From: Remi Tricot-Le Breton
Date: Fri, 11 Jun 2021 08:28:09 +0000 (+0200)
Subject: MINOR: ssl: Use OpenSSL's ASN1_TIME convertor when available
X-Git-Tag: v2.5-dev1~133
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6916493c292e8003d3efea991389246553fb13b3;p=thirdparty%2Fhaproxy.git

MINOR: ssl: Use OpenSSL's ASN1_TIME convertor when available

The ASN1_TIME_to_tm function was added in OpenSSL1.1.1 so with this version of the library we do not need our homemade time convertor anymore.
---
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index dad95a6c54..983ee03fef 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -51,6 +51,7 @@
 #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
 #define HAVE_SSL_CTX_SET_CIPHERSUITES
+#define HAVE_ASN1_TIME_TO_TM
 #endif
 #if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9fb91f2d87..fcb089b92d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -763,7 +763,7 @@ static inline void ssl_async_process_fds(struct ssl_sock_ctx *ctx)
 }
 #endif
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP && !defined HAVE_ASN1_TIME_TO_TM)
 /*
  * This function returns the number of seconds elapsed
  * since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) and the
@@ -845,7 +845,9 @@ nosec:
 return -1;
 }
+#endif
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 /*
  * struct alignment works here such that the key.key is the same as key_data
  * Do not change the placement of key_data
@@ -906,6 +908,9 @@ static int ssl_sock_load_ocsp_response(struct buffer *ocsp_response,
 ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
 int reason;
 int ret = 1;
+#ifdef HAVE_ASN1_TIME_TO_TM
+ struct tm nextupd_tm = {0};
+#endif
 resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p, ocsp_response->data);
@@ -996,11 +1001,19 @@ static int ssl_sock_load_ocsp_response(struct buffer *ocsp_response,
 goto out;
 }
+#ifdef HAVE_ASN1_TIME_TO_TM
+ if (ASN1_TIME_to_tm(nextupd, &nextupd_tm) == 0) {
+ memprintf(err, "OCSP single response: Invalid \"Next Update\" time");
+ goto out;
+ }
+ ocsp->expire = my_timegm(&nextupd_tm) - OCSP_MAX_RESPONSE_TIME_SKEW;
+#else
 ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW;
 if (ocsp->expire < 0) {
 memprintf(err, "OCSP single response: Invalid \"Next Update\" time");
 goto out;
 }
+#endif
 ret = 0;
 out:
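Review bot: The new `ASN1_TIME_to_tm` branch in the `@@ -996` hunk drops the `ocsp->expire < 0` validation that the `#else` branch keeps, so a `my_timegm()` failure or an out-of-range `nextupd_tm` is no longer rejected and the skew-adjusted (possibly negative) value becomes the cached response's expiry; how `my_timegm` signals an error is not visible here, so please confirm its convention. A cheap fix is to move the single `if (ocsp->expire < 0) { memprintf(err, "OCSP single response: Invalid \"Next Update\" time"); goto out; }` block after the `#endif` so both code paths are validated identically. Also note that `ASN1_TIME_to_tm()` converts the current time when its first argument is NULL, and `nextupd` is initialised to NULL in the `@@ -906` hunk, so unless it is checked earlier in the function (outside this hunk) a response without a Next Update would silently receive an expiry of now minus the skew instead of an error; `if (!nextupd || ASN1_TIME_to_tm(nextupd, &nextupd_tm) == 0) {` would make that explicit. ssl_sock_load_ocsp_response starts and ends outside the hunk.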