Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 6916493c292e8003d3efea991389246553fb13b3^! / .
commit6916493c292e8003d3efea991389246553fb13b3[log] [tgz]
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>Fri Jun 11 10:28:09 2021 +0200
committerWilliam Lallemand <wlallemand@haproxy.org>Mon Jun 14 15:12:53 2021 +0200
tree8eb6f8aa8ef04afb626227db565bbd5cb21edbde
parent095303956708a3f87594ae60cd9d7df12d12d905 [diff]
MINOR: ssl: Use OpenSSL's ASN1_TIME convertor when available

The ASN1_TIME_to_tm function was added in OpenSSL1.1.1 so with this
version of the library we do not need our homemade time convertor
anymore.

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index dad95a6..983ee03 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h

@@ -51,6 +51,7 @@
 
 #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
 #define HAVE_SSL_CTX_SET_CIPHERSUITES
+#define HAVE_ASN1_TIME_TO_TM
 #endif
 
 #if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9fb91f2..fcb089b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -763,7 +763,7 @@
 }
 #endif
 
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP && !defined HAVE_ASN1_TIME_TO_TM)
 /*
  *  This function returns the number of seconds  elapsed
  *  since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) and the
@@ -845,7 +845,9 @@
 
 	return -1;
 }
+#endif
 
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 /*
  * struct alignment works here such that the key.key is the same as key_data
  * Do not change the placement of key_data
@@ -906,6 +908,9 @@
 	ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
 	int reason;
 	int ret = 1;
+#ifdef HAVE_ASN1_TIME_TO_TM
+	struct tm nextupd_tm = {0};
+#endif
 
 	resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p,
 				 ocsp_response->data);
@@ -996,11 +1001,19 @@
 		goto out;
 	}
 
+#ifdef HAVE_ASN1_TIME_TO_TM
+	if (ASN1_TIME_to_tm(nextupd, &nextupd_tm) == 0) {
+		memprintf(err, "OCSP single response: Invalid \"Next Update\" time");
+		goto out;
+	}
+	ocsp->expire = my_timegm(&nextupd_tm) - OCSP_MAX_RESPONSE_TIME_SKEW;
+#else
 	ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW;
 	if (ocsp->expire < 0) {
 		memprintf(err, "OCSP single response: Invalid \"Next Update\" time");
 		goto out;
 	}
+#endif
 
 	ret = 0;
 out: