Convert x509_get_time() to ASN1_TIME_to_tm()

Instead of using the LibreSSL-specific ASN1_time_parse(), we can use
OpenSSL's ASN1_TIME_to_tm() which LibreSSL provides since 3.6.0. The
latter has a few API quirks such as silently falling back to being a
timegm() replacement if called with a NULL ASN1_TIME. We don't want
that, so just return an error instead.

rpki-client portable now needs LibreSSL >= 3.6. This is a small price
to pay for rather significant smiplifications in regress and portable
(which will be possible after the next commit).

Also adjust a couple of error strings.

ok claudio job

diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c
index d60e664..ad43e18 100644 (file)
--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: crl.c,v 1.24 2023/03/10 12:44:56 job Exp $ */
+/*     $OpenBSD: crl.c,v 1.25 2023/05/22 15:07:02 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -75,7 +75,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
                goto out;
        }
        if (!x509_get_time(at, &crl->lastupdate)) {
-               warnx("%s: ASN1_time_parse failed", fn);
+               warnx("%s: ASN1_TIME_to_tm failed", fn);
                goto out;
        }
 
@@ -85,7 +85,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
                goto out;
        }
        if (!x509_get_time(at, &crl->nextupdate)) {
-               warnx("%s: ASN1_time_parse failed", fn);
+               warnx("%s: ASN1_TIME_to_tm failed", fn);
                goto out;
        }
 

diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 0ab6469..59f6d10 100644 (file)
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: x509.c,v 1.70 2023/03/14 07:09:11 tb Exp $ */
+/*     $OpenBSD: x509.c,v 1.71 2023/05/22 15:07:02 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -506,7 +506,7 @@ x509_get_notbefore(X509 *x, const char *fn, time_t *tt)
                return 0;
        }
        if (!x509_get_time(at, tt)) {
-               warnx("%s: ASN1_time_parse failed", fn);
+               warnx("%s: ASN1_TIME_to_tm failed", fn);
                return 0;
        }
        return 1;
@@ -526,7 +526,7 @@ x509_get_notafter(X509 *x, const char *fn, time_t *tt)
                return 0;
        }
        if (!x509_get_time(at, tt)) {
-               warnx("%s: ASN1_time_parse failed", fn);
+               warnx("%s: ASN1_TIME_to_tm failed", fn);
                return 0;
        }
        return 1;
@@ -757,7 +757,10 @@ x509_get_time(const ASN1_TIME *at, time_t *t)
 
        *t = 0;
        memset(&tm, 0, sizeof(tm));
-       if (ASN1_time_parse(at->data, at->length, &tm, 0) == -1)
+       /* Fail instead of silently falling back to the current time. */
+       if (at == NULL)
+               return 0;
+       if (!ASN1_TIME_to_tm(at, &tm))
                return 0;
        if ((*t = timegm(&tm)) == -1)
                errx(1, "timegm failed");