author | 2015-09-14 16:13:39 +0000 | |
---|---|---|
committer | 2015-09-14 16:13:39 +0000 | |
commit | 0d666e4ec398a6c0ad90a26e900a1952dd9237e4 (patch) | |
tree | 1429872e9020b023b5121f2d0c4fa9dad1db46d2 /lib/libssl/src | |
parent | SIZEOF_INT is no longer needed. (diff) | |
Add support for disabling certificate and CRL validity checking.
Loosely based on changes in OpenSSL.
ok beck@
Diffstat (limited to 'lib/libssl/src')
-rw-r--r-- | lib/libssl/src/crypto/x509/x509_vfy.c | 21 | ||||
-rw-r--r-- | lib/libssl/src/crypto/x509/x509_vfy.h | 5 |
2 files changed, 15 insertions, 11 deletions
diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c
index f2dc356dc8d..8d4d15668ec 100644
--- a/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.44 2015/07/19 05:42:55 miod Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.45 2015/09/14 16:13:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -758,15 +758,17 @@ err:
 static int
 check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
 {
-	time_t *ptime;
+	time_t *ptime = NULL;
 	int i;
 
-	if (notify)
-		ctx->current_crl = crl;
+	if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+		return (1);
+
 	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
 		ptime = &ctx->param->check_time;
-	else
-		ptime = NULL;
+
+	if (notify)
+		ctx->current_crl = crl;
 
 	i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
 	if (i == 0) {
@@ -1489,13 +1491,14 @@ check_policy(X509_STORE_CTX *ctx)
 int
 x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 {
-	time_t *ptime;
+	time_t *ptime = NULL;
 	int i;
 
+	if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+		return (1);
+
 	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
 		ptime = &ctx->param->check_time;
-	else
-		ptime = NULL;
 
 	i = X509_cmp_time(X509_get_notBefore(x), ptime);
 	if (i == 0) {
diff --git a/lib/libssl/src/crypto/x509/x509_vfy.h b/lib/libssl/src/crypto/x509/x509_vfy.h
index e760279b526..e3a1db24078 100644
--- a/lib/libssl/src/crypto/x509/x509_vfy.h
+++ b/lib/libssl/src/crypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.15 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.16 2015/09/14 16:13:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
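Review bot: When both flags are set, X509_V_FLAG_NO_CHECK_TIME now takes precedence over X509_V_FLAG_USE_CHECK_TIME in check_crl_time, because the new `return (1)` runs before check_time is consulted, so a caller that supplied an explicit verification time silently gets no validity check at all; the x509_check_cert_time hunk below has the same ordering. OpenSSL's version of this change, which the commit message cites, appears to test USE_CHECK_TIME first, so if the inversion is not intended the two tests could be reordered as `if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) return (1);`; if it is intended, the precedence should be stated in the new flag's comment in x509_vfy.h. Separately, the early return in check_crl_time now precedes the moved `if (notify) ctx->current_crl = crl;` assignment, so with the flag set this function no longer records current_crl even when notify is requested; whether any caller relies on that side effect is not visible from the hunk. Both function bodies continue past the end of their hunks.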
@@ -383,7 +383,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_USE_DELTAS			0x2000
 /* Check selfsigned CA signature */
 #define X509_V_FLAG_CHECK_SS_SIGNATURE		0x4000
-
+/* Do not check certificate or CRL validity against current time. */
+#define X509_V_FLAG_NO_CHECK_TIME		0x200000
 
 #define X509_VP_FLAG_DEFAULT			0x1
 #define X509_VP_FLAG_OVERWRITE			0x2
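Review bot: The new define jumps from 0x4000 to 0x200000 with no comment on why the intervening bits are skipped, presumably to keep the value aligned with OpenSSL's numbering for the same flag so that applications sharing code between the two libraries see the same bit. A one-line note on the define, e.g. `/* Value kept in sync with OpenSSL; intervening bits are reserved. */`, would stop a later addition from filling the gap with a conflicting meaning.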