Merge pull request #6185 from lealem47/time_check
Adding NO_ASN_TIME_CHECK build option
@@ -42,6 +42,12 @@
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
ASN Options:
|
ASN Options:
|
||||||
|
* NO_ASN_TIME_CHECK: Disables ASN time checks (avoiding the ASN_BEFORE_DATE_E
|
||||||
|
* and ASN_AFTER_DATE_E errors). Safer ways to avoid date errors would be to
|
||||||
|
* set the WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY flag when calling the _ex versions of
|
||||||
|
* cert loading functions or to define the WOLFSSL_NO_OCSP_DATE_CHECK macro to
|
||||||
|
* skip OCSP date errors. Defining NO_ASN_TIME_CHECK will skip ALL date checks
|
||||||
|
* and could pose a security risk.
|
||||||
* NO_ASN_TIME: Disables time parts of the ASN code for systems without an RTC
|
* NO_ASN_TIME: Disables time parts of the ASN code for systems without an RTC
|
||||||
or wishing to save space.
|
or wishing to save space.
|
||||||
* IGNORE_NAME_CONSTRAINTS: Skip ASN name checks.
|
* IGNORE_NAME_CONSTRAINTS: Skip ASN name checks.
|
||||||
@@ -14153,7 +14159,7 @@ static int GetDate(DecodedCert* cert, int dateType, int verify, int maxIdx)
|
|||||||
else
|
else
|
||||||
cert->afterDateLen = (int)(cert->srcIdx - startIdx);
|
cert->afterDateLen = (int)(cert->srcIdx - startIdx);
|
||||||
|
|
||||||
#ifndef NO_ASN_TIME
|
#ifndef NO_ASN_TIME_CHECK
|
||||||
if (verify != NO_VERIFY && verify != VERIFY_SKIP_DATE &&
|
if (verify != NO_VERIFY && verify != VERIFY_SKIP_DATE &&
|
||||||
!XVALIDATE_DATE(date, format, dateType)) {
|
!XVALIDATE_DATE(date, format, dateType)) {
|
||||||
if (dateType == BEFORE) {
|
if (dateType == BEFORE) {
|
||||||
@@ -20028,7 +20034,7 @@ static int CheckDate(ASNGetData *dataASN, int dateType)
|
|||||||
ret = ASN_DATE_SZ_E;
|
ret = ASN_DATE_SZ_E;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifndef NO_ASN_TIME
|
#ifndef NO_ASN_TIME_CHECK
|
||||||
/* Check date is a valid string and BEFORE or AFTER now. */
|
/* Check date is a valid string and BEFORE or AFTER now. */
|
||||||
if ((ret == 0) &&
|
if ((ret == 0) &&
|
||||||
(!XVALIDATE_DATE(dataASN->data.ref.data, dataASN->tag, dateType))) {
|
(!XVALIDATE_DATE(dataASN->data.ref.data, dataASN->tag, dateType))) {
|
||||||
@@ -33631,7 +33637,7 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
|
|||||||
&single->status->thisDateFormat, size) < 0)
|
&single->status->thisDateFormat, size) < 0)
|
||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
|
|
||||||
#ifndef NO_ASN_TIME
|
#ifndef NO_ASN_TIME_CHECK
|
||||||
#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
|
#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
|
||||||
if (!XVALIDATE_DATE(single->status->thisDate, single->status->thisDateFormat, BEFORE))
|
if (!XVALIDATE_DATE(single->status->thisDate, single->status->thisDateFormat, BEFORE))
|
||||||
return ASN_BEFORE_DATE_E;
|
return ASN_BEFORE_DATE_E;
|
||||||
@@ -33667,7 +33673,7 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
|
|||||||
&single->status->nextDateFormat, size) < 0)
|
&single->status->nextDateFormat, size) < 0)
|
||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
|
|
||||||
#ifndef NO_ASN_TIME
|
#ifndef NO_ASN_TIME_CHECK
|
||||||
#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
|
#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
|
||||||
if (!XVALIDATE_DATE(single->status->nextDate, single->status->nextDateFormat, AFTER))
|
if (!XVALIDATE_DATE(single->status->nextDate, single->status->nextDateFormat, AFTER))
|
||||||
return ASN_AFTER_DATE_E;
|
return ASN_AFTER_DATE_E;
|
||||||
@@ -33764,7 +33770,7 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
|
|||||||
|
|
||||||
/* Store the thisDate format - only one possible. */
|
/* Store the thisDate format - only one possible. */
|
||||||
cs->thisDateFormat = ASN_GENERALIZED_TIME;
|
cs->thisDateFormat = ASN_GENERALIZED_TIME;
|
||||||
#if !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_OCSP_DATE_CHECK)
|
#if !defined(NO_ASN_TIME_CHECK) && !defined(WOLFSSL_NO_OCSP_DATE_CHECK)
|
||||||
/* Check date is a valid string and BEFORE now. */
|
/* Check date is a valid string and BEFORE now. */
|
||||||
if (!XVALIDATE_DATE(cs->thisDate, ASN_GENERALIZED_TIME, BEFORE)) {
|
if (!XVALIDATE_DATE(cs->thisDate, ASN_GENERALIZED_TIME, BEFORE)) {
|
||||||
ret = ASN_BEFORE_DATE_E;
|
ret = ASN_BEFORE_DATE_E;
|
||||||
@@ -33787,7 +33793,7 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
|
|||||||
(dataASN[SINGLERESPONSEASN_IDX_NEXTUPDATE_GT].tag != 0)) {
|
(dataASN[SINGLERESPONSEASN_IDX_NEXTUPDATE_GT].tag != 0)) {
|
||||||
/* Store the nextDate format - only one possible. */
|
/* Store the nextDate format - only one possible. */
|
||||||
cs->nextDateFormat = ASN_GENERALIZED_TIME;
|
cs->nextDateFormat = ASN_GENERALIZED_TIME;
|
||||||
#if !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_OCSP_DATE_CHECK)
|
#if !defined(NO_ASN_TIME_CHECK) && !defined(WOLFSSL_NO_OCSP_DATE_CHECK)
|
||||||
/* Check date is a valid string and AFTER now. */
|
/* Check date is a valid string and AFTER now. */
|
||||||
if (!XVALIDATE_DATE(cs->nextDate, ASN_GENERALIZED_TIME, AFTER)) {
|
if (!XVALIDATE_DATE(cs->nextDate, ASN_GENERALIZED_TIME, AFTER)) {
|
||||||
ret = ASN_AFTER_DATE_E;
|
ret = ASN_AFTER_DATE_E;
|
||||||
|
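Review bot: The option comment added in the first hunk (`NO_ASN_TIME_CHECK: Disables ASN time checks`) understates what the later hunks in DecodeSingleResponse do: once the macro is defined, the thisUpdate/nextUpdate validations behind `#ifndef NO_ASN_TIME_CHECK` and `#if !defined(NO_ASN_TIME_CHECK) && !defined(WOLFSSL_NO_OCSP_DATE_CHECK)` are compiled out, so a stale OCSP response is accepted as current, not merely an expired or not-yet-valid certificate. I would say so in the comment, e.g. `* Also skips the OCSP thisUpdate/nextUpdate freshness checks, so stale responses are accepted; intended only for targets without a trusted time source, with validity enforced elsewhere.` The statement that the macro skips `ALL date checks` is backed only by the asn.c sites in this diff; if other date validations (CRL nextUpdate, for instance) are still gated on NO_ASN_TIME alone they should be converted as well, or the wording narrowed. GetDate, CheckDate and DecodeSingleResponse each start and end outside their hunks, so the remaining date handling in those functions is not visible here.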
@@ -2607,6 +2607,11 @@ extern void uITRON4_free(void *p) ;
|
|||||||
#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
|
#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Disable time checking if no timer */
|
||||||
|
#if defined(NO_ASN_TIME)
|
||||||
|
#define NO_ASN_TIME_CHECK
|
||||||
|
#endif
|
||||||
|
|
||||||
/* both CURVE and ED small math should be enabled */
|
/* both CURVE and ED small math should be enabled */
|
||||||
#ifdef CURVED25519_SMALL
|
#ifdef CURVED25519_SMALL
|
||||||
#define CURVE25519_SMALL
|
#define CURVE25519_SMALL
|
||||||
|
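Review bot: The new `#if defined(NO_ASN_TIME)` block makes NO_ASN_TIME imply NO_ASN_TIME_CHECK, but nothing here records that NO_ASN_TIME_CHECK may also be defined on its own on a target that does have a clock, which is exactly the configuration the asn.c comment flags as a risk; a comment at the point the option is wired would make that visible, e.g. `/* NO_ASN_TIME_CHECK may also be defined alone: dates are still parsed but never compared against the current time */`. Because the implication is established only at this one spot, a build-defined NO_ASN_TIME has to be visible before this line for it to take effect; worth confirming the include order this relies on.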