Hello,

I might have found a little bug in X509_cmp_time().

According to X.680 (section 43.3, 07/2002 issue), the following UTCTime 
representations refer to the same point in time:

    8201021200Z

    8201020700-0500

(namely, 12 noon UTC on 2nd January 1982)

That very same point in time is "378820800 seconds since the epoch":

$ date -u -r 378820800
Sat Jan  2 12:00:00 UTC 1982

So I tried the following code snippet:

-----[cut]-----
#include <stdio.h>
#include <time.h>
#include <openssl/asn1.h>
#include <openssl/x509.h>

int main(void)
{
    /* X509_cmp_time() takes a time_t *, so the variable must be time_t */
    time_t secs_since_epoch;

    ASN1_TIME *test_time_UTC   = ASN1_TIME_new();
    ASN1_TIME *test_time_local = ASN1_TIME_new();

    /* the same instant, once with "Z" and once as local time plus offset */
    ASN1_UTCTIME_set_string(test_time_UTC,   "8201021200Z");
    ASN1_UTCTIME_set_string(test_time_local, "8201020700-0500");

    secs_since_epoch = 378820800;

    printf("test result UTC:                  %d\n",
           X509_cmp_time(test_time_UTC, &secs_since_epoch));
    secs_since_epoch--;
    printf("test result UTC (minus one sec.): %d\n\n",
           X509_cmp_time(test_time_UTC, &secs_since_epoch));

    secs_since_epoch = 378820800;

    printf("test result local:                  %d\n",
           X509_cmp_time(test_time_local, &secs_since_epoch));
    secs_since_epoch--;
    printf("test result local (minus one sec.): %d\n",
           X509_cmp_time(test_time_local, &secs_since_epoch));

    ASN1_TIME_free(test_time_UTC);
    ASN1_TIME_free(test_time_local);
    return 0;
}

-----[cut again]-----

Results:

test result UTC:                  -1
test result UTC (minus one sec.): 1

test result local:                  -1
test result local (minus one sec.): -1

So one sees that in the first case, X509_cmp_time() regards "8201021200Z" and 
"378820800 secs" as identical. (X509_cmp_time() will never return "0" for 
"identical", so by changing one of the operands by one second, one can see the 
change from "smaller than" to "larger than", so that's good enough in terms of 
"identical".)

Interestingly, "8201020700-0500", which is the very same point in time, is not 
regarded as identical to "378820800 secs". So something's obviously going wrong.


The following change to x509/x509_vfy.c (line numbers according to released 
0.9.8r) ... 

--- x509_vfy_orig.c
+++ x509_vfy.c
@@ -1097,7 +1097,7 @@
        atm.length=sizeof(buff2);
        atm.data=(unsigned char *)buff2;
 
-       if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+       if (X509_time_adj(&atm,offset*60, cmp_time) == NULL)
                return 0;
 
        if (ctm->type == V_ASN1_UTCTIME)
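
Review bot: The sign flip on the offset*60 argument to X509_time_adj() comes with no comment and no regression test, so the sign convention it depends on stays implicit. How offset is computed is outside this hunk, and the report only exercises a "-0500" string, so please confirm the new sign against a "+hhmm" UTCTime as well. A one-line comment above the call stating in which direction cmp_time is shifted, plus a test that checks "8201021200Z" and "8201020700-0500" give the same results against 378820800, would keep this from regressing.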


... seems to fix the problem. It makes sure the time string built for later 
comparison gets corrected in the other direction.


Umm, actually really seems like a bug to me. What to do now? (I'm new to this 
list. :-))


Thanks, best regards,

  Christoph

-- 
 c...@kawo2.rwth-aachen.de

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
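
The equivalence the post starts from (a UTCTime ending in "Z" versus one carrying a signed hhmm offset) can be checked independently of OpenSSL. The following is an added example, not part of the original message or of OpenSSL: a stand-alone parser that normalises either form to seconds since the epoch. The function names are hypothetical, and the century rule (YY >= 50 means 19YY) is an assumption taken from RFC 5280, not from the post.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Days since 1970-01-01 for a Gregorian date (year counted from March). */
static int64_t days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    int64_t era = y / 400;                       /* y is 1949..2049 here */
    int yoe = (int)(y - era * 400);
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Two ASCII digits at s[i]; -1 if either is not a digit (stops at NUL). */
static int two(const char *s, size_t i) {
    if (!isdigit((unsigned char)s[i]) || !isdigit((unsigned char)s[i + 1]))
        return -1;
    return (s[i] - '0') * 10 + (s[i + 1] - '0');
}

/* Parse UTCTime YYMMDDhhmm[ss](Z|+hhmm|-hhmm); 0 on success, -1 on error.
 * Day-of-month is only range-checked to 1..31 in this sketch. */
int utctime_to_epoch(const char *s, int64_t *out) {
    int f[5], i, sec = 0, off = 0;
    size_t p = 10;
    if (strlen(s) < 11) return -1;
    for (i = 0; i < 5; i++)
        if ((f[i] = two(s, 2 * (size_t)i)) < 0) return -1;
    if (isdigit((unsigned char)s[p])) {          /* optional seconds */
        if ((sec = two(s, p)) < 0) return -1;
        p += 2;
    }
    if (s[p] == 'Z') {
        if (s[p + 1] != '\0') return -1;
    } else if (s[p] == '+' || s[p] == '-') {
        int hh = two(s, p + 1), mm = hh < 0 ? -1 : two(s, p + 3);
        if (mm < 0 || hh > 23 || mm > 59 || s[p + 5] != '\0') return -1;
        off = (hh * 60 + mm) * 60 * (s[p] == '-' ? -1 : 1);
    } else return -1;
    if (f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 ||
        f[3] > 23 || f[4] > 59 || sec > 59) return -1;
    /* Assumption: RFC 5280 century rule (YY >= 50 is 19YY, else 20YY). */
    int year = f[0] + (f[0] >= 50 ? 1900 : 2000);
    int64_t local = days_from_civil(year, f[1], f[2]) * 86400
                  + f[3] * 3600 + f[4] * 60 + sec;
    *out = local - off;       /* UTC = local time minus the signed offset */
    return 0;
}
```

Both strings from the post, and a constructed "+0500" counterpart ("8201021700+0500"), normalise to 378820800 with this parser, which gives a reference value for a regression test of the comparison.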
