Diffstat (limited to 'src')
-rw-r--r-- | src/include/s6-networking/sbearssl.h | 4 | ||||
-rw-r--r-- | src/sbearssl/deps-lib/sbearssl | 3 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_dayseconds_from_tai.c | 21 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_tai_from_dayseconds.c | 12 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_x509_minimal_set_tai.c | 12 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_x509_small_init_full.c | 5 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_x509_time_check.c | 16 |
7 files changed, 65 insertions, 8 deletions
diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h
index 2d46261..f314b51 100644
--- a/src/include/s6-networking/sbearssl.h
+++ b/src/include/s6-networking/sbearssl.h
@@ -31,6 +31,8 @@
 /* Utility functions */
 extern int sbearssl_isder (unsigned char const *, size_t) ;
+extern int sbearssl_tai_from_dayseconds (tai *, uint32_t, uint32_t) ;
+extern int sbearssl_dayseconds_from_tai (uint32_t *, uint32_t *, tai const *) ;
 /* x509 functions */
@@ -68,6 +70,8 @@ extern int sbearssl_x509_minimal_set_tai (br_x509_minimal_context *, tai const *
 #define sbearssl_x509_small_set_tai_g(ctx) sbearssl_x509_small_set_tain((ctx), &STAMP)
 #define sbearssl_x509_small_set_tain_g(ctx) sbearssl_x509_small_set_tain((ctx), &STAMP)
+extern int sbearssl_x509_time_check (void *, uint32_t, uint32_t, uint32_t, uint32_t) ; /* br_x509_time_check */
+
 extern br_x509_class const sbearssl_x509_small_vtable ;
 extern void sbearssl_x509_small_init_full (sbearssl_x509_small_context *, br_x509_trust_anchor *, size_t, sbearssl_dn *, uint8_t *, char *) ;
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index 5241e56..782816e 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -54,5 +54,8 @@ sbearssl_x500_name_len.o
 sbearssl_x509_minimal_set_tai.o
 sbearssl_x509_small_init_full.o
 sbearssl_x509_small_vtable.o
+sbearssl_dayseconds_from_tai.o
+sbearssl_tai_from_dayseconds.o
+sbearssl_x509_time_check.o
 -lbearssl
 -lskarnet
diff --git a/src/sbearssl/sbearssl_dayseconds_from_tai.c b/src/sbearssl/sbearssl_dayseconds_from_tai.c
new file mode 100644
index 0000000..73ab2be
--- /dev/null
+++ b/src/sbearssl/sbearssl_dayseconds_from_tai.c
@@ -0,0 +1,21 @@
+/* ISC license. */
+
+#include <errno.h>
+
+#include <skalibs/uint64.h>
+#include <skalibs/tai.h>
+#include <skalibs/djbtime.h>
+
+#include <s6-networking/sbearssl.h>
+
+int sbearssl_dayseconds_from_tai (uint32_t *days, uint32_t *seconds, tai const *t)
+{
+ uint64_t u, d ;
+ if (!utc_from_tai(&u, t)) return 0 ;
+ u -= TAI_MAGIC ;
+ d = u / 86400 + 719528 ;
+ if (d >= 0xffffffffUL) return (errno = EOVERFLOW, 0) ;
+ *days = d ;
+ *seconds = u % 86400 ;
+ return 1 ;
+}
diff --git a/src/sbearssl/sbearssl_tai_from_dayseconds.c b/src/sbearssl/sbearssl_tai_from_dayseconds.c
new file mode 100644
index 0000000..e97c69c
--- /dev/null
+++ b/src/sbearssl/sbearssl_tai_from_dayseconds.c
@@ -0,0 +1,12 @@
+/* ISC license. */
+
+#include <skalibs/uint64.h>
+#include <skalibs/tai.h>
+#include <skalibs/djbtime.h>
+
+#include <s6-networking/sbearssl.h>
+
+int sbearssl_tai_from_dayseconds (tai *t, uint32_t days, uint32_t seconds)
+{
+ return tai_from_utc(t, TAI_MAGIC + (uint64_t)86400 * (uint64_t)days + 719528 + seconds) ;
+}
diff --git a/src/sbearssl/sbearssl_x509_minimal_set_tai.c b/src/sbearssl/sbearssl_x509_minimal_set_tai.c
index 58a1a4a..0ca9c9d 100644
--- a/src/sbearssl/sbearssl_x509_minimal_set_tai.c
+++ b/src/sbearssl/sbearssl_x509_minimal_set_tai.c
@@ -1,18 +1,14 @@
 /* ISC license. */
+#include <stdint.h>
 #include <bearssl.h>
-#include <skalibs/uint64.h>
-#include <skalibs/tai.h>
-#include <skalibs/djbtime.h>
-
 #include <s6-networking/sbearssl.h>
 int sbearssl_x509_minimal_set_tai (br_x509_minimal_context *ctx, tai const *t)
 {
- uint64_t u ;
- if (!utc_from_tai(&u, t)) return 0 ;
- u -= TAI_MAGIC ;
- br_x509_minimal_set_time(ctx, (uint32_t)(u / 86400 + 719528), u % 86400) ;
+ uint32_t days, seconds ;
+ if (!sbearssl_dayseconds_from_tai(&days, &seconds, t)) return 0 ;
+ br_x509_minimal_set_time(ctx, days, seconds) ;
 return 1 ;
 }
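Review bot: In sbearssl_dayseconds_from_tai, a time earlier than 1970 is rejected only as a side effect: `u -= TAI_MAGIC` wraps the unsigned value, and the later `d >= 0xffffffffUL` test happens to catch the resulting huge day count and reports EOVERFLOW. An explicit guard before the subtraction, for example `if (u < TAI_MAGIC) return (errno = EINVAL, 0) ;`, would make the fail-closed behaviour deliberate rather than incidental. The constants are also unexplained; a comment above the division such as `/* BearSSL counts days from 0000-01-01 (proleptic Gregorian); 1970-01-01 is day 719528 */` would help anyone auditing the certificate-time path.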
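Review bot: sbearssl_tai_from_dayseconds is not the inverse of sbearssl_dayseconds_from_tai. The forward conversion computes `u / 86400 + 719528` as a day count, but here 719528 is added to the seconds total instead of being subtracted from `days`. As written, a day/seconds pair in BearSSL's convention maps to a timestamp roughly 719528 days too late, which would silently skew any validity comparison built on it; no caller is visible in this commit. The expression should be along the lines of `TAI_MAGIC + (uint64_t)86400 * ((uint64_t)days - 719528) + seconds`, with `days < 719528` rejected first so the unsigned subtraction cannot wrap.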
diff --git a/src/sbearssl/sbearssl_x509_small_init_full.c b/src/sbearssl/sbearssl_x509_small_init_full.c
index bcb88bb..aece45c 100644
--- a/src/sbearssl/sbearssl_x509_small_init_full.c
+++ b/src/sbearssl/sbearssl_x509_small_init_full.c
@@ -5,6 +5,8 @@
 #include <bearssl.h>
+#include <skalibs/tai.h>
+
 #include <s6-networking/sbearssl.h>
 struct eltinfo_s
@@ -28,6 +30,9 @@ void sbearssl_x509_small_init_full (sbearssl_x509_small_context *ctx, br_x509_tr
 {
 ctx->vtable = &sbearssl_x509_small_vtable ;
 br_x509_minimal_init_full(&ctx->minimal, btas, n) ;
+#ifdef BR_FEATURE_X509_TIME_CALLBACK
+ br_x509_minimal_set_time_callback(&ctx->minimal, tain_secp(&STAMP), &sbearssl_x509_time_check) ;
+#endif
 for (unsigned int i = 0 ; i < 6 ; i++)
 {
 ctx->elts[i].oid = eltinfo[i].oid ;
diff --git a/src/sbearssl/sbearssl_x509_time_check.c b/src/sbearssl/sbearssl_x509_time_check.c
new file mode 100644
index 0000000..83e8072
--- /dev/null
+++ b/src/sbearssl/sbearssl_x509_time_check.c
@@ -0,0 +1,16 @@
+/* ISC license. */
+
+#include <stdint.h>
+#include <bearssl.h>
+
+#include <skalibs/tai.h>
+
+#include <s6-networking/sbearssl.h>
+
+int sbearssl_x509_time_check (void *ctx, uint32_t nbd, uint32_t nbs, uint32_t nad, uint32_t nas)
+{
+ uint32_t days, seconds ;
+ if (!sbearssl_dayseconds_from_tai(&days, &seconds, (tai *)ctx)) return -2 ;
+ if (days < nbd || (days == nbd && seconds < nbs)) return -1 ;
+ return days > nad || (days == nad && seconds > nas) ;
+} |
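Review bot: The callback registered in the second hunk of sbearssl_x509_small_init_full.c is handed a pointer into the process-global `STAMP`, so notBefore/notAfter enforcement now depends on every caller refreshing `STAMP` before the handshake. A long-running process with a stale stamp would keep accepting a certificate after it has expired. That dependency deserves a comment at the call, e.g. `/* validity is checked against STAMP at validation time: refresh it (tain_now_g) before each handshake */`. It is also worth stating that builds without `BR_FEATURE_X509_TIME_CALLBACK` set no time here and presumably rely on a later `sbearssl_x509_small_set_tain` call. The function body continues outside the hunk.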
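Review bot: The cast `(tai *)ctx` in sbearssl_x509_time_check discards constness even though sbearssl_dayseconds_from_tai takes a `tai const *`; writing `(tai const *)ctx` makes it explicit that the callback never writes to the caller's clock. The function also has no comment giving its return contract, which matters because these values decide certificate acceptance: something like `/* -1: now is before notBefore; 0: inside the window (both bounds inclusive); 1: after notAfter; -2: current time not convertible */`. Returning -2 on conversion failure looks like the intended fail-closed path, but it should be confirmed against the BearSSL version in use that values outside -1..1 are reported as a validation error rather than accepted.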