authorLaurent Bercot <ska-skaware@skarnet.org>2022-10-07 15:29:40 +0000
committerLaurent Bercot <ska@appnovation.com>2022-10-07 15:29:40 +0000
commite8d3f9d42c34f268a181661ca4aaedfa066c0a0a (patch)
treedd6eaaf3499e851f3b96bd9a1b391e14acaabe78 /src
parentd41fef5b74478b36787f387ed3f58099ac19c905 (diff)
downloads6-networking-e8d3f9d42c34f268a181661ca4aaedfa066c0a0a.tar.xz
Add workaround to bearssl regression with BR_FEATURE_X509_TIME_CALLBACK
Signed-off-by: Laurent Bercot <ska@appnovation.com>
Diffstat (limited to 'src')
-rw-r--r--src/include/s6-networking/sbearssl.h4
-rw-r--r--src/sbearssl/deps-lib/sbearssl3
-rw-r--r--src/sbearssl/sbearssl_dayseconds_from_tai.c21
-rw-r--r--src/sbearssl/sbearssl_tai_from_dayseconds.c12
-rw-r--r--src/sbearssl/sbearssl_x509_minimal_set_tai.c12
-rw-r--r--src/sbearssl/sbearssl_x509_small_init_full.c5
-rw-r--r--src/sbearssl/sbearssl_x509_time_check.c16
7 files changed, 65 insertions, 8 deletions
diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h
index 2d46261..f314b51 100644
--- a/src/include/s6-networking/sbearssl.h
+++ b/src/include/s6-networking/sbearssl.h
@@ -31,6 +31,8 @@
/* Utility functions */
extern int sbearssl_isder (unsigned char const *, size_t) ;
+extern int sbearssl_tai_from_dayseconds (tai *, uint32_t, uint32_t) ;
+extern int sbearssl_dayseconds_from_tai (uint32_t *, uint32_t *, tai const *) ;
/* x509 functions */
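Review bot: The two new prototypes carry no statement of their unit conventions, and the day/second encoding is BearSSL-specific (day count where 719528 is 1970-01-01, seconds within the day) rather than anything a reader of skalibs' tai.h would guess. A one-line comment above them would save the next caller from re-deriving it from the .c files: `/* BearSSL x509 time: days with 719528 == 1970-01-01, seconds within the day; return 0 and set errno on failure */`. The failure contract (0 with errno, per sbearssl_dayseconds_from_tai) is also worth stating here since sbearssl_tai_from_dayseconds currently returns whatever tai_from_utc returns.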
@@ -68,6 +70,8 @@ extern int sbearssl_x509_minimal_set_tai (br_x509_minimal_context *, tai const *
#define sbearssl_x509_small_set_tai_g(ctx) sbearssl_x509_small_set_tain((ctx), &STAMP)
#define sbearssl_x509_small_set_tain_g(ctx) sbearssl_x509_small_set_tain((ctx), &STAMP)
+extern int sbearssl_x509_time_check (void *, uint32_t, uint32_t, uint32_t, uint32_t) ; /* br_x509_time_check */
+
extern br_x509_class const sbearssl_x509_small_vtable ;
extern void sbearssl_x509_small_init_full (sbearssl_x509_small_context *, br_x509_trust_anchor *, size_t, sbearssl_dn *, uint8_t *, char *) ;
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index 5241e56..782816e 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -54,5 +54,8 @@ sbearssl_x500_name_len.o
sbearssl_x509_minimal_set_tai.o
sbearssl_x509_small_init_full.o
sbearssl_x509_small_vtable.o
+sbearssl_dayseconds_from_tai.o
+sbearssl_tai_from_dayseconds.o
+sbearssl_x509_time_check.o
-lbearssl
-lskarnet
diff --git a/src/sbearssl/sbearssl_dayseconds_from_tai.c b/src/sbearssl/sbearssl_dayseconds_from_tai.c
new file mode 100644
index 0000000..73ab2be
--- /dev/null
+++ b/src/sbearssl/sbearssl_dayseconds_from_tai.c
@@ -0,0 +1,21 @@
+/* ISC license. */
+
+#include <errno.h>
+
+#include <skalibs/uint64.h>
+#include <skalibs/tai.h>
+#include <skalibs/djbtime.h>
+
+#include <s6-networking/sbearssl.h>
+
+int sbearssl_dayseconds_from_tai (uint32_t *days, uint32_t *seconds, tai const *t)
+{
+ uint64_t u, d ;
+ if (!utc_from_tai(&u, t)) return 0 ;
+ u -= TAI_MAGIC ;
+ d = u / 86400 + 719528 ;
+ if (d >= 0xffffffffUL) return (errno = EOVERFLOW, 0) ;
+ *days = d ;
+ *seconds = u % 86400 ;
+ return 1 ;
+}
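Review bot: `u -= TAI_MAGIC ;` on the fourth statement wraps when `u < TAI_MAGIC`, i.e. for any time before the Unix epoch, and the wrapped value then trips the `d >= 0xffffffffUL` guard with EOVERFLOW — so pre-1970 times are rejected with a misleading errno even though BearSSL's day count (offset 719528) can represent them. If only epoch-or-later times are meant to be supported, make that explicit with `if (u < TAI_MAGIC) return (errno = EOVERFLOW, 0) ;` before the subtraction and a comment saying so; otherwise the subtraction needs to be done in signed arithmetic before the division. Separately, `d >= 0xffffffffUL` also rejects `d == 0xffffffff`, which is a representable uint32_t; `d > 0xffffffffUL` is the exact bound. Whether `utc_from_tai` can yield a `u % 86400` of 86400 on a leap second is not visible here and may deserve a note.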
diff --git a/src/sbearssl/sbearssl_tai_from_dayseconds.c b/src/sbearssl/sbearssl_tai_from_dayseconds.c
new file mode 100644
index 0000000..e97c69c
--- /dev/null
+++ b/src/sbearssl/sbearssl_tai_from_dayseconds.c
@@ -0,0 +1,12 @@
+/* ISC license. */
+
+#include <skalibs/uint64.h>
+#include <skalibs/tai.h>
+#include <skalibs/djbtime.h>
+
+#include <s6-networking/sbearssl.h>
+
+int sbearssl_tai_from_dayseconds (tai *t, uint32_t days, uint32_t seconds)
+{
+ return tai_from_utc(t, TAI_MAGIC + (uint64_t)86400 * (uint64_t)days + 719528 + seconds) ;
+}
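Review bot: The expression on the `return` line adds 719528 as seconds, but in sbearssl_dayseconds_from_tai (this same commit) 719528 is the day offset that is added after dividing by 86400, so the two functions are not inverses: for the `days`/`seconds` produced by the other function, this one returns a time roughly 719528 days too late minus 719528 seconds. The inverse of `d = u / 86400 + 719528` is `u = 86400 * (days - 719528) + seconds`, so the line should read `return tai_from_utc(t, TAI_MAGIC - (uint64_t)86400 * 719528 + (uint64_t)86400 * days + seconds) ;`, which also stays correct for `days < 719528` in unsigned arithmetic as long as TAI_MAGIC exceeds 86400 * 719528 (about 6.2e10; I believe skalibs defines it as 2^62, please confirm). Nothing in this diff calls the function yet, which is presumably why the mismatch went unnoticed; `seconds` is also not range-checked against 86400. A round-trip test through both helpers would catch this.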
diff --git a/src/sbearssl/sbearssl_x509_minimal_set_tai.c b/src/sbearssl/sbearssl_x509_minimal_set_tai.c
index 58a1a4a..0ca9c9d 100644
--- a/src/sbearssl/sbearssl_x509_minimal_set_tai.c
+++ b/src/sbearssl/sbearssl_x509_minimal_set_tai.c
@@ -1,18 +1,14 @@
/* ISC license. */
+#include <stdint.h>
#include <bearssl.h>
-#include <skalibs/uint64.h>
-#include <skalibs/tai.h>
-#include <skalibs/djbtime.h>
-
#include <s6-networking/sbearssl.h>
int sbearssl_x509_minimal_set_tai (br_x509_minimal_context *ctx, tai const *t)
{
- uint64_t u ;
- if (!utc_from_tai(&u, t)) return 0 ;
- u -= TAI_MAGIC ;
- br_x509_minimal_set_time(ctx, (uint32_t)(u / 86400 + 719528), u % 86400) ;
+ uint32_t days, seconds ;
+ if (!sbearssl_dayseconds_from_tai(&days, &seconds, t)) return 0 ;
+ br_x509_minimal_set_time(ctx, days, seconds) ;
return 1 ;
}
diff --git a/src/sbearssl/sbearssl_x509_small_init_full.c b/src/sbearssl/sbearssl_x509_small_init_full.c
index bcb88bb..aece45c 100644
--- a/src/sbearssl/sbearssl_x509_small_init_full.c
+++ b/src/sbearssl/sbearssl_x509_small_init_full.c
@@ -5,6 +5,8 @@
#include <bearssl.h>
+#include <skalibs/tai.h>
+
#include <s6-networking/sbearssl.h>
struct eltinfo_s
@@ -28,6 +30,9 @@ void sbearssl_x509_small_init_full (sbearssl_x509_small_context *ctx, br_x509_tr
{
ctx->vtable = &sbearssl_x509_small_vtable ;
br_x509_minimal_init_full(&ctx->minimal, btas, n) ;
+#ifdef BR_FEATURE_X509_TIME_CALLBACK
+ br_x509_minimal_set_time_callback(&ctx->minimal, tain_secp(&STAMP), &sbearssl_x509_time_check) ;
+#endif
for (unsigned int i = 0 ; i < 6 ; i++)
{
ctx->elts[i].oid = eltinfo[i].oid ;
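Review bot: The callback context passed on the added `br_x509_minimal_set_time_callback` line is the address of the global STAMP, so the verification time is whatever STAMP holds when the certificate chain is checked, not when init_full ran — the caller has to refresh STAMP (tain_now_g) before each handshake, or a long-lived process validates against a stale clock. That contract is invisible to the caller and should be stated in a comment on the `#ifdef` block, e.g. `/* workaround: with BR_FEATURE_X509_TIME_CALLBACK, validity is checked against STAMP at handshake time; callers must keep STAMP current */`. If BearSSL consults the callback in preference to the days/seconds set by br_x509_minimal_set_time (which is how I read the current x509_minimal.c, but I cannot confirm from here), then the explicit sbearssl_x509_small_set_tai/tain setters from the header are silently ignored on builds with that feature, which is worth mentioning in the same comment. The rest of sbearssl_x509_small_init_full continues outside the hunk.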
diff --git a/src/sbearssl/sbearssl_x509_time_check.c b/src/sbearssl/sbearssl_x509_time_check.c
new file mode 100644
index 0000000..83e8072
--- /dev/null
+++ b/src/sbearssl/sbearssl_x509_time_check.c
@@ -0,0 +1,16 @@
+/* ISC license. */
+
+#include <stdint.h>
+#include <bearssl.h>
+
+#include <skalibs/tai.h>
+
+#include <s6-networking/sbearssl.h>
+
+int sbearssl_x509_time_check (void *ctx, uint32_t nbd, uint32_t nbs, uint32_t nad, uint32_t nas)
+{
+ uint32_t days, seconds ;
+ if (!sbearssl_dayseconds_from_tai(&days, &seconds, (tai *)ctx)) return -2 ;
+ if (days < nbd || (days == nbd && seconds < nbs)) return -1 ;
+ return days > nad || (days == nad && seconds > nas) ;
+}
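Review bot: The `return -2` on the conversion-failure line has no documented meaning: as far as I recall the BearSSL time-callback contract only distinguishes sign (negative = before notBefore, positive = after notAfter, 0 = valid), so a failed clock conversion is reported to the peer as a not-yet-valid certificate. That fails closed, which is the right default, but the intent should be stated so nobody later "fixes" it to 0: `/* clock unusable: fail closed, BearSSL treats any negative as not-yet-valid */`. The cast `(tai *)ctx` also drops const the function never needs; `(tai const *)ctx` matches sbearssl_dayseconds_from_tai's parameter and makes the read-only use explicit.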