ usr.sbin/rpki-client/crl.c 9 May 2023 14:14:24 -0000
@@ -75,7 +75,7 @@ crl_parse(const char *fn, const unsigned
goto out;
}
if (!x509_get_time(at, &crl->lastupdate)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ warnx("%s: ASN1_TIME_to_tm failed", fn);
goto out;
}
@@ -85,7 +85,7 @@ crl_parse(const char *fn, const unsigned
goto out;
}
if (!x509_get_time(at, &crl->nextupdate)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ warnx("%s: ASN1_TIME_to_tm failed", fn);
goto out;
}
Index: usr.sbin/rpki-client/mft.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
retrieving revision 1.91
diff -u -p -r1.91 mft.c
--- usr.sbin/rpki-client/mft.c 26 Apr 2023 16:32:41 -0000 1.91
+++ usr.sbin/rpki-client/mft.c 9 May 2023 14:47:40 -0000
@@ -87,6 +87,8 @@ ASN1_SEQUENCE(Manifest) = {
DECLARE_ASN1_FUNCTIONS(Manifest);
IMPLEMENT_ASN1_FUNCTIONS(Manifest);
+#define GENTIME_LENGTH 15
+
/*
* Convert an ASN1_GENERALIZEDTIME to a struct tm.
* Returns 1 on success, 0 on failure.
@@ -94,15 +96,18 @@ IMPLEMENT_ASN1_FUNCTIONS(Manifest);
static int
generalizedtime_to_tm(const ASN1_GENERALIZEDTIME *gtime, struct tm *tm)
{
- const char *data;
- size_t len;
-
- data = ASN1_STRING_get0_data(gtime);
- len = ASN1_STRING_length(gtime);
+ /*
+ * ASN1_GENERALIZEDTIME is just another name for ASN1_STRING. Check
+ * its type and length, so we don't accidentally accept a UTCTime.
+ * We don't want to mess about with silly flags on gtime.
+ */
+ if (ASN1_STRING_type(gtime) != V_ASN1_GENERALIZEDTIME)
+ return 0;
+ if (ASN1_STRING_length(gtime) != GENTIME_LENGTH)
+ return 0;
memset(tm, 0, sizeof(*tm));
- return ASN1_time_parse(data, len, tm, V_ASN1_GENERALIZEDTIME) ==
- V_ASN1_GENERALIZEDTIME;
+ return ASN1_TIME_to_tm(gtime, tm);
}
/*
@@ -124,15 +129,14 @@ mft_parse_time(const ASN1_GENERALIZEDTIM
return 0;
}
- /* check that until is not before from */
- if (ASN1_time_tm_cmp(&tm_until, &tm_from) < 0) {
- warnx("%s: bad update interval", p->fn);
- return 0;
- }
-
if ((p->res->thisupdate = timegm(&tm_from)) == -1 ||
(p->res->nextupdate = timegm(&tm_until)) == -1)
errx(1, "%s: timegm failed", p->fn);
+
+ if (p->res->thisupdate > p->res->nextupdate) {
+ warnx("%s: bad update interval", p->fn);
+ return 0;
+ }
return 1;
}
Index: usr.sbin/rpki-client/x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
retrieving revision 1.70
diff -u -p -r1.70 x509.c
--- usr.sbin/rpki-client/x509.c 14 Mar 2023 07:09:11 -0000 1.70
+++ usr.sbin/rpki-client/x509.c 9 May 2023 14:14:24 -0000
@@ -506,7 +506,7 @@ x509_get_notbefore(X509 *x, const char *
return 0;
}
if (!x509_get_time(at, tt)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ warnx("%s: ASN1_TIME_to_tm failed", fn);
return 0;
}
return 1;
@@ -526,7 +526,7 @@ x509_get_notafter(X509 *x, const char *f
return 0;
}
if (!x509_get_time(at, tt)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ warnx("%s: ASN1_TIME_to_tm failed", fn);
return 0;
}
return 1;
@@ -757,7 +757,10 @@ x509_get_time(const ASN1_TIME *at, time_
*t = 0;
memset(&tm, 0, sizeof(tm));
- if (ASN1_time_parse(at->data, at->length, &tm, 0) == -1)
+ /* Fail instead of silently falling back to the current time. */
+ if (at == NULL)
+ return 0;
+ if (!ASN1_TIME_to_tm(at, &tm))
return 0;
if ((*t = timegm(&tm)) == -1)
errx(1, "timegm failed");
Index: regress/usr.sbin/rpki-client/openssl11/Makefile
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/openssl11/Makefile,v
retrieving revision 1.17
diff -u -p -r1.17 Makefile
--- regress/usr.sbin/rpki-client/openssl11/Makefile 14 Apr 2023 15:35:12
-0000 1.17
+++ regress/usr.sbin/rpki-client/openssl11/Makefile 9 May 2023 15:07:54
-0000
@@ -2,43 +2,7 @@
LDADD += -Wl,-rpath,/usr/local/lib/eopenssl11 -L/usr/local/lib/eopenssl11
CFLAGS += -I${.CURDIR}/ -I/usr/local/include/eopenssl11/
-CFLAGS += -DLIBRESSL_INTERNAL
-
-# For mft.c we need ASN1_time_parse() and ASN1_time_tm_cmp() from LibreSSL
-
-# Provide a missing prototype
-a_time_tm_gen.c: a_time_tm.c
- echo '#include <openssl/asn1.h>\n' > [email protected]
- echo '#include "bytestring.h"\n' >> [email protected]
- echo '#define ASN1error(err) ASN1err(0, (err));' >> [email protected]
- cat $> >> [email protected]
- mv -f [email protected] $@
-
-CLEANFILES += a_time_tm_gen.c a_time_tm_gen.c.tmp
-
-LIBCRYPTO_COMPAT += a_time_tm_gen.c a_time_posix.c
-LIBCRYPTO_COMPAT += bs_ber.c bs_cbb.c bs_cbs.c
-
-SRCS_test-ip = ${LIBCRYPTO_COMPAT}
-SRCS_test-mft = ${LIBCRYPTO_COMPAT}
-SRCS_test-roa = ${LIBCRYPTO_COMPAT}
-SRCS_test-cert = ${LIBCRYPTO_COMPAT}
-SRCS_test-gbr = ${LIBCRYPTO_COMPAT}
-SRCS_test-geofeed = ${LIBCRYPTO_COMPAT}
-SRCS_test-tal = ${LIBCRYPTO_COMPAT}
-SRCS_test-bgpsec = ${LIBCRYPTO_COMPAT}
-SRCS_test-rrdp = ${LIBCRYPTO_COMPAT}
-SRCS_test-rsc = ${LIBCRYPTO_COMPAT}
-SRCS_test-aspa = ${LIBCRYPTO_COMPAT}
-SRCS_test-tak = ${LIBCRYPTO_COMPAT}
-
-CFLAGS += -I${.CURDIR}/../../../../lib/libcrypto/
-CFLAGS += -I${.CURDIR}/../../../../lib/libcrypto/asn1
-CFLAGS += -I${.CURDIR}/../../../../lib/libcrypto/bytestring
.PATH: ${.CURDIR}/..
-.PATH: ${.CURDIR}/../../../../lib/libcrypto
-.PATH: ${.CURDIR}/../../../../lib/libcrypto/asn1
-.PATH: ${.CURDIR}/../../../../lib/libcrypto/bytestring
.include <bsd.regress.mk>
Index: regress/usr.sbin/rpki-client/openssl11/unistd.h
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/openssl11/unistd.h,v
retrieving revision 1.3
diff -u -p -r1.3 unistd.h
--- regress/usr.sbin/rpki-client/openssl11/unistd.h 30 Jun 2022 07:28:38
-0000 1.3
+++ regress/usr.sbin/rpki-client/openssl11/unistd.h 9 May 2023 15:12:02
-0000
@@ -6,11 +6,7 @@
#include_next <unistd.h>
-#include <openssl/asn1.h>
#include <openssl/stack.h>
-
-int ASN1_time_parse(const char *, size_t, struct tm *, int);
-int ASN1_time_tm_cmp(struct tm *, struct tm *);
#ifndef DECLARE_STACK_OF
#define DECLARE_STACK_OF DEFINE_STACK_OF
