X.509: Remove certificate date checks

commit 124df926090b32a998483f6e43ebeccdbe5b5302 upstream. Remove the certificate date checks that are performed when a certificate is parsed. There are two checks: a valid from and a valid to. The first check is causing a lot of problems with system clocks that don't keep good time and the second places an implicit expiry date upon the kernel when used for module signing, so do we really need them? Signed-off-by: David Howells <dhowells@redhat.com> cc: David Woodhouse <dwmw2@infradead.org> cc: Rusty Russell <rusty@rustcorp.com.au> cc: Josh Boyer <jwboyer@redhat.com> cc: Alexander Holler <holler@ahsoftware.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: David Howells <dhowells@redhat.com> 2013-06-18 12:40:44 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-12-04 13:57:33 -0500
commit: d8f0a31aa3ccf94e1902ff6c0c68410e3b68ecca (patch)
tree: 4b419f2ac62151872d1356defcd0f666ea97c0d6
parent: ffc0c180edbae4149206ad5eb8485d3040cb350e (diff)
1 files changed, 0 insertions, 38 deletions
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 06007f0e880c..52222a2f34ba 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -106,7 +106,6 @@ error_no_sig:
 static int x509_key_preparse(struct key_preparsed_payload *prep)
 {
        struct x509_certificate *cert;
-        struct tm now;
        size_t srlen, sulen;
        char *desc = NULL;
        int ret;
@@ -137,43 +136,6 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
                goto error_free_cert;
        }
-        time_to_tm(CURRENT_TIME.tv_sec, 0, &now);
-        pr_devel("Now: %04ld-%02d-%02d %02d:%02d:%02d\n",
-                 now.tm_year + 1900, now.tm_mon + 1, now.tm_mday,
-                 now.tm_hour, now.tm_min,  now.tm_sec);
-        if (now.tm_year < cert->valid_from.tm_year ||
-            (now.tm_year == cert->valid_from.tm_year &&
-             (now.tm_mon < cert->valid_from.tm_mon ||
-              (now.tm_mon == cert->valid_from.tm_mon &&
-               (now.tm_mday < cert->valid_from.tm_mday ||
-                (now.tm_mday == cert->valid_from.tm_mday &&
-                 (now.tm_hour < cert->valid_from.tm_hour ||
-                  (now.tm_hour == cert->valid_from.tm_hour &&
-                   (now.tm_min < cert->valid_from.tm_min ||
-                    (now.tm_min == cert->valid_from.tm_min &&
-                     (now.tm_sec < cert->valid_from.tm_sec
-                      ))))))))))) {
-                pr_warn("Cert %s is not yet valid\n", cert->fingerprint);
-                ret = -EKEYREJECTED;
-                goto error_free_cert;
-        }
-        if (now.tm_year > cert->valid_to.tm_year ||
-            (now.tm_year == cert->valid_to.tm_year &&
-             (now.tm_mon > cert->valid_to.tm_mon ||
-              (now.tm_mon == cert->valid_to.tm_mon &&
-               (now.tm_mday > cert->valid_to.tm_mday ||
-                (now.tm_mday == cert->valid_to.tm_mday &&
-                 (now.tm_hour > cert->valid_to.tm_hour ||
-                  (now.tm_hour == cert->valid_to.tm_hour &&
-                   (now.tm_min > cert->valid_to.tm_min ||
-                    (now.tm_min == cert->valid_to.tm_min &&
-                     (now.tm_sec > cert->valid_to.tm_sec
-                      ))))))))))) {
-                pr_warn("Cert %s has expired\n", cert->fingerprint);
-                ret = -EKEYEXPIRED;
-                goto error_free_cert;
-        }
        cert->pub->algo = x509_public_key_algorithms[cert->pkey_algo];
        cert->pub->id_type = PKEY_ID_X509;
author	David Howells <dhowells@redhat.com>	2013-06-18 12:40:44 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-12-04 13:57:33 -0500
commit	d8f0a31aa3ccf94e1902ff6c0c68410e3b68ecca (patch)
tree	4b419f2ac62151872d1356defcd0f666ea97c0d6
parent	ffc0c180edbae4149206ad5eb8485d3040cb350e (diff)

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 06007f0e880c..52222a2f34ba 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -106,7 +106,6 @@ error_no_sig:
106	static int x509_key_preparse(struct key_preparsed_payload *prep)	106	static int x509_key_preparse(struct key_preparsed_payload *prep)
107	{	107	{
108	struct x509_certificate *cert;	108	struct x509_certificate *cert;
109	struct tm now;
110	size_t srlen, sulen;	109	size_t srlen, sulen;
111	char *desc = NULL;	110	char *desc = NULL;
112	int ret;	111	int ret;
@@ -137,43 +136,6 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
137	goto error_free_cert;	136	goto error_free_cert;
138	}	137	}
139		138
140	time_to_tm(CURRENT_TIME.tv_sec, 0, &now);
141	pr_devel("Now: %04ld-%02d-%02d %02d:%02d:%02d\n",
142	now.tm_year + 1900, now.tm_mon + 1, now.tm_mday,
143	now.tm_hour, now.tm_min, now.tm_sec);
144	if (now.tm_year < cert->valid_from.tm_year \|\|
145	(now.tm_year == cert->valid_from.tm_year &&
146	(now.tm_mon < cert->valid_from.tm_mon \|\|
147	(now.tm_mon == cert->valid_from.tm_mon &&
148	(now.tm_mday < cert->valid_from.tm_mday \|\|
149	(now.tm_mday == cert->valid_from.tm_mday &&
150	(now.tm_hour < cert->valid_from.tm_hour \|\|
151	(now.tm_hour == cert->valid_from.tm_hour &&
152	(now.tm_min < cert->valid_from.tm_min \|\|
153	(now.tm_min == cert->valid_from.tm_min &&
154	(now.tm_sec < cert->valid_from.tm_sec
155	))))))))))) {
156	pr_warn("Cert %s is not yet valid\n", cert->fingerprint);
157	ret = -EKEYREJECTED;
158	goto error_free_cert;
159	}
160	if (now.tm_year > cert->valid_to.tm_year \|\|
161	(now.tm_year == cert->valid_to.tm_year &&
162	(now.tm_mon > cert->valid_to.tm_mon \|\|
163	(now.tm_mon == cert->valid_to.tm_mon &&
164	(now.tm_mday > cert->valid_to.tm_mday \|\|
165	(now.tm_mday == cert->valid_to.tm_mday &&
166	(now.tm_hour > cert->valid_to.tm_hour \|\|
167	(now.tm_hour == cert->valid_to.tm_hour &&
168	(now.tm_min > cert->valid_to.tm_min \|\|
169	(now.tm_min == cert->valid_to.tm_min &&
170	(now.tm_sec > cert->valid_to.tm_sec
171	))))))))))) {
172	pr_warn("Cert %s has expired\n", cert->fingerprint);
173	ret = -EKEYEXPIRED;
174	goto error_free_cert;
175	}
176
177	cert->pub->algo = x509_public_key_algorithms[cert->pkey_algo];	139	cert->pub->algo = x509_public_key_algorithms[cert->pkey_algo];
178	cert->pub->id_type = PKEY_ID_X509;	140	cert->pub->id_type = PKEY_ID_X509;
179		141