From: tb Date: Mon, 22 May 2023 15:07:02 +0000 (+0000) Subject: Convert x509_get_time() to ASN1_TIME_to_tm() X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=5abefff61e76d942d2eb9b54a97ff91e323d53ff;p=openbsd Convert x509_get_time() to ASN1_TIME_to_tm() Instead of using the LibreSSL-specific ASN1_time_parse(), we can use OpenSSL's ASN1_TIME_to_tm() which LibreSSL provides since 3.6.0. The latter has a few API quirks such as silently falling back to being a timegm() replacement if called with a NULL ASN1_TIME. We don't want that, so just return an error instead. rpki-client portable now needs LibreSSL >= 3.6. This is a small price to pay for rather significant simplifications in regress and portable (which will be possible after the next commit). Also adjust a couple of error strings. ok claudio job --- diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c index d60e66477fe..ad43e18fb68 100644 --- a/usr.sbin/rpki-client/crl.c +++ b/usr.sbin/rpki-client/crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: crl.c,v 1.24 2023/03/10 12:44:56 job Exp $ */ +/* $OpenBSD: crl.c,v 1.25 2023/05/22 15:07:02 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -75,7 +75,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len) goto out; } if (!x509_get_time(at, &crl->lastupdate)) { - warnx("%s: ASN1_time_parse failed", fn); + warnx("%s: ASN1_TIME_to_tm failed", fn); goto out; } @@ -85,7 +85,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len) goto out; } if (!x509_get_time(at, &crl->nextupdate)) { - warnx("%s: ASN1_time_parse failed", fn); + warnx("%s: ASN1_TIME_to_tm failed", fn); goto out; } diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 0ab646984b8..59f6d10a584 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c 
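Review bot: The two rewritten `warnx()` calls in crl_parse() (the lastupdate and nextupdate hunks) print the same text, so a log line does not say which CRL field was rejected; the notBefore and notAfter hunks in x509.c follow the same pattern. The message also names a libcrypto function rather than the field, which ties the diagnostics to the implementation again, just as the old `ASN1_time_parse` string did. Naming the field would keep the logs usable for triage, e.g. `warnx("%s: failed to parse CRL lastUpdate", fn);` and `warnx("%s: failed to parse CRL nextUpdate", fn);`. crl_parse() starts and ends outside these hunks.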
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.70 2023/03/14 07:09:11 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.71 2023/05/22 15:07:02 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker @@ -506,7 +506,7 @@ x509_get_notbefore(X509 *x, const char *fn, time_t *tt) return 0; } if (!x509_get_time(at, tt)) { - warnx("%s: ASN1_time_parse failed", fn); + warnx("%s: ASN1_TIME_to_tm failed", fn); return 0; } return 1; @@ -526,7 +526,7 @@ x509_get_notafter(X509 *x, const char *fn, time_t *tt) return 0; } if (!x509_get_time(at, tt)) { - warnx("%s: ASN1_time_parse failed", fn); + warnx("%s: ASN1_TIME_to_tm failed", fn); return 0; } return 1; @@ -757,7 +757,10 @@ x509_get_time(const ASN1_TIME *at, time_t *t) *t = 0; memset(&tm, 0, sizeof(tm)); - if (ASN1_time_parse(at->data, at->length, &tm, 0) == -1) + /* Fail instead of silently falling back to the current time. */ + if (at == NULL) + return 0; + if (!ASN1_TIME_to_tm(at, &tm)) return 0; if ((*t = timegm(&tm)) == -1) errx(1, "timegm failed");
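Review bot: The `timegm()` check on the context lines right after the new `ASN1_TIME_to_tm()` call still ends the process with `errx(1, "timegm failed")`, although the `tm` it converts is parsed from the DER input. `-1` is also what `timegm()` returns for the last second before the epoch, and on a portable build with a 32-bit `time_t` an out-of-range year would presumably take the same path, so a single object could stop the parser instead of being rejected. Returning a parse failure keeps the handling local to the object: `if ((*t = timegm(&tm)) == -1) return 0;`. The start of x509_get_time() is outside the hunk, so it cannot be seen here whether its header comment documents the 0/1 return and the new NULL case.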