From 6916493c292e8003d3efea991389246553fb13b3 Mon Sep 17 00:00:00 2001 From: Remi Tricot-Le Breton Date: Fri, 11 Jun 2021 10:28:09 +0200 Subject: [PATCH] MINOR: ssl: Use OpenSSL's ASN1_TIME convertor when available The ASN1_TIME_to_tm function was added in OpenSSL1.1.1 so with this version of the library we do not need our homemade time convertor anymore. --- include/haproxy/openssl-compat.h | 1 + src/ssl_sock.c | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h index dad95a6..983ee03 100644 --- a/include/haproxy/openssl-compat.h +++ b/include/haproxy/openssl-compat.h @@ -51,6 +51,7 @@ #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) #define HAVE_SSL_CTX_SET_CIPHERSUITES +#define HAVE_ASN1_TIME_TO_TM #endif #if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 9fb91f2..fcb089b 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -763,7 +763,7 @@ static inline void ssl_async_process_fds(struct ssl_sock_ctx *ctx) } #endif -#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP && !defined HAVE_ASN1_TIME_TO_TM) /* * This function returns the number of seconds elapsed * since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) and the @@ -845,7 +845,9 @@ nosec: return -1; } +#endif +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) /* * struct alignment works here such that the key.key is the same as key_data * Do not change the placement of key_data @@ -906,6 +908,9 @@ static int ssl_sock_load_ocsp_response(struct buffer *ocsp_response, ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL; int reason; int ret = 1; +#ifdef HAVE_ASN1_TIME_TO_TM + struct tm nextupd_tm = {0}; +#endif resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p, ocsp_response->data); @@ -996,11 +1001,19 @@ static int ssl_sock_load_ocsp_response(struct buffer *ocsp_response, goto out; } +#ifdef HAVE_ASN1_TIME_TO_TM + if (ASN1_TIME_to_tm(nextupd, &nextupd_tm) == 0) { + memprintf(err, "OCSP single response: Invalid \"Next Update\" time"); + goto out; + } + ocsp->expire = my_timegm(&nextupd_tm) - OCSP_MAX_RESPONSE_TIME_SKEW; +#else ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW; if (ocsp->expire < 0) { memprintf(err, "OCSP single response: Invalid \"Next Update\" time"); goto out; } +#endif ret = 0; out: -- 1.7.10.4