From: Bob Beck
Date: Tue, 7 Oct 2025 10:40:20 +0000 (-0600)
Subject: Allow us to pass NULL to have the current time, since CMP appears to be determined...
X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~357
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36b2777a12b0b452e2f6e594526a68f4eed525f1;p=thirdparty%2Fopenssl.git
Allow us to pass NULL to have the current time, since CMP appears to be determined to do so
Reviewed-by: Neil Horman
Reviewed-by: Saša Nedvědický
(Merged from https://github.com/openssl/openssl/pull/28623)
---
diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c
index 963d1e4bce1..4028699fbc9 100644
--- a/crypto/cmp/cmp_genm.c
+++ b/crypto/cmp/cmp_genm.c
@@ -43,6 +43,7 @@ static int ossl_X509_check(OSSL_CMP_CTX *ctx, const char *source, X509 *cert,
 ret = ossl_x509_check_certificate_times(vpm, cert, &err);
 if (!ret) {
 const char * msg;
+
 switch (err) {
 case X509_V_ERR_CERT_NOT_YET_VALID:
 msg = "not yet valid";
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 638843b346c..e2432febb2f 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -280,7 +280,7 @@ static int cert_acceptable(const OSSL_CMP_CTX *ctx,
 message = "cert has an invalid not after field";
 break;
 default:
- message= "cert is invalid for an unspecfied reason";
+ message = "cert is invalid for an unspecfied reason";
 break;
 }
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7560172d901..de3be330278 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1016,7 +1016,7 @@ static int validate_certifiate_time(const ASN1_TIME *ctm)
 * (-1, 0, or 1) in *out_comparison.
 */
 static int x509_cmp_time_internal(const ASN1_TIME *ctm, const time_t *cmp_time,
- int* out_comparison)
+ int *out_comparison)
 {
 time_t t = cmp_time == NULL ? time(NULL) : *cmp_time;
 int comparison;
@@ -2131,17 +2131,20 @@ static int check_policy(X509_STORE_CTX *ctx)
 * Return 1 on success, 0 otherwise.
 */
 int ossl_x509_compare_asn1_time(const X509_VERIFY_PARAM *vpm,
- const ASN1_TIME *time, int *comparison)
+ const ASN1_TIME *asn1_time, int *comparison)
 {
+ const time_t now = time(NULL);
 const time_t *check_time = NULL;
- if ((vpm->flags & X509_V_FLAG_USE_CHECK_TIME) != 0) {
+ if (vpm == NULL) {
+ check_time = &now;
+ } else if ((vpm->flags & X509_V_FLAG_USE_CHECK_TIME) != 0) {
 check_time = &vpm->check_time;
 } else if ((vpm->flags & X509_V_FLAG_NO_CHECK_TIME) != 0) {
 *comparison = 0;
 return 1;
 }
- return x509_cmp_time_internal(time, check_time, comparison);
+ return x509_cmp_time_internal(asn1_time, check_time, comparison);
 }
 /*-
diff --git a/test/x509_internal_test.c b/test/x509_internal_test.c
index 3c4f2b3c07d..121f8b3258e 100644
--- a/test/x509_internal_test.c
+++ b/test/x509_internal_test.c
@@ -1,4 +1,5 @@
-/* Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
+/*
+ * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -338,7 +339,8 @@ static int test_a_time(X509_STORE_CTX *ctx, X509 *x509,
 return 0;
 }
-static int do_x509_time_tests(CERT_TEST_DATA *tests, size_t ntests, int64_t lower_limit, int64_t upper_limit)
+static int do_x509_time_tests(CERT_TEST_DATA *tests, size_t ntests,
+ int64_t lower_limit, int64_t upper_limit)
 {
 int ret = 0;
 int failures = 0;
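Review bot: In the `ossl_x509_compare_asn1_time` hunk of crypto/x509/x509_vfy.c, the new `now` local and the `check_time = &now;` branch duplicate the fallback that `x509_cmp_time_internal` already applies to a NULL `cmp_time` (`time_t t = cmp_time == NULL ? time(NULL) : *cmp_time;`, visible in the earlier hunk of the same file). As written, `time(NULL)` also runs on the `X509_V_FLAG_USE_CHECK_TIME` and `X509_V_FLAG_NO_CHECK_TIME` paths, which never use it. Dropping `now` and writing the two tests as `if (vpm != NULL && (vpm->flags & X509_V_FLAG_USE_CHECK_TIME) != 0) {` and `} else if (vpm != NULL && (vpm->flags & X509_V_FLAG_NO_CHECK_TIME) != 0) {` leaves `check_time` NULL for a NULL `vpm` and should give the same result. The function's header comment begins above the hunk and, from the part shown, does not mention the new contract; a line such as `* If vpm is NULL the current time is used and no check-time flags are consulted.` would make clear to callers that passing NULL bypasses any configured check time or `X509_V_FLAG_NO_CHECK_TIME`.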