From 63e02b35ac215dc2487ae1123bb03e5ab543bdb3 Mon Sep 17 00:00:00 2001
From: Kaspar Brand
Date: Wed, 14 Sep 2011 14:02:28 +0000
Subject: [PATCH] Properly fill in the SSL_{CLIENT,SERVER}_V_{START,END} and
 SSL_CLIENT_V_REMAIN variables for certs whose notBefore or notAfter fields use
 GeneralizedTime encodings.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1170631 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_vars.c | 37 ++++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index ea7aa71816..29ceccfaf2 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -42,8 +42,8 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char *var);
 static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var);
 static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var);
-static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm);
-static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_UTCTIME *tm);
+static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);
+static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
 static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
 static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var);
 static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
@@ -560,7 +560,7 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
     return result;
 }
 
-static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm)
+static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
 {
     char *result;
     BIO* bio;
@@ -568,7 +568,7 @@ static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm)
 
     if ((bio = BIO_new(BIO_s_mem())) == NULL)
         return NULL;
-    ASN1_UTCTIME_print(bio, tm);
+    ASN1_TIME_print(bio, tm);
     n = BIO_pending(bio);
     result = apr_pcalloc(p, n+1);
     n = BIO_read(bio, result, n);
@@ -581,27 +581,36 @@ static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm)
 /* Return a string giving the number of days remaining until 'tm', or
  * "0" if this can't be determined. */
-static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_UTCTIME *tm)
+static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm)
 {
     apr_time_t then, now = apr_time_now();
     apr_time_exp_t exp = {0};
     long diff;
+    unsigned char *dp;
 
-    /* Fail if the time isn't a valid ASN.1 UTCTIME; RFC3280 mandates
+    /* Fail if the time isn't a valid ASN.1 TIME; RFC3280 mandates
      * that the seconds digits are present even though ASN.1
      * doesn't. */
-    if (tm->length < 11 || !ASN1_UTCTIME_check(tm)) {
+    if ((tm->type == V_ASN1_UTCTIME && tm->length < 11) ||
+        (tm->type == V_ASN1_GENERALIZEDTIME && tm->length < 13) ||
+        !ASN1_TIME_check(tm)) {
         return apr_pstrdup(p, "0");
     }
 
-    exp.tm_year = DIGIT2NUM(tm->data);
-    exp.tm_mon = DIGIT2NUM(tm->data + 2) - 1;
-    exp.tm_mday = DIGIT2NUM(tm->data + 4) + 1;
-    exp.tm_hour = DIGIT2NUM(tm->data + 6);
-    exp.tm_min = DIGIT2NUM(tm->data + 8);
-    exp.tm_sec = DIGIT2NUM(tm->data + 10);
+    if (tm->type == V_ASN1_UTCTIME) {
+        exp.tm_year = DIGIT2NUM(tm->data);
+        if (exp.tm_year <= 50) exp.tm_year += 100;
+        dp = tm->data + 2;
+    } else {
+        exp.tm_year = DIGIT2NUM(tm->data) * 100 + DIGIT2NUM(tm->data + 2) - 1900;
+        dp = tm->data + 4;
+    }
 
-    if (exp.tm_year <= 50) exp.tm_year += 100;
+    exp.tm_mon = DIGIT2NUM(dp) - 1;
+    exp.tm_mday = DIGIT2NUM(dp + 2) + 1;
+    exp.tm_hour = DIGIT2NUM(dp + 4);
+    exp.tm_min = DIGIT2NUM(dp + 6);
+    exp.tm_sec = DIGIT2NUM(dp + 8);
 
     if (apr_time_exp_gmt_get(&then, &exp) != APR_SUCCESS) {
         return apr_pstrdup(p, "0");
-- 
2.40.0
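Review bot: The new GeneralizedTime length floor, `tm->length < 13`, does not guarantee the two seconds digits that `DIGIT2NUM(dp + 8)` reads at offsets 12-13, so a 13-byte `YYYYMMDDhhmmZ` value passes the guard and the macro consumes the `Z` plus one byte beyond the string's declared length; the UTCTime floor `< 11` has the same gap at offsets 10-11 (pre-existing, but now duplicated). If `ASN1_TIME_check()` accepts seconds-less encodings, as OpenSSL's UTCTime/GeneralizedTime checks have historically done, nothing else rejects them, which contradicts the comment's stated intent that the seconds must be present. I would raise both floors to what the reads actually need: `(tm->type == V_ASN1_UTCTIME && tm->length < 12) ||` and `(tm->type == V_ASN1_GENERALIZEDTIME && tm->length < 14) ||`. Separately, RFC 5280 interprets UTCTime YY=50 as 1950, so the carried-over `if (exp.tm_year <= 50) exp.tm_year += 100;` looks like it should be `< 50` — worth confirming against the intended century rule. The body of ssl_var_lookup_ssl_cert_remain continues past the end of this hunk.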