From: Dr. David von Oheimb Date: Mon, 18 Jan 2021 16:18:03 +0000 (+0100) Subject: X509: Enable printing cert even with invalid validity times, saying 'Bad time value' X-Git-Tag: openssl-3.0.0-alpha11~68 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=63162e3d55e38aff51e243212bc73aa27bed8c4c;p=thirdparty%2Fopenssl.git X509: Enable printing cert even with invalid validity times, saying 'Bad time value' Add internal asn1_time_print_ex() that can return success on invalid time. This is a workaround for inconsistent error behavior of ASN1_TIME_print(), used in X509_print_ex(). Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13714)
---
diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
index 7bd97c65986..aebbf53fd07 100644
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -16,6 +16,7 @@
 #include
 #include
+#include "crypto/asn1.h"
 #include "crypto/ctype.h"
 #include "internal/cryptlib.h"
 #include
@@ -467,19 +468,23 @@ static const char _asn1_mon[12][4] = {
 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
 };
+/* returns 1 on success, 0 on BIO write error or parse failure */
 int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
+{
+ return asn1_time_print_ex(bp, tm) > 0;
+}
+
+/* returns 0 on BIO write error, else -1 in case of parse failure, else 1 */
+int asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm)
 {
 char *v;
 int gmt = 0, l;
 struct tm stm;
 const char upper_z = 0x5A, period = 0x2E;
- if (!asn1_time_to_tm(&stm, tm)) {
- /* asn1_time_to_tm will check the time type */
- (void)BIO_write(bp, "Bad time value", 14);
- return 0;
- /* It would have been more consistent to return BIO_write(...) */
- }
+ /* asn1_time_to_tm will check the time type */
+ if (!asn1_time_to_tm(&stm, tm))
+ return BIO_write(bp, "Bad time value", 14) ? -1 : 0;
 l = tm->length;
 v = (char *)tm->data;
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 9636756b660..d4bfe455fcb 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
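Review bot: In asn1_time_print_ex() (crypto/asn1/a_time.c, second hunk), `return BIO_write(bp, "Bad time value", 14) ? -1 : 0;` treats only a return of exactly 0 as a write error, but BIO_write() reports failure with a negative value. A failed write on this path is therefore returned as -1, which the comment above the function defines as "parse failure", and the new `== 0` checks in X509_print_ex() would then carry on as if the output had been written. The neighbouring calls in t_x509.c already test `BIO_write(...) <= 0`, so the same form fits here: `return BIO_write(bp, "Bad time value", 14) <= 0 ? 0 : -1;`. The body of asn1_time_print_ex() continues past the end of the hunk.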
@@ -140,11 +140,11 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
 goto err;
 if (BIO_write(bp, " Not Before: ", 24) <= 0)
 goto err;
- if (!ASN1_TIME_print(bp, X509_get0_notBefore(x)))
+ if (asn1_time_print_ex(bp, X509_get0_notBefore(x)) == 0)
 goto err;
 if (BIO_write(bp, "\n Not After : ", 25) <= 0)
 goto err;
- if (!ASN1_TIME_print(bp, X509_get0_notAfter(x)))
+ if (asn1_time_print_ex(bp, X509_get0_notAfter(x)) == 0)
 goto err;
 if (BIO_write(bp, "\n", 1) <= 0)
 goto err;
diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h
index 0d5d2116de3..1add6406302 100644
--- a/include/crypto/asn1.h
+++ b/include/crypto/asn1.h
@@ -138,3 +138,4 @@ int x509_algor_new_from_md(X509_ALGOR **palg, const EVP_MD *md);
 const EVP_MD *x509_algor_get_md(X509_ALGOR *alg);
 X509_ALGOR *x509_algor_mgf1_decode(X509_ALGOR *alg);
 int x509_algor_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md);
+int asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm);
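Review bot: The two `asn1_time_print_ex(...) == 0` checks in X509_print_ex() (crypto/x509/t_x509.c) deliberately let the -1 result through, and nothing at the call sites says so. A reader used to the old `!ASN1_TIME_print(...)` form could easily "fix" this back to `<= 0`. I would add a comment above the first check such as `/* -1 (unparsable time) is tolerated: "Bad time value" has been printed */`. Because X509_print_ex() now returns success for a certificate whose notBefore or notAfter cannot be parsed, its documentation should also say that a successful print does not mean the validity fields are well-formed, so callers do not use it as a sanity check. X509_print_ex() starts and ends outside this hunk.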