示例#1
0
/*
 * Extract the peer certificate's validity window as time_t values.
 *
 * When no peer certificate is present this is a successful no-op:
 * *notbefore and *notafter are left untouched, so the caller must
 * have initialised them itself before relying on them.
 *
 * Returns 0 on success, -1 if either validity field is missing, fails
 * to parse, or cannot be represented as a time_t.  On -1 *notbefore
 * may already have been written (the fields are converted in order).
 */
static int
tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, time_t *notafter)
{
	struct tm tm_nb, tm_na;
	ASN1_TIME *asn_nb, *asn_na;

	if (ctx->ssl_peer_cert == NULL)
		return (0);

	memset(&tm_nb, 0, sizeof(tm_nb));
	memset(&tm_na, 0, sizeof(tm_na));

	/* Short-circuit keeps the notBefore lookup ahead of notAfter. */
	if ((asn_nb = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL ||
	    (asn_na = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)
		return (-1);

	/*
	 * Mode 0 is passed to asn1_time_parse(); judging by its use in
	 * ASN1_TIME_set_string_internal() this appears to accept either
	 * UTCTime or GeneralizedTime encodings -- confirm against the
	 * parser if the distinction matters.
	 */
	if (asn1_time_parse((char *)asn_nb->data, asn_nb->length, &tm_nb, 0) == -1 ||
	    asn1_time_parse((char *)asn_na->data, asn_na->length, &tm_na, 0) == -1)
		return (-1);

	/*
	 * timegm() reports failure as -1, which is also the legitimate
	 * value for 1969-12-31T23:59:59Z; that instant is rejected here.
	 */
	if ((*notbefore = timegm(&tm_nb)) == -1)
		return (-1);
	if ((*notafter = timegm(&tm_na)) == -1)
		return (-1);

	return (0);
}
示例#2
0
/*
 * Check that d is a well-formed GeneralizedTime.
 *
 * Returns 1 when d is tagged V_ASN1_GENERALIZEDTIME and its contents
 * parse as that type, 0 otherwise.  A UTCTime-tagged object is
 * rejected outright regardless of its contents.
 */
int
ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
{
	int parsed_type;

	if (d->type != V_ASN1_GENERALIZEDTIME)
		return (0);

	/* asn1_time_parse() yields the type it recognised, or -1. */
	parsed_type = asn1_time_parse(d->data, d->length, NULL, d->type);
	return (parsed_type == V_ASN1_GENERALIZEDTIME);
}
示例#3
0
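/*
 * Convert an ASN1_TIME (UTCTime or GeneralizedTime) to a GeneralizedTime.
 *
 * t must be tagged V_ASN1_UTCTIME or V_ASN1_GENERALIZEDTIME and its
 * string must parse as that same type.  If out is non-NULL and *out is
 * non-NULL, that object is reused and overwritten; otherwise a fresh
 * ASN1_GENERALIZEDTIME is allocated (and stored in *out when out is
 * non-NULL).  The caller owns the returned object.
 *
 * Returns the converted object, or NULL on a bad input tag, parse
 * failure or allocation failure.  On NULL, *out is left unchanged.
 */
ASN1_GENERALIZEDTIME *
ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
{
	ASN1_GENERALIZEDTIME *tmp = NULL;
	struct tm tm;
	char *str;

	if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME)
		return (NULL);

	memset(&tm, 0, sizeof(tm));
	/* Reject strings whose encoding does not match the claimed tag. */
	if (t->type != asn1_time_parse(t->data, t->length, &tm, t->type))
		return (NULL);
	if ((str = gentime_string_from_tm(&tm)) == NULL)
		return (NULL);

	if (out != NULL)
		tmp = *out;
	if (tmp == NULL && (tmp = ASN1_GENERALIZEDTIME_new()) == NULL) {
		free(str);
		return (NULL);
	}
	if (out != NULL)
		*out = tmp;

	free(tmp->data);
	tmp->data = str;
	tmp->length = strlen(str);
	/*
	 * A reused *out may still carry its old tag (e.g. UTCTime).  The
	 * data now holds a GeneralizedTime string, so the tag must be
	 * updated or ASN1_GENERALIZEDTIME_check() and later parsing will
	 * reject or misinterpret the object.  A freshly allocated object
	 * already has this tag, so the assignment is harmless there.
	 */
	tmp->type = V_ASN1_GENERALIZEDTIME;
	return (tmp);
}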
示例#4
0
/*
 * Check that t is a well-formed ASN1_TIME of either supported flavour.
 *
 * Returns 1 when t is tagged UTCTime or GeneralizedTime and its string
 * parses as that same type, 0 for any other tag or a parse mismatch.
 */
int
ASN1_TIME_check(ASN1_TIME *t)
{
	int parsed_type;

	switch (t->type) {
	case V_ASN1_GENERALIZEDTIME:
	case V_ASN1_UTCTIME:
		break;
	default:
		return (0);
	}

	/* The parser is told the claimed tag and must agree with it. */
	parsed_type = asn1_time_parse(t->data, t->length, NULL, t->type);
	return (parsed_type == t->type);
}
示例#5
0
/*
 * Compare the UTCTime s against the time_t t2.
 *
 * Returns -1, 0 or 1 when s is earlier than, equal to or later than
 * t2, and -2 if s does not parse as a UTCTime or t2 cannot be broken
 * down by gmtime_r().
 *
 * This function has never handled failure conditions properly and
 * should be deprecated.  The OpenSSL version used to simply follow
 * NULL pointers on failure; BoringSSL and OpenSSL now return -2, as
 * done here.  The danger is that callers testing only for a negative
 * result cannot tell the -2 failure apart from "s is earlier".
 */
int
ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t2)
{
	struct tm parsed, broken_down;
	int rv = -2; /* XXX: failure and "less than" look alike to callers */

	if (asn1_time_parse(s->data, s->length, &parsed, V_ASN1_UTCTIME) != -1 &&
	    gmtime_r(&t2, &broken_down) != NULL)
		rv = asn1_tm_cmp(&parsed, &broken_down);

	return (rv);
}
示例#6
0
/*
 * Validate str as an ASN.1 time string and, if s is non-NULL, store it.
 *
 * mode is handed straight to asn1_time_parse(): 0 appears to accept
 * either UTCTime or GeneralizedTime, while a V_ASN1_* value requires
 * that the detected type match it exactly (a mismatch is rejected
 * here).  With s == NULL the call is a pure validity check.
 *
 * On success s->data receives a fresh copy of str (the previous buffer
 * is freed), s->length its length and s->type the detected type.
 *
 * Returns 1 on success, 0 on a malformed string, type mismatch or
 * allocation failure.  str must be non-NULL.
 */
static int
ASN1_TIME_set_string_internal(ASN1_TIME *s, const char *str, int mode)
{
	size_t len = strlen(str);
	int detected;
	char *copy;

	detected = asn1_time_parse(str, len, NULL, mode);
	if (detected == -1 || (mode != 0 && detected != mode))
		return (0);

	/* NULL s: the caller only wanted validation. */
	if (s == NULL)
		return (1);

	if ((copy = strdup(str)) == NULL)
		return (0);

	free(s->data);
	s->data = copy;
	s->length = len;
	s->type = detected;

	return (1);
}
示例#7
0
/*
 * Compare the UTCTime s against the time_t t2.
 *
 * Returns -1, 0 or 1 when s is earlier than, equal to or later than
 * t2, and -2 if s does not parse as a UTCTime or cannot be converted
 * to a time_t.
 *
 * This function has never handled failure conditions properly and
 * should be deprecated.  BoringSSL returns -2 on failure (as done
 * here); the OpenSSL version follows NULL pointers instead.  Callers
 * that only test for a negative result cannot tell -2 from "earlier".
 */
int
ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t2)
{
	struct tm parsed;
	time_t t1;

	if (asn1_time_parse(s->data, s->length, &parsed, V_ASN1_UTCTIME) == -1)
		return (-2); /* XXX */

	/*
	 * timegm() signals failure with -1, which is also the valid
	 * time_t for 1969-12-31T23:59:59Z; that instant is reported as
	 * a failure here.
	 */
	if ((t1 = timegm(&parsed)) == -1)
		return (-2); /* XXX */

	/* Three-way comparison: 1 if t1 > t2, -1 if t1 < t2, else 0. */
	return ((t1 > t2) - (t1 < t2));
}