verification, accepting CRLs that ought to be rejected, if an unusual
combination of verification flags was specified.
If time verification was explicitly requested with
X509_V_FLAG_USE_CHECK_TIME, it was skipped on CRLs if
X509_V_FLAG_NO_CHECK_TIME was also set, even though the former is
documented to override the latter both in the OpenSSL and in the
LibreSSL X509_VERIFY_PARAM_set_flags(3) manual page.
The same bug in x509_check_cert_time() was already fixed by beck@
in rev. 1.57 on 2017/01/20.
This syncs the beginning of the function check_crl_time() with the
OpenSSL 1.1.1 branch, which is still under a free license.
OK beck@
This teaches that having too many flags and options is bad because they
breed bugs, and even more so if they are poorly designed to override
each other in surprising ways.
-/* $OpenBSD: x509_vfy.c,v 1.96 2021/11/07 15:52:38 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.97 2021/11/13 18:24:45 schwarze Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
static int
check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
{
- time_t *ptime = NULL;
+ time_t *ptime;
int i;
- if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
- return (1);
-
- if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
- ptime = &ctx->param->check_time;
-
if (notify)
ctx->current_crl = crl;
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
+ ptime = &ctx->param->check_time;
+ else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+ return (1);
+ else
+ ptime = NULL;
i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
if (i == 0) {