Commit d35ff2c0 authored by David Woodhouse's avatar David Woodhouse Committed by Rich Salz

RT3951: Add X509_V_FLAG_NO_CHECK_TIME to suppress time check



In some environments, such as firmware, the current system time is entirely
meaningless. Provide a clean mechanism to suppress the checks against it.

Signed-off-by: default avatarRich Salz <rsalz@akamai.com>
Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
parent 2519b4e1
+5 −3
@@ -179,7 +179,7 @@ void unbuffer(FILE *fp);
        OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
        OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
        OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, \
        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
        OPT_V__LAST

# define OPT_V_OPTIONS \
@@ -209,7 +209,8 @@ void unbuffer(FILE *fp);
        { "suiteB_128", OPT_V_SUITEB_128, '-' }, \
        { "suiteB_192", OPT_V_SUITEB_192, '-' }, \
        { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \
        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }
        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }

# define OPT_V_CASES \
        OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -239,7 +240,8 @@ void unbuffer(FILE *fp);
        case OPT_V_SUITEB_128: \
        case OPT_V_SUITEB_192: \
        case OPT_V_PARTIAL_CHAIN: \
        case OPT_V_NO_ALT_CHAINS
        case OPT_V_NO_ALT_CHAINS: \
        case OPT_V_NO_CHECK_TIME

/*
 * Common "extended"? options.
+4 −0
@@ -543,6 +543,10 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
        break;
    case OPT_V_NO_ALT_CHAINS:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
	break;
    case OPT_V_NO_CHECK_TIME:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
	break;
    }
    return 1;

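Review bot: The added `break;` after the X509_VERIFY_PARAM_set_flags call for OPT_V_NO_CHECK_TIME is indented with a tab, copied from the preceding case's `break;`, while the other lines of this switch use four spaces; the new line should be `        break;` so the new case does not extend the mixed indentation. The flag itself is set the same way as the neighbouring OPT_V_NO_ALT_CHAINS case, which looks right. The switch in opt_verify begins and ends outside the hunk.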
+4 −0
@@ -957,6 +957,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
        ctx->current_crl = crl;
    if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
        ptime = &ctx->param->check_time;
    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
        return 1;
    else
        ptime = NULL;

@@ -1677,6 +1679,8 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)

    if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
        ptime = &ctx->param->check_time;
    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
        return 1;
    else
        ptime = NULL;

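Review bot: In check_crl_time the new `return 1;` for X509_V_FLAG_NO_CHECK_TIME fires after `ctx->current_crl = crl;` has already been assigned on the line above the flag tests, so whatever the function does with current_crl on its normal exit path — presumably clearing it, though that code is outside the hunk — is skipped and the context keeps pointing at a CRL it never examined. Testing the flag before that assignment avoids leaving that state behind while keeping USE_CHECK_TIME's precedence, e.g. `if ((ctx->param->flags & (X509_V_FLAG_USE_CHECK_TIME | X509_V_FLAG_NO_CHECK_TIME)) == X509_V_FLAG_NO_CHECK_TIME) return 1;` placed ahead of the current_crl assignment. The second hunk in x509_check_cert_time has the same early return but, as far as is visible here, sets no state before it. Both functions start before their hunks, so their remaining bodies could not be checked.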
+4 −0
@@ -203,6 +203,10 @@ chain found is not trusted, then OpenSSL will continue to check to see if an
alternative chain can be found that is trusted. With this flag set the behaviour
will match that of OpenSSL versions prior to 1.1.0.

The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period
of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time()
is used to specify a verification time, the check is not suppressed.

=head1 NOTES

The above functions should be used to manipulate verification parameters
+2 −0
@@ -407,6 +407,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 * will force the behaviour to match that of previous versions.
 */
# define X509_V_FLAG_NO_ALT_CHAINS               0x100000
/* Do not check certificate/CRL validity against current time */
# define X509_V_FLAG_NO_CHECK_TIME               0x200000

# define X509_VP_FLAG_DEFAULT                    0x1
# define X509_VP_FLAG_OVERWRITE                  0x2
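Review bot: The comment on X509_V_FLAG_NO_CHECK_TIME leaves out the precedence rule that the x509_vfy.c changes and the POD text in this commit establish: when X509_V_FLAG_USE_CHECK_TIME is also set via X509_VERIFY_PARAM_set_time(), the validity period is still checked against that time. Callers read flag semantics from this header, so it should say so: `/* Do not check certificate/CRL validity against current time; has no effect when X509_V_FLAG_USE_CHECK_TIME is set */`. The value 0x200000 follows 0x100000 and does not overlap any flag visible here.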